The advantage of an LDAP directory over flat files for naming
and authentication services is its design for the quick lookup of
information in large databases. Still, with very large databases,
administrators and users should be aware of the following performance
impacts:

Enumeration Requests
Enumeration requests are directory queries that request all
of a database, for example all users or all groups. Enumeration
requests of large databases could reduce network and server performance.
For this reason, you may want to restrict the use of the following
commands that generate enumeration requests:

Also, applications written with the getpwent(3C) or getgrent(3C)
family of routines can enumerate a map, depending on how they are
written. It may be possible to rewrite these applications so that an
LDAP search request is used instead of a call to getpwent or getgrent.

Search Limits
The default configuration for Active Directory sets the search
size limit to 1,000 entries and the search time limit to 2 minutes.
Setting search limits prevents users from consuming all the resources
of a directory and helps to minimize "denial of service" attacks;
however, on large databases these limits will not be high enough to service
commands or applications that generate enumeration requests. You can use
the support tool ntdsutil to change these two values. ntdsutil can be
installed from the Windows 2000 Server CD in the \SUPPORT\TOOLS folder.

NOTE: The search time limit set during the setup procedure
specifies the search timeout on the client side. To service enumeration
requests, this parameter may need to be adjusted accordingly.
1. On your domain controller, click Start, then click Run. In the Open box, type ntdsutil, then click OK.
2. Type ldap policies and then press ENTER. You can type ? at any of the prompts in the ntdsutil tool to see a list of available commands.
3. Type connections, and then press ENTER.
4. Type connect to server <servername>, where <servername> is the name of the server you want to use, and then press ENTER.
5. At the "server connections:" prompt, type quit, and then press ENTER.
6. Type set maxpagesize to <size>, where <size> is the maximum number of search objects that you want Active Directory to return for a search, and then press ENTER.
7. Type set maxqueryduration to <time>, where <time> is the maximum number of seconds to wait for a search request to complete, and then press ENTER.
8. Type show values, then press ENTER, to verify that the new values are set correctly.
9. Type Commit Changes, and then press ENTER.
10. Type quit, then press ENTER to quit from "ldap policies".
11. Type quit, then press ENTER to quit from ntdsutil.
Search Filter

If enumeration requests cannot be avoided, you may want to
consider the use of customized search descriptors for each of your
name services. Customized search descriptors can improve enumeration
cases because they limit the search to the paths (containers)
where the required data resides. For example, if your default search DN is set to your domain
root DC=cup, DC=hp, DC=com, you can improve performance if you change the
search base DN used to look up user and group information to CN=Users, DC=cup,
DC=hp, DC=com for the passwd and group services.
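As an added example (not part of the original HP documentation), the following Python model shows the two effects described above: an enumeration request against the domain root is cut off by the server's 1,000-entry size limit, while a point lookup with a customized search descriptor under CN=Users examines fewer entries and completes. The directory contents, the entry counts, and the in-memory search function are constructed for illustration; only the DN names follow the page's example.

```python
from collections import namedtuple

Entry = namedtuple("Entry", "dn attrs")
ROOT = "DC=cup,DC=hp,DC=com"
MAX_PAGE_SIZE = 1000  # Active Directory default search size limit (see text)


def build_directory(n_users=1500, n_computers=300):
    """Constructed sample tree: users under CN=Users, computers under CN=Computers."""
    entries = []
    for i in range(n_users):
        entries.append(Entry(f"CN=user{i},CN=Users,{ROOT}",
                             {"objectClass": "user", "uid": f"user{i}"}))
    for i in range(n_computers):
        entries.append(Entry(f"CN=host{i},CN=Computers,{ROOT}",
                             {"objectClass": "computer", "cn": f"host{i}"}))
    return entries


def ldap_search(directory, base_dn, match, size_limit=MAX_PAGE_SIZE):
    """Subtree search below base_dn; `match` is a predicate on the attribute dict.

    Returns (results, size_limit_exceeded, examined). The server stops once
    size_limit entries have been collected and signals it, the way an LDAP
    sizeLimitExceeded result does; `examined` counts the entries inside the
    search base that had to be checked against the filter.
    """
    results, examined = [], 0
    for e in directory:
        if e.dn != base_dn and not e.dn.endswith("," + base_dn):
            continue  # outside the search base: never touched
        examined += 1
        if not match(e.attrs):
            continue
        if len(results) >= size_limit:
            return results, True, examined
        results.append(e)
    return results, False, examined


def enumerate_users(directory, base_dn=ROOT):
    """getpwent-style pattern: ask for every user object in the domain."""
    return ldap_search(directory, base_dn, lambda a: a["objectClass"] == "user")


def lookup_user(directory, uid, base_dn="CN=Users," + ROOT):
    """getpwnam-style pattern with a customized search descriptor (narrow base)."""
    return ldap_search(directory, base_dn, lambda a: a.get("uid") == uid)
```

With 1,500 users the enumeration returns only the first 1,000 and reports the limit as exceeded, whereas the scoped lookup of one user never visits the computer objects at all.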