The advantage of an LDAP directory over flat files for naming and authentication services is its design for quick access to information in large databases. Still, with very large databases, administrators and users should be aware of the following performance impacts:

Enumeration Requests
Enumeration requests are directory queries that request all of a database, for example all users or all groups. Enumeration requests of large databases can reduce network and server performance. For this reason, you may want to restrict the use of the following commands that generate enumeration requests:

Also, applications written with the getpwent(3C) or getgrent(3C) family of routines can enumerate a map, depending on how they are written. It may be possible to rewrite these applications so that an LDAP search request is used instead of a call to getpwent or getgrent.

Search Limits
The default configuration for Active Directory sets the search size limit to 1,000 entries and the search time limit to two minutes. Setting search limits prevents users from consuming all the resources of a directory and helps to minimize "denial of service" attacks; however, on large databases these limits will not be enough to service commands or applications that generate enumeration requests. You can use the support tool ntdsutil to change these two values. ntdsutil can be installed from the Windows 2000 Server CD in the \SUPPORT\TOOLS folder.

NOTE: The search time limit set during the setup procedure specifies the search timeout on the client side. To service enumeration requests, this parameter may need to be adjusted accordingly.
1. On your domain controller, click Start, then Run. In the Open box, enter ntdsutil, then click OK.
2. Enter ldap policies, and then press the Enter key. You can enter the ? symbol at any of the prompts in the ntdsutil tool to see a list of available commands.
3. Enter connections, and then press the Enter key.
4. Enter connect to server <servername>, where <servername> is the name of the server you want to use, and then press the Enter key.
5. At the server connections: prompt, enter quit, and then press the Enter key.
6. Enter set maxpagesize to <size>, where <size> is the maximum number of search objects that you want the Active Directory to return for a search, and then press the Enter key.
7. Enter set maxqueryduration to <time>, where <time> is the maximum number of seconds to wait for a search request to complete, and then press the Enter key.
8. Enter show values, then press the Enter key. This verifies that the new values are set correctly.
9. Enter Commit Changes, and then press the Enter key.
10. Enter quit, then press the Enter key to quit ldap policies.
11. Enter quit, then press the Enter key to quit ntdsutil.
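The same procedure as one non-interactive invocation, given here as an added example that is not part of the original page. It relies on ntdsutil accepting its commands as command-line arguments, and the server name DC1 and the two limit values are placeholders you must replace with your own.

```powershell
# Added example (not from the original page): run the ntdsutil procedure above
# non-interactively from an elevated PowerShell session on the domain controller.
$server        = 'DC1'   # placeholder: your domain controller name
$pageSize      = 5000    # MaxPageSize: entries returned per search page (placeholder)
$queryDuration = 300     # MaxQueryDuration: seconds before a search times out (placeholder)

# Each quoted argument is one ntdsutil command, in the same order as the
# interactive steps: ldap policies, connections, connect, quit back,
# set both values, show them, commit, then quit twice.
& ntdsutil.exe "ldap policies" "connections" "connect to server $server" "quit" `
    "set maxpagesize to $pageSize" "set maxqueryduration to $queryDuration" `
    "show values" "commit changes" "quit" "quit"

# Re-read the policy afterwards and show only the two values that were changed,
# so the result of the commit can be checked independently of the first run.
& ntdsutil.exe "ldap policies" "connections" "connect to server $server" "quit" `
    "show values" "quit" "quit" |
    Select-String -Pattern 'MaxPageSize|MaxQueryDuration'
```

Raise the limits only as far as the enumerating commands or applications actually need; a very large MaxQueryDuration weakens the protection against resource exhaustion that the section above describes.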
Search Filter

If enumeration requests cannot be avoided, consider the use of customized search descriptors for each of your name services. Customized search descriptors can improve enumeration cases because they limit the search to only the paths (containers) where the required data resides. For example, if your default search DN is set to your domain root DC=cup, DC=hp, DC=com, you can improve performance if you change the search base DN for user and group information to CN=Users, DC=cup, DC=hp, DC=com for the passwd and group services.