3.1.1.3.4.6 LDAP Policies

The DC's LDAP interface supports various policies that can be configured by an administrator. The names of these policies are listed in the supportedLDAPPolicies attribute on the rootDSE. The policies are listed in the following table, which also indicates which versions of Windows and Active Directory Application Mode (ADAM) support each policy.

| Policy name | Windows 2000 operating system | Windows Server 2003 operating system, ADAM, and Windows Server 2008 operating system | Windows Server 2008 R2 operating system | Windows Server 2012 operating system and Windows Server 2012 R2 operating system |
|---|---|---|---|---|
| MaxActiveQueries | X* | | | |
| InitRecvTimeout | X | X | X | X |
| MaxConnections | X | X | X | X |
| MaxConnIdleTime | X | X | X | X |
| MaxDatagramRecv | X | X | X | X |
| MaxNotificationPerConn | X | X | X | X |
| MaxPoolThreads | X | X | X | X |
| MaxReceiveBuffer | X | X | X | X |
| MaxPageSize | X | X | X | X |
| MaxQueryDuration | X | X | X | X |
| MaxResultSetSize | X | X | X | X |
| MaxTempTableSize | X | X | X | X |
| MaxValRange | | X | X | X |
| MaxResultSetsPerConn | | | X | X |
| MinResultSets | | | X | X |
| MaxBatchReturnMessages | | | | X |

* Support for this policy was removed in Windows Server 2003.

LDAP policies are specified using the lDAPAdminLimits attribute. The lDAPAdminLimits attribute of a queryPolicy object is a multivalued string in which each value encodes a name-value pair. In the encoding, the name and value are separated by an "="; for example, the name "MaxActiveQueries" with value "0" is encoded as "MaxActiveQueries=0". Each name is the name of an LDAP policy, and the value is a value of that policy.

There can be multiple queryPolicy objects in a forest. A DC determines the queryPolicy object that contains its policies according to the following logic:

  • If the queryPolicyObject attribute is present on the DC's nTDSDSA object, the DC uses the queryPolicy object referenced by it.

  • Otherwise, if the queryPolicyObject attribute is present on the nTDSSiteSettings object for the site to which the DC belongs, the DC uses the queryPolicy object referenced by it.

  • Otherwise, the DC uses the queryPolicy object whose DN is "CN=Default Query Policy,CN=Query-Policies" relative to the nTDSService object (for example, "CN=Default Query Policy, CN=Query-Policies, CN=Directory Service, CN=Windows NT, CN=Services" relative to the root of the config NC).
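As an added example (not code from MS-ADTS or from Windows), the following Python applies the three-step lookup above to pick the queryPolicy object a DC uses and then overlays that object's lDAPAdminLimits name=value strings on the default values from the table in this section. The forest name, the DNs, the policy objects and the deviation report are constructed assumptions for illustration.

```python
# Added example (not MS-ADTS code): pick the queryPolicy object a DC uses (its
# nTDSDSA, then its site's nTDSSiteSettings, then the default) and overlay that
# object's lDAPAdminLimits "name=value" strings on the defaults in this section.
# All DNs and objects below are constructed and carry only the attributes needed.

CFG = "CN=Configuration,DC=corp,DC=example"  # constructed config NC root
QP = "CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services," + CFG
DEFAULT_QP = "CN=Default Query Policy," + QP

DEFAULTS = {  # default values from the policy table in this section
    "InitRecvTimeout": 120, "MaxConnections": 5000, "MaxConnIdleTime": 900,
    "MaxDatagramRecv": 4096, "MaxNotificationPerConn": 5, "MaxPoolThreads": 4,
    "MaxReceiveBuffer": 10485760, "MaxPageSize": 1000, "MaxQueryDuration": 120,
    "MaxResultSetSize": 262144, "MaxTempTableSize": 10000, "MaxValRange": 1500,
    "MaxResultSetsPerConn": 10, "MinResultSets": 3, "MaxBatchReturnMessages": 1100,
}

DIRECTORY = {  # constructed stand-in for the config NC: DN -> attributes
    "CN=NTDS Settings,CN=DC1,CN=Servers,CN=Site-A,CN=Sites," + CFG: {},
    "CN=NTDS Settings,CN=DC2,CN=Servers,CN=Site-A,CN=Sites," + CFG: {"queryPolicyObject": "CN=DC2 Policy," + QP},
    "CN=NTDS Site Settings,CN=Site-A,CN=Sites," + CFG: {"queryPolicyObject": "CN=Site-A Policy," + QP},
    "CN=DC2 Policy," + QP: {"lDAPAdminLimits": ["MaxPageSize=5000"]},
    "CN=Site-A Policy," + QP: {"lDAPAdminLimits": ["MaxConnIdleTime=3600", "MaxQueryDuration=600"]},
    DEFAULT_QP: {"lDAPAdminLimits": ["MaxPageSize=1000", "NotAPolicy=1"]},
}


def resolve_query_policy(ntdsdsa_dn, directory=DIRECTORY):
    """queryPolicy DN for the DC whose nTDSDSA DN (CN=NTDS Settings,CN=<srv>,CN=Servers,<site DN>) is given."""
    dsa = directory.get(ntdsdsa_dn, {})
    if "queryPolicyObject" in dsa:
        return dsa["queryPolicyObject"]
    site_dn = ntdsdsa_dn.split(",", 3)[3]  # everything after CN=Servers is the site DN
    site = directory.get("CN=NTDS Site Settings," + site_dn, {})
    return site.get("queryPolicyObject", DEFAULT_QP)


def effective_limits(ntdsdsa_dn, directory=DIRECTORY):
    """Defaults overlaid with the applicable lDAPAdminLimits name=value pairs."""
    limits = dict(DEFAULTS)
    policy = directory.get(resolve_query_policy(ntdsdsa_dn, directory), {})
    for entry in policy.get("lDAPAdminLimits", []):
        name, sep, value = entry.partition("=")
        if sep and name in DEFAULTS and value.isdigit():  # skip unknown names / malformed values
            limits[name] = int(value)
    return limits


def deviations(ntdsdsa_dn, directory=DIRECTORY):
    """Policies whose effective value differs from the default (for a configuration audit)."""
    return {k: v for k, v in effective_limits(ntdsdsa_dn, directory).items() if v != DEFAULTS[k]}
```

Note that the DC uses exactly one queryPolicy object, so a DC-level reference replaces the site-level one rather than merging with it.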

The effect of setting an LDAP policy is outside the state model. The effect of each policy, as well as the default value used if the policy's value is not specified in an lDAPAdminLimits attribute, is shown in the following table.

| Policy name | Default value | Description |
|---|---|---|
| MaxActiveQueries | 20 | The maximum number of concurrent LDAP search operations that are permitted to run at the same time on a DC. When this limit is reached, the DC returns a busy / ERROR_DS_ADMIN_LIMIT_EXCEEDED error. |
| InitRecvTimeout | 120 | The maximum time, in seconds, that a DC waits for the client to send the first request after the DC receives a new connection. If the client does not send the first request in this amount of time, the server disconnects the client. |
| MaxConnections | 5000 | The maximum number of simultaneous LDAP connections that a DC will accept. If a connection comes in after the DC reaches this limit, the DC will drop another connection. The connection that is selected to drop is not constrained by the protocol and is determined based on the implementation. |
| MaxConnIdleTime | 900 | The maximum time, in seconds, that the client can be idle before the DC closes the connection. If a connection is idle for more than this time, the DC disconnects the client. |
| MaxDatagramRecv | 4096 | The maximum size, in bytes, of a UDP datagram request that a DC will process. Requests that are larger than this value are ignored by the DC. |
| MaxNotificationPerConn | 5 | The maximum number of outstanding notification search requests (using the LDAP_SERVER_NOTIFICATION_OID control) that the DC permits on a single connection. When this limit is reached, the server returns an adminLimitExceeded / ERROR_DS_ADMIN_LIMIT_EXCEEDED error to any new notification searches that are requested on that connection. |
| MaxPoolThreads | 4 | The maximum number of threads per processor that a DC dedicates to listening for network input or output. This value also determines the maximum number of threads per processor that can work on LDAP requests at the same time. |
| MaxReceiveBuffer | 10,485,760 | The maximum size, in bytes, of a request that the server will accept. If the server receives a request that is larger than this, it will drop the connection. |
| MaxPageSize | 1000 | The maximum number of objects that are returned in a single search result, independent of how large each returned object is. To perform a search where the result might exceed this number of objects, the client must specify the paged search control. |
| MaxQueryDuration | 120 | The maximum time, in seconds, that a DC will spend on a single search or batched LDAP extended operation (in Windows Server 2012 and Windows Server 2012 R2). When this limit is reached, the DC returns a timeLimitExceeded / ERROR_INVALID_PARAMETER error. |
| MaxResultSetSize | 262,144 | The maximum number of bytes that a DC stores to optimize the individual searches that make up a paged search. The data that is stored is outside the state model and is implementation-specific. |
| MaxTempTableSize | 10,000 | The maximum number of rows that a DC will create in a temporary database table to hold intermediate results during query processing. |
| MaxValRange | 1500 | The maximum number of values that can be retrieved from a multivalued attribute in a single search request. Windows 2000 DCs do not support this policy and instead always use a setting of 1000 values. |
| MaxResultSetsPerConn | 10 | The maximum number of individual paged searches per LDAP connection for which a DC will store optimization data. The data that is stored is outside the state model and is implementation-specific. |
| MinResultSets | 3 | The minimum number of individual paged searches for which a DC will store optimization data. The data that is stored is outside the state model and is implementation-specific. |
| MaxBatchReturnMessages | 1100 | The maximum number of messages that can be returned when processing an LDAP_SERVER_BATCH_REQUEST_OID extended operation (section 3.1.1.3.4.2.5). |

 
© 2014 Microsoft