Active Directory Diagnostic Tool (Ntdsutil.exe)


Managing Lightweight Directory Access Protocol Policies

To ensure that domain controllers can support service level guarantees, you need to specify operational limits for a number of Lightweight Directory Access Protocol (LDAP) operations. These limits prevent specific operations from adversely impacting the performance of the server and also make the server resilient to denial of service attacks.

LDAP policies are implemented by using objects of the class queryPolicy. Query Policy objects can be created in the container Query-Policies, which is a child of the Directory Service container in the configuration naming context. For example: cn=Query-Policies, cn=Directory Service, cn=Windows NT, cn=Services, <configuration naming context>.

A domain controller uses the following three mechanisms to apply LDAP policies:

A Query Policy object includes the multivalued attributes LDAPIPDenyList and LDAPAdminLimits. Ntdsutil allows the administrator to set the LDAP administration limits and IP Deny list for the Default-Query Policy object.

The LDAP administration limits (with defaults in parentheses) are the following:

InitRecvTimeout   Initial receive time-out (120 seconds).

MaxConnections   Maximum number of open connections (5000).

MaxConnIdleTime   Maximum amount of time a connection can be idle (900 seconds).

MaxActiveQueries   Maximum number of queries that can be active at one time (20).

MaxNotificationPerConnection   Maximum number of notifications that a client can request for a given connection (5).

MaxPageSize   Maximum page size supported for LDAP responses (1000 records).

MaxQueryDuration   Maximum length of time the domain controller can execute a query (120 seconds).

MaxTempTableSize   Maximum size of temporary storage allocated to execute queries (10,000 records).

MaxResultSetSize   Maximum size of the LDAP Result Set (262144 bytes).

MaxPoolThreads   Maximum number of threads created by the domain controller for query execution (4 per processor).

MaxDatagramRecv   Maximum number of datagrams that can be processed by the domain controller simultaneously (1024).

Table C.8 lists and describes the LDAP policies commands.

Table C.8 LDAP Policies Commands

Command            Description
Cancel             Cancels any uncommitted modifications of the LDAP administration limits to the default query policy.
Commit             Commits all modifications of the LDAP administration limits to the default query policy.
List               Lists all supported LDAP administration limits for the domain controller.
Set %s1 to %s2     Sets the value of the LDAP administration limit %s1 to the value %s2.
Show values        Shows the current and proposed values for the LDAP administration limits.
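The following script is an added example, not part of the original documentation or of Ntdsutil itself. It audits a set of LDAP administration limits against the defaults listed above and builds the "Set %s1 to %s2" / "Commit" command sequence from Table C.8 that would restore any deviating value. The lDAPAdminLimits values it consumes are constructed sample data in the "Name=Value" form; on a real domain controller they would be read from the lDAPAdminLimits attribute of the Default Query Policy object or taken from the output of "Show values". A limit raised above its default lets one client hold more server resources per connection or query, which is the direction that weakens the denial-of-service resilience these limits are meant to provide.

```python
"""Audit LDAP administration limits against the documented Ntdsutil defaults
and emit the Ntdsutil commands that would restore them.

Added example; not code from the original documentation. Sample input is
constructed to mimic the lDAPAdminLimits attribute of a Query Policy object.
"""

# Defaults exactly as listed in the documentation for the Default Query Policy.
DEFAULT_LIMITS = {
    "InitRecvTimeout": 120,
    "MaxConnections": 5000,
    "MaxConnIdleTime": 900,
    "MaxActiveQueries": 20,
    "MaxNotificationPerConnection": 5,
    "MaxPageSize": 1000,
    "MaxQueryDuration": 120,
    "MaxTempTableSize": 10000,
    "MaxResultSetSize": 262144,
    "MaxPoolThreads": 4,
    "MaxDatagramRecv": 1024,
}

# Constructed sample: two limits have been raised well above their defaults.
SAMPLE_LDAP_ADMIN_LIMITS = [
    "InitRecvTimeout=120",
    "MaxConnections=5000",
    "MaxConnIdleTime=900",
    "MaxActiveQueries=20",
    "MaxNotificationPerConnection=5",
    "MaxPageSize=50000",        # default is 1000 records
    "MaxQueryDuration=600",     # default is 120 seconds
    "MaxTempTableSize=10000",
    "MaxResultSetSize=262144",
    "MaxPoolThreads=4",
    "MaxDatagramRecv=1024",
]


def parse_admin_limits(values):
    """Parse 'Name=Value' strings into {name: int}; malformed entries are skipped."""
    limits = {}
    for entry in values:
        name, sep, value = entry.partition("=")
        name, value = name.strip(), value.strip()
        if not sep or not value.lstrip("-").isdigit():
            continue
        limits[name] = int(value)
    return limits


def audit_limits(values, defaults=DEFAULT_LIMITS):
    """Return ({name: (current, default)} for deviating limits, [missing names])."""
    current = parse_admin_limits(values)
    deviations = {
        name: (current[name], default)
        for name, default in defaults.items()
        if name in current and current[name] != default
    }
    missing = sorted(set(defaults) - set(current))
    return deviations, missing


def restore_commands(deviations):
    """Build the 'LDAP policies' commands (Table C.8) that reset each deviating
    limit to its default, followed by Commit; an empty audit yields no commands."""
    cmds = [f"Set {name} to {default}" for name, (_, default) in sorted(deviations.items())]
    if cmds:
        cmds.append("Commit")
    return cmds


if __name__ == "__main__":
    deviations, missing = audit_limits(SAMPLE_LDAP_ADMIN_LIMITS)
    for name, (cur, dflt) in sorted(deviations.items()):
        direction = "raised" if cur > dflt else "lowered"
        print(f"{name}: {cur} ({direction}; default {dflt})")
    for name in missing:
        print(f"{name}: not present in lDAPAdminLimits")
    print("\n".join(restore_commands(deviations)))
```

The emitted commands are meant to be reviewed and then typed at the Ntdsutil "ldap policies" prompt; "Show values" before "Commit" displays the proposed values alongside the current ones, and "Cancel" discards them if they are not what was intended.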

© 1985-2000 Microsoft Corporation. All rights reserved.