To limit the amount of resources used by the server, an administrator can set search parameters to restrict users' search capabilities. Search capabilities can also be extended for special users. User searches can be restricted or extended using these methods:
Restrict search
Extend search
Paged search
Paged results allow a client to manage the amount of data returned from a search request. A client can request a subset of entries (a page) instead of receiving all the results from the server at once. Subsequent search requests return the next page of results until the operation is canceled or the last result is returned. The administrator can restrict its use by only allowing administrators to use it.
Sorted search
Sorted search allows a client to receive search results sorted by a list of criteria, where each criterion represents a sort key. This moves the responsibility of sorting from the client application to the server. The administrator can restrict its use by only allowing administrators to use it.
Disable alias dereferencing
A directory entry with objectclass of alias or aliasObject contains the attribute aliasedObjectName, which is used to reference another entry in the directory. Only search requests can specify if aliases are dereferenced. Dereferencing means to trace the alias back to the original entry. The IBM Directory Server response time for searches with the alias dereferencing option set to always or search might be significantly longer than that of searches with dereferencing option set to never, even if no alias entries exist in the directory. Two settings determine the server's alias dereference behavior: the dereferencing option specified by the client's search request and the dereference option as configured in the server by the administrator. If configured to do so, the server can automatically bypass alias dereferencing if no alias objects exist in the directory as well as override the dereference option specified in client search requests. The following table describes how alias dereferencing is hashed between the client and the server.
| Server | Client | Actual |
|---|---|---|
| never | any setting | never |
| always | any setting | the client's setting |
| any setting | always | the server's setting |
| search | find | never |
| find | search | never |
Search limit groups
An administrator can create search limit groups that can have more flexible search limits than the general user. The individual members or groups contained in the search limit group are granted less restrictive search limits than those imposed on general users.
When a user initiates a search, the search request limitations are first checked. If a user is a member of a search limit group, the limitations are compared. If the search limit group limitations are higher than those of the search request, the search request limitations are used. If the search request limitations are higher than those of the search limit group, the search limit group limitations are used. If no search limit group entries are found, the same comparison is made against the server search limitations. If no server search limitations have been set, the comparison is made against the default server setting. The limitations used are always the lowest settings in the comparison.
If a user belongs to multiple search limit groups, the user is granted up to the highest level of search capability. For example, the user belongs to search group 1, which grants search limits of search size 2000 entries and search time of 4000 seconds, and to search group 2, which grants search limits of search size unlimited entries and a search time of 3000 seconds. The user has the search limitations of search size unlimited and search time of 4000 seconds.
Search limit groups can be stored under either localhost or IBMpolicies. Search limit groups under IBMpolicies are replicated; those under localhost are not. You can store the same search limit group under both localhost and IBMpolicies. If the search limit group is not stored under one of these DNs, the server ignores the search limit part of the group and treats it as a normal group.
When a user initiates a search, the search limit group entries under localhost are checked first. If no entries are found for the user, the search limit group entries under IBMpolicies are then searched. If entries are found under localhost, the search limit group entries under IBMpolicies are not checked. The search limit group entries under localhost have priority over those under IBMpolicies.
For more information on search parameters, see:
