146 lines
7.9 KiB
HTML
146 lines
7.9 KiB
HTML
<?xml version="1.0" encoding="utf-8"?>
|
|
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
|
|
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
<meta name="dc.language" scheme="rfc1766" content="en-us" />
|
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
|
<!-- US Government Users Restricted Rights -->
|
|
<!-- Use, duplication or disclosure restricted by -->
|
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
|
<meta name="dc.date" scheme="iso8601" content="2005-09-06" />
|
|
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
|
|
<meta name="security" content="public" />
|
|
<meta name="Robots" content="index,follow"/>
|
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
|
<title>Directory Server (LDAP) - Search parameters</title>
|
|
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
|
|
<link rel="stylesheet" type="text/css" href="ic.css" />
|
|
</head>
|
|
<body>
|
|
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
|
|
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>
|
|
|
|
<img src="delta.gif" alt="Start of change" />
|
|
<a name="rzahysearchpar"></a>
|
|
<h2 id="rzahysearchpar">Search parameters</h2>
|
|
<p>To limit the amount of resources used by the server, an administrator can
|
|
set search parameters to restrict users' search capabilities. Search capabilities
|
|
can also be extended for special users. User searches can be restricted or
|
|
extended using these methods:</p>
|
|
<p><span class="bold">Restrict search</span></p>
|
|
<ul>
|
|
<li>Paged search</li>
|
|
<li>Sorted search</li>
|
|
<li>Disable alias dereferencing</li></ul>
|
|
<p><span class="bold">Extend search</span></p>
|
|
<ul>
|
|
<li>Search limit groups</li></ul>
|
|
<p><span class="bold">Paged search</span></p>
|
|
<p>Paged results allow a client to manage the amount of data returned from
|
|
a search request. A client can request a subset of entries (a page) instead
|
|
of receiving all the results from the server at once. Subsequent search requests
|
|
return the next page of results until the operation is canceled or the last
|
|
result is returned. The administrator can restrict its use by only allowing
|
|
administrators to use it.</p>
|
|
<p><span class="bold">Sorted search</span></p>
|
|
<p>Sorted search allows a client to receive search results sorted by a list
|
|
of criteria, where each criterion represents a sort key. This moves the responsibility
|
|
of sorting from the client application to the server. The administrator can
|
|
restrict its use by only allowing administrators to use it.</p>
|
|
<p><span class="bold">Disable alias dereferencing</span></p>
|
|
<p>A directory entry with objectclass of alias or aliasObject contains the
|
|
attribute aliasedObjectName, which is used to reference another entry in the
|
|
directory. Only search requests can specify if aliases are dereferenced. <span class="italic">Dereferencing</span> means to trace the alias back to the original
|
|
entry. The IBM Directory Server response time for searches with the alias
|
|
dereferencing option set to <span class="bold">always</span> or <span class="bold">search</span> might be significantly longer than that of searches with dereferencing
|
|
option set to <span class="bold">never</span>, even if no alias entries
|
|
exist in the directory. Two settings determine the server's alias dereference
|
|
behavior: the dereferencing option specified by the client's search request
|
|
and the dereference option as configured in the server by the administrator.
|
|
If configured to do so, the server can automatically bypass alias dereferencing
|
|
if no alias objects exist in the directory as well as override the dereference
|
|
option specified in client search requests. The following table describes
|
|
how alias dereferencing is hashed between the client and the server.</p>
|
|
<a name="wq40"></a>
|
|
<table id="wq40" width="100%" summary="" border="1" frame="border" rules="all">
|
|
<caption>Table 2. Actual alias dereferencing based on client and server settings</caption>
|
|
<thead valign="bottom">
|
|
<tr>
|
|
<th id="wq41" width="33%" align="left" valign="top">Server</th>
|
|
<th id="wq42" width="33%" align="left" valign="top">Client</th>
|
|
<th id="wq43" width="33%" align="left" valign="top">Actual</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody valign="top">
|
|
<tr>
|
|
<td valign="top" headers="wq41">never</td>
|
|
<td valign="top" headers="wq42">any setting</td>
|
|
<td headers="wq43">never</td>
|
|
</tr>
|
|
<tr>
|
|
<td headers="wq41">always</td>
|
|
<td headers="wq42">any setting</td>
|
|
<td headers="wq43">the client's setting</td>
|
|
</tr>
|
|
<tr>
|
|
<td headers="wq41">any setting</td>
|
|
<td headers="wq42">always</td>
|
|
<td headers="wq43">the server's setting</td>
|
|
</tr>
|
|
<tr>
|
|
<td headers="wq41">search</td>
|
|
<td headers="wq42">find</td>
|
|
<td headers="wq43">never</td>
|
|
</tr>
|
|
<tr>
|
|
<td headers="wq41">find</td>
|
|
<td headers="wq42">search</td>
|
|
<td headers="wq43">never</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
<p><span class="bold">Search limit groups</span></p>
|
|
<p>An administrator can create search limit groups that can have more flexible
|
|
search limits than the general user. The individual members or groups contained
|
|
in the search limit group are granted less restrictive search limits than
|
|
those imposed on general users.</p>
|
|
<p>When a user initiates a search, the search request limitations are first
|
|
checked. If a user is a member of a search limit group, the limitations are
|
|
compared. If the search limit group limitations are higher than those of the
|
|
search request, the search request limitations are used. If the search request
|
|
limitations are higher than those of the search limit group, the search limit
|
|
group limitations are used. If no search limit group entries are found, the
|
|
same comparison is made against the server search limitations. If no server
|
|
search limitations have been set, the comparison is made against the default
|
|
server setting. The limitations used are always the lowest settings in the
|
|
comparison.</p>
|
|
<p>If a user belongs to multiple search limit groups, the user is granted
|
|
up to the highest level of search capability. For example, the user belongs
|
|
to search group 1, which grants search limits of search size 2000 entries
|
|
and search time of 4000 seconds, and to search group 2, which grants search
|
|
limits of search size unlimited entries and a search time of 3000 seconds.
|
|
The user has the search limitations of search size unlimited and search time
|
|
of 4000 seconds.</p>
|
|
<p>Search limit groups can be stored under either localhost or IBMpolicies.
|
|
Search limit groups under IBMpolicies are replicated; those under localhost
|
|
are not. You can store the same search limit group under both localhost and
|
|
IBMpolicies. If the search limit group is not stored under one of these DNs,
|
|
the server ignores the search limit part of the group and treats it as a normal
|
|
group.</p>
|
|
<p>When a user initiates a search, the search limit group entries under localhost
|
|
are checked first. If no entries are found for the user, the search limit
|
|
group entries under IBMpolicies are then searched. If entries are found under
|
|
localhost, the search limit group entries under IBMpolicies are not checked.
|
|
The search limit group entries under localhost have priority over those under
|
|
IBMpolicies.</p>
|
|
<p>For more information on search parameters, see:</p>
|
|
<ul>
|
|
<li><a href="rzahysearch-pi.htm#rzahysearch-pi">Adjust search settings</a></li>
|
|
<li><a href="rzahysearchentry.htm#rzahysearchentry">Search the directory entries</a></li>
|
|
<li><a href="rzahymansearchgroup.htm#rzahymansearchgroup">Manage search limit groups</a></li></ul><img src="deltaend.gif" alt="End of change" />
|
|
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
|
|
</body>
|
|
</html>
|