is refusing connections because it is out of file descriptors. When this occurs, the following message is written to the Directory Server's error log file:

Not listening for new connections -- too many fds open

See “nsslapd-conntablesize” for more information about increasing the number of incoming connections.

NOTE:

UNIX shells usually have configurable limits on the number of file descriptors. See the operating system documentation for further information about limit and ulimit, as these limits can often cause problems.

The server has to be restarted for changes to this attribute to go into effect.

| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | 1 to 65535 |
| Default Value | 1024 |
| Syntax | Integer |
| Example | nsslapd-maxdescriptors: 1024 |

2.3.1.71 nsslapd-max-filter-nest-level (Maximum search filter nesting level)

This attribute sets the level of nesting allowed in search filters. Setting this parameter to 0 or a negative number removes any limit on the depth of the nested filters.

| Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Range | -1 to the maximum 32-bit integer value (2147483647) |
| Default Value | 40 |
| Syntax | Integer |
| Example | nsslapd-max-filter-nest-level: 1 |

This would cause the following filter to be rejected:

"(&(&(uid=jsmith)(sn=smith))(objectclass=person))"
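The rule described above can be checked before a filter reaches the server, for example in an application that builds filters from user input. The following is an added example, not code from the manual or from the Directory Server. It assumes that nesting depth is the number of composite operators (&, |, !) enclosing one another, which is consistent with the rejected filter shown above; the function names filter_nest_depth and is_allowed are hypothetical.

```python
# Added example (not from the manual): measure LDAP search filter nesting depth.
# Assumption: depth = how many composite operators (&, |, !) enclose one another.
# RFC 4515 requires literal parentheses inside values to be escaped as \28 and
# \29, so every raw "(" or ")" in a well-formed filter string is structural.


def filter_nest_depth(filter_str: str) -> int:
    """Return the deepest nesting of composite (&, |, !) filters."""
    depth = max_depth = 0
    stack = []  # one bool per open "(": True if it opened a composite filter
    n = len(filter_str)
    for i, ch in enumerate(filter_str):
        if ch == "(":
            composite = i + 1 < n and filter_str[i + 1] in "&|!"
            stack.append(composite)
            if composite:
                depth += 1
                max_depth = max(max_depth, depth)
        elif ch == ")":
            if not stack:
                raise ValueError("unbalanced ')' in filter")
            if stack.pop():
                depth -= 1
    if stack:
        raise ValueError("unbalanced '(' in filter")
    return max_depth


def is_allowed(filter_str: str, max_nest_level: int) -> bool:
    """Apply the documented rule: 0 or a negative limit removes the limit."""
    if max_nest_level <= 0:
        return True
    return filter_nest_depth(filter_str) <= max_nest_level


if __name__ == "__main__":
    # Filter taken from the manual's example, without the surrounding quotes.
    page_filter = "(&(&(uid=jsmith)(sn=smith))(objectclass=person))"
    for limit in (1, 40, 0):
        verdict = "allowed" if is_allowed(page_filter, limit) else "rejected"
        print(f"nsslapd-max-filter-nest-level: {limit} -> {verdict}")
```
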

2.3.1.72 nsslapd-maxsasliosize (Maximum SASL packet size)

When a user is authenticated to the Directory Server over SASL GSS-API, the server must allocate a certain amount of memory to the client to perform LDAP operations, according to how much memory the client requests. It is possible for an attacker to send such a large packet size that it crashes the Directory Server or ties it up indefinitely as part of a denial of service attack.

The packet size which the Directory Server will allow for SASL clients can be limited using the nsslapd-maxsasliosize attribute. This attribute sets the maximum allowed SASL IO packet size that the server will accept.

When an incoming SASL I/O packet is larger than the nsslapd-maxsasliosize limit, the server immediately disconnects the client and logs a message to the error log, so that an administrator can adjust the setting if necessary.

50 Core server configuration reference
