3.1.1.5.2.5 Quota Calculation

Quotas control the number of objects (including tombstones, deleted-objects, and recycled-objects) that a security principal can own within an NC. A security principal is considered the "owner" of an object if the OWNER field in the object's nTSecurityDescriptor value equals the SID of the security principal. In the event the object owner changes, the quota (USAGE) for the existing and potential new owner is recalculated.

The quota is not enforced in two cases:

  • When the requester of an operation is not the same as the potential owner.

  • When the requester has specified the LDAP_SERVER_BYPASS_QUOTA_OID control and has been granted the control access right DS-Bypass-Quota on the object that is the root of the NC in which the operation is to be performed.

When a quota is enforced, the USAGE value for the requester is computed. When the USAGE value computed for a requester exceeds their MAX-USAGE value (see below), add, undelete (reanimation), delete, and change-of-owner operations are prevented for the requester and the server returns the adminLimitExceeded / STATUS_QUOTA_EXCEEDED error.

The USAGE value is computed as follows:

USAGE = owned_existing_objects + ceil(tombstone-factor/100 * owned_deleted_objects)

In the preceding formula, owned_existing_objects is the total number of existing-objects that the requester owns. owned_deleted_objects is the total number of tombstones, deleted-objects, or recycled-objects (see the Delete operation in section 3.1.1.5.5) that the requester owns. tombstone-factor is the integer value stored in the msDS-TombstoneQuotaFactor attribute on the Quotas container in the NC. Ceil() is the "ceiling" mathematical function.

The MAX-USAGE value is computed as follows:

  1. A set of applicable msDS-QuotaControl objects in the Quotas container is obtained. An msDS-QuotaControl object is applicable for the requester if its msDS-QuotaTrustee attribute contains a SID that is present in the requester's authorization information.

  2. If the set of applicable msDS-QuotaControl objects is non-empty, then the maximum value of the msDS-QuotaAmount attribute is chosen as the MAX-USAGE value.

  3. If the set of applicable msDS-QuotaControl objects is empty, then the value of the msDS-DefaultQuota attribute on the Quotas container is chosen as the MAX-USAGE value.
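The USAGE formula and the three MAX-USAGE steps above, combined with the two non-enforcement cases, can be modeled as follows. This is an added example, not code from the specification; it follows only the rules stated in this section, and the function names, the `QuotaControl` class, the SIDs, and the quota amounts are assumptions constructed for illustration.

```python
from dataclasses import dataclass

ADMIN_LIMIT_EXCEEDED = "adminLimitExceeded"  # error named in this section

@dataclass(frozen=True)
class QuotaControl:
    trustee_sid: str  # msDS-QuotaTrustee
    amount: int       # msDS-QuotaAmount

def usage(owned_existing, owned_deleted, tombstone_factor):
    # owned_existing + ceil(tombstone-factor/100 * owned_deleted), done in
    # integer arithmetic so the ceiling is exact.
    return owned_existing + -(-(tombstone_factor * owned_deleted) // 100)

def max_usage(token_sids, quota_controls, default_quota):
    # Steps 1-3: largest msDS-QuotaAmount among applicable objects, else
    # the msDS-DefaultQuota value of the Quotas container.
    applicable = [q.amount for q in quota_controls if q.trustee_sid in token_sids]
    return max(applicable) if applicable else default_quota

def quota_enforced(requester_sid, owner_sid, bypass_control=False, bypass_right=False):
    # Not enforced when the requester is not the potential owner, or when the
    # bypass control is sent AND DS-Bypass-Quota is granted on the NC root.
    if requester_sid != owner_sid:
        return False
    return not (bypass_control and bypass_right)

def check_quota(requester_sid, owner_sid, token_sids, owned_existing, owned_deleted,
                tombstone_factor, quota_controls, default_quota,
                bypass_control=False, bypass_right=False):
    """Return ADMIN_LIMIT_EXCEEDED if the operation is prevented, else None."""
    if not quota_enforced(requester_sid, owner_sid, bypass_control, bypass_right):
        return None
    used = usage(owned_existing, owned_deleted, tombstone_factor)
    limit = max_usage(token_sids, quota_controls, default_quota)
    return ADMIN_LIMIT_EXCEEDED if used > limit else None

# Constructed sample data (not from a real directory).
USER = "S-1-5-21-1111-2222-3333-1104"
GROUP = "S-1-5-21-1111-2222-3333-1201"
CONTROLS = [QuotaControl(USER, 10), QuotaControl(GROUP, 50),
            QuotaControl("S-1-5-21-1111-2222-3333-1999", 500)]

if __name__ == "__main__":
    # 40 existing objects + ceil(0.5 * 25) = 53; limit is max(10, 50) = 50
    print(check_quota(USER, USER, {USER, GROUP}, 40, 25, 50, CONTROLS, 5))
```

Because the largest applicable msDS-QuotaAmount is chosen, a generous quota assigned to any group in the requester's authorization information overrides a smaller quota assigned to the user directly, which is worth checking when auditing Quotas containers.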