Questions regarding administrative limits in CA Directory

Article ID: 203629


Products

CA Directory

Issue/Introduction

What is the difference between dxSizeLimit and max-op-size?

For example, with set max-op-size = 3000 and dxSizeLimit set to 5000, what will happen if a search operation should return 4000 entries?

What about dxTimeLimit and max-op-time?

Environment

Release : 12.x, 14.x

Component : CA Directory

Resolution

Both dxSizeLimit and max-op-size limit the number of entries returned by search requests in order to improve performance.
dxTimeLimit and max-op-time limit the time spent serving search requests. Reasonable time limits also improve Directory performance.

An LDAP or DAP client can also set size and/or time limits in its search requests (for instance, using the -z and/or -l parameters of the dxsearch/ldapsearch command).

dxSizeLimit and dxTimeLimit are role-based administrative limits. They apply to all users who are members of a role where the limits are set.
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/directory/14-1/administrating/manage-operations/limit-operations/role-based-limits.html

max-op-size and max-op-time are DSA limits and are set in a DSA configuration using the set max-op-size and set max-op-time commands.

In our example, set max-op-size = 3000 is configured and dxSizeLimit is set to 5000.

We cannot immediately tell what will happen if a search operation should potentially return 4000 entries.
It depends on where those 4000 entries are actually stored.

  1. All 4000 entries to be returned are stored in the DSA where max-op-size is set to 3000.
    In this case only 3000 entries will be returned, and the search operation will fail with error code 11 (Administrative limit exceeded).
  2. It is a distributed request. Only 2000 entries are stored in the DSA where max-op-size is set to 3000, while the other 2000 entries are stored in other DSAs.
    In this case the search operation is successful and all 4000 entries are returned.
    max-op-size is enforced by the DSA only locally; entries received from other DSAs are not counted.

For a distributed request with the max-op-time limit set in a DSA, the situation is different.
If the request is chained or multi-chained to other DSA(s), the local DSA still has a reference to the request. This reference is impacted by the time limit even though the request is serviced by one or more remote DSAs.
For instance, suppose the local DSA from the above example also has max-op-time set to 5. The local search operation finished in just 3 seconds, but the remote DSA did not provide its result within 5 seconds. The DSA returned 2000 entries and the search request failed with error 11.

Please also note that both max-op-time and max-op-size limits apply to any single page returned by a DSA, but not to the whole search operation where paging is used.
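
Because a limited search hands back entries together with error 11, a script that consumes search output has to check the result code before treating the entries as the full answer. The following Python check is an added example, not part of the original article or of CA Directory's tooling; it assumes LDIF output ending in the "result: <code> <text>" trailer that OpenLDAP's ldapsearch prints, and the sample output and the o=example DNs are constructed.

```python
import re

# LDAP result codes (RFC 4511) that signal a limit was hit; entries may still
# have been returned before the error.
LIMIT_CODES = {3: "timeLimitExceeded", 4: "sizeLimitExceeded", 11: "adminLimitExceeded"}

RESULT_RE = re.compile(r"^result:\s*(\d+)\b", re.MULTILINE)
DN_RE = re.compile(r"^dn::? ", re.MULTILINE)  # "dn::" marks a base64-encoded DN


def classify_search(output):
    """Return (code, entry_count, complete) for one search's LDIF output."""
    entries = len(DN_RE.findall(output))
    codes = RESULT_RE.findall(output)
    if not codes:
        # No result trailer: the output was cut off, so never trust it.
        return None, entries, False
    code = int(codes[-1])  # the trailer is the last "result:" line
    # Only result 0 means the entries are the whole answer. Code 11 with
    # 3000 entries (case 1 above) is a partial set, as is any other error.
    return code, entries, code == 0


def limit_name(code):
    """Name a limit-related result code, or return None if it is not one."""
    return LIMIT_CODES.get(code)


def _sample(n, result_line):
    # Constructed sample output: n entries under a made-up o=example suffix.
    body = "".join(f"dn: cn=user{i},o=example\ncn: user{i}\n\n" for i in range(n))
    trailer = f"# search result\nsearch: 2\n{result_line}\n" if result_line else ""
    return body + trailer


SAMPLE_LIMITED = _sample(3000, "result: 11 Administrative limit exceeded")
SAMPLE_OK = _sample(4000, "result: 0 Success")
SAMPLE_CUT = _sample(10, None)  # output truncated before any trailer

if __name__ == "__main__":
    for name, text in [("limited", SAMPLE_LIMITED), ("ok", SAMPLE_OK), ("cut", SAMPLE_CUT)]:
        code, count, complete = classify_search(text)
        print(name, code, limit_name(code), count, "complete" if complete else "PARTIAL")
```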