Versions Compared

...

There are configuration parameters to tune this cleanup process which can be set as ubiloginConfString configuration values for the ubiloginService service with com.ubisecure.ubilogin.session.manager.ldap.SessionManagerFactoryLDAP as the ubiloginClassName className.

  • cleanupInterval

    • The interval (in seconds) at which an SSO node performs session cleanup.

    • Default: 60

  • cleanupLockEnabled

    • If set to true, SSO checks that it is able to obtain a lock before performing session cleanup.

    • If set to false, SSO doesn’t check for a lock before performing session cleanup.

    • Default: true

  • cleanupLockCheckWait

    • The time (in seconds) an SSO node waits before starting session cleanup, to check whether it obtained the lock successfully. This controls the race condition of two or more nodes trying to obtain the lock at the same time.

    • Default: 10

  • cleanupLockTimeout

    • The time (in seconds) after which a lock can be forcefully released and given to another SSO node. This mitigates the possibility that a lock is left active after an unexpected software error: active SSO nodes can obtain a lock even if one already exists, provided that the existing lock is older than the value specified for this parameter.

    • Default: 600
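
The following added example is a simplified model of how cleanupLockCheckWait and cleanupLockTimeout interact. It is not Ubisecure SSO code. The shared store with last-write-wins behaviour, the shared clock, and all function and class names are assumptions made for illustration.

```python
# Simplified model of the cleanup lock (added illustration, not Ubisecure SSO code).
from dataclasses import dataclass
from typing import List, Optional

CLEANUP_LOCK_TIMEOUT = 600  # seconds, the documented default


@dataclass
class Lock:
    owner: str
    created: int  # seconds on a clock shared by all nodes (assumption)


class SharedStore:
    """Stands in for the shared session store; the last write wins (assumption)."""

    def __init__(self, lock: Optional[Lock] = None):
        self.lock = lock


def may_claim(store: SharedStore, now: int, timeout: int) -> bool:
    """A node may write a lock if none exists or the existing one is older than timeout."""
    return store.lock is None or now - store.lock.created > timeout


def run_round(store: SharedStore, nodes: List[str], now: int,
              timeout: int = CLEANUP_LOCK_TIMEOUT,
              confirm_after_wait: bool = True) -> List[str]:
    """Return the nodes that go on to run cleanup when all wake at the same instant."""
    # Every node reads before any node writes: this is the race window.
    contenders = [n for n in nodes if may_claim(store, now, timeout)]
    for node in contenders:
        store.lock = Lock(node, now)  # later writes overwrite earlier ones
    if not confirm_after_wait:
        return contenders  # no check: every contender believes it holds the lock
    # cleanupLockCheckWait seconds later, each node re-reads; only the owner proceeds.
    return [n for n in contenders if store.lock.owner == n]


if __name__ == "__main__":
    store = SharedStore()
    print(run_round(store, ["sso1", "sso2"], now=0))   # one winner
    print(run_round(store, ["sso1"], now=300))         # lock still live
    print(run_round(store, ["sso1"], now=601))         # stale lock taken over
```

In this model a lock whose owner crashed blocks cleanup on every node until its age exceeds cleanupLockTimeout.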

For exampleTo create or modify the service:

Code Block
dn: cn=SessionManagerFactoryLDAP,cn=Services,ou=System,@suffix@
changetype:add
objectClass: ubiloginService
cn: SessionManagerFactoryLDAP
ubiloginClassName: PUT /sso-api/service/SessionManagerFactoryLDAP HTTP/1.1

className=com.ubisecure.ubilogin.session.manager.ldap.SessionManagerFactoryLDAP
ubiloginConfString: cleanupInterval 240
ubiloginConfString: cleanupLockCheckWait 15
ubiloginConfString: cleanupLockTimeout 300

dn: cn=ServerSession,ou=System,@suffix@
changetype: modify
replace: ubiloginServiceDN
ubiloginServiceDN: cn=SessionManagerFactoryLDAP,cn=Services,ou=System,@suffix@
-

Note that @suffix@ must be expanded to the value of attribute suffix in unix.config.

The change can be done using for example Apache Directory Studio, or you can create an ldif file to change the file, and load the data using import script:

...

&configuration=cleanupLockEnabled%20true
&configuration=cleanupInterval%20240
&configuration=cleanupLockCheckWait%2015
&configuration=cleanupLockTimeout%20300
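
Review bot: the request body for PUT /sso-api/service/SessionManagerFactoryLDAP is shown with className and each &configuration pair on its own line, and a reader may copy it with the line breaks included. State whether the breaks are for readability only, or show the body as a single line, so that the four cleanup values are not sent with stray newlines in them.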

The service must also be linked to the sessionStore/ServerSession for the configuration to be active.

Code Block
PUT /sso-api/sessionStore/ServerSession/$link/service/SessionManagerFactoryLDAP HTTP/1.1

Any of these changes requires the SSO Server to be restarted.