Prerequisites

All preceding steps in Linux high availability setup - SSO must have been completed.


When SSO uses OpenLDAP Ubilogin Directory as the session store, SSO removes expired session objects at regular intervals. To prevent two or more SSO nodes from running the cleanup at the same time, a locking mechanism allows only one node at a time to perform it.

With ADLDS Ubilogin Directory as the session store, sessions are stored as dynamic objects and are removed automatically by ADLDS itself when they expire. With dynamic session objects, therefore, SSO does not run any periodic cleanup of expired sessions.

The cleanup process is tuned with configuration parameters set as ubiloginConfString values on a ubiloginService entry whose ubiloginClassName is com.ubisecure.ubilogin.session.manager.ldap.SessionManagerFactoryLDAP.

  • cleanupInterval

    • The interval (in seconds) at which an SSO node runs session cleanup.

    • Default: 60

  • cleanupLockEnabled

    • If set to true, SSO checks that it has obtained the lock before performing session cleanup.

    • If set to false, SSO performs session cleanup without checking for a lock, so several nodes may clean up concurrently.

    • Default: true

  • cleanupLockCheckWait

    • The time (in seconds) an SSO node waits after writing the lock before checking that it still holds the lock and starting session cleanup. This handles the race condition in which two or more nodes try to obtain the lock at the same time: only the node whose lock survives the wait proceeds.

    • Default: 10

  • cleanupLockTimeout

    • The age (in seconds) after which an existing lock may be forcibly taken over by another SSO node. This mitigates the case where a lock is left active after an unexpected software error: an active SSO node may obtain the lock even if one already exists, provided the existing lock is older than this value. The value should therefore be longer than a cleanup run normally takes, or a second node may take over the lock while cleanup is still in progress.

    • Default: 600

For example:

dn: cn=SessionManagerFactoryLDAP,cn=Services,ou=System,@suffix@
changetype: add
objectClass: ubiloginService
cn: SessionManagerFactoryLDAP
ubiloginClassName: com.ubisecure.ubilogin.session.manager.ldap.SessionManagerFactoryLDAP
ubiloginConfString: cleanupInterval 240
ubiloginConfString: cleanupLockCheckWait 15
ubiloginConfString: cleanupLockTimeout 300

dn: cn=ServerSession,ou=System,@suffix@
changetype: modify
replace: ubiloginServiceDN
ubiloginServiceDN: cn=SessionManagerFactoryLDAP,cn=Services,ou=System,@suffix@
-

Note that @suffix@ must be expanded to the value of the suffix attribute in unix.config.
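The following Python model illustrates how the three timing parameters interact, using the example values above (cleanupInterval 240, cleanupLockCheckWait 15, cleanupLockTimeout 300). It is an added example and not Ubisecure SSO code: the real lock is an entry in the Ubilogin Directory whose attribute names are not documented on this page, so the LockStore and LockRecord classes, the node names sso1/sso2/sso3 and the check_config sanity rules are assumptions. The store models an LDAP write as a plain replace (last writer wins), which is what makes the cleanupLockCheckWait re-check necessary, and the stale-lock case shows a crashed node's lock becoming reclaimable once it is older than cleanupLockTimeout.

```python
"""Model of the session cleanup lock semantics described on this page.

Added illustration, not Ubisecure SSO code: LockStore, LockRecord and the
node names are assumptions. A write behaves like an LDAP replace (last
writer wins, no compare-and-swap), which is why the re-check after
cleanupLockCheckWait is needed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class LockRecord:
    owner: str       # node that last wrote the lock entry
    acquired: float  # time in seconds at which it was written


class LockStore:
    """Assumed lock entry shared by all SSO nodes."""

    def __init__(self) -> None:
        self.record: Optional[LockRecord] = None

    def write(self, owner: str, now: float) -> None:
        self.record = LockRecord(owner, now)  # replace semantics

    def release(self, owner: str) -> None:
        if self.record is not None and self.record.owner == owner:
            self.record = None


def lock_is_free(store: LockStore, now: float, lock_timeout: float) -> bool:
    """A lock may be taken if none exists or the existing one is older than cleanupLockTimeout."""
    rec = store.record
    return rec is None or (now - rec.acquired) > lock_timeout


def confirm_after_wait(store: LockStore, node: str) -> bool:
    """After cleanupLockCheckWait seconds, cleanup runs only if the entry still names this node."""
    rec = store.record
    return rec is not None and rec.owner == node


def race(store: LockStore, nodes: List[str], now: float, lock_timeout: float) -> List[str]:
    """Nodes whose cleanupInterval timers fire together; returns those allowed to clean up.

    Every node reads the entry before any of them writes, which is the race the
    page describes. Without the re-check every candidate would run cleanup.
    """
    candidates = [n for n in nodes if lock_is_free(store, now, lock_timeout)]
    for n in candidates:
        store.write(n, now)
    return [n for n in candidates if confirm_after_wait(store, n)]


def check_config(cleanup_interval: float, lock_check_wait: float,
                 lock_timeout: float, expected_cleanup_seconds: float) -> List[str]:
    """Sanity checks derived from the semantics above (assumed rules, not from the page).

    expected_cleanup_seconds is an assumed estimate of how long one cleanup run takes.
    """
    problems = []
    if lock_check_wait >= cleanup_interval:
        problems.append("cleanupLockCheckWait must be shorter than cleanupInterval")
    if lock_timeout <= lock_check_wait + expected_cleanup_seconds:
        problems.append("cleanupLockTimeout shorter than a cleanup run: a second node "
                        "may take over the lock while cleanup is still running")
    return problems


if __name__ == "__main__":
    store = LockStore()
    # Two nodes race at t=0 with the page's example cleanupLockTimeout of 300.
    print("winner(s):", race(store, ["sso1", "sso2"], now=0, lock_timeout=300))
    store.release("sso2")
    # sso1 is assumed to crash while holding the lock: reclaimable only after 300 s.
    store.write("sso1", 0)
    print("free at t=200:", lock_is_free(store, 200, 300))
    print("free at t=301:", lock_is_free(store, 301, 300))
    print("config problems:", check_config(240, 15, 300, expected_cleanup_seconds=60))
```

Only the last writer survives the re-check, so exactly one node cleans up per tick, and a lock abandoned by a crashed node is reclaimed once its age exceeds cleanupLockTimeout. The check_config rules make the caveat explicit: a cleanupLockTimeout shorter than an actual cleanup run defeats the mutual exclusion the lock is meant to provide.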

The change can be made with, for example, Apache Directory Studio, or by writing the changes to an LDIF file and loading it with the import script:

./ldap/openldap/import.sh ldap/[name of file containing the changes].ldif
