Configuring cleanup of expired SSO sessions in OpenLDAP
Prerequisites
All the steps preceding this one in Linux high availability setup - SSO must have been completed.
When SSO uses OpenLDAP Ubilogin Directory as the session store, SSO cleans up expired session objects at regular intervals. To prevent two or more SSO nodes from performing the cleanup at the same time, a locking mechanism allows only one node at a time to perform it.
With ADLDS Ubilogin Directory as the session store, sessions are stored as dynamic objects and are cleaned automatically. Therefore, with dynamic session objects, SSO doesn’t perform any cleanup of expired sessions at regular intervals.
There are configuration parameters to tune this cleanup process. They are set as configuration values for the service with com.ubisecure.ubilogin.session.manager.ldap.SessionManagerFactoryLDAP as the className.
cleanupInterval
The interval (in seconds) at which an SSO node performs session cleanup.
Default: 60
cleanupLockEnabled
If set to true, SSO checks that it is able to obtain a lock before performing session cleanup. If set to false, SSO doesn't check for a lock before performing session cleanup, so nothing prevents two nodes from cleaning up at the same time; consequently, any values set for cleanupLockCheckWait or cleanupLockTimeout have no effect.
Default: false
cleanupLockCheckWait
The time (in seconds) that an SSO node waits before checking whether it obtained the lock successfully and, if so, starting session cleanup. This controls the race condition in which two or more nodes try to obtain the lock at the same time.
Default: 10
cleanupLockTimeout
The time (in seconds) after which a lock can be forcefully released and given to another SSO node. This mitigates the possibility that a lock is left active after an unexpected software error: active SSO nodes can obtain a lock even if one already exists, provided that the existing lock is older than the value of this parameter. The value should therefore be longer than a cleanup run normally takes, otherwise a live lock can be taken over.
Default: 600
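The following is an added illustration, not Ubisecure SSO code: a small model of the lock behaviour that the three lock parameters describe, so that the interaction between cleanupLockCheckWait (the re-check that resolves a race) and cleanupLockTimeout (the takeover of a lock left behind by a crashed node) can be traced. The page does not document the lock object, its attributes or the exact algorithm, so the Ubilogin Directory is replaced by an in-memory object with a simulated clock, the lock is assumed to carry an owner and a creation time, concurrent writes are assumed to be last-writer-wins, and the winner is assumed to delete the lock after its cleanup run. The config_warnings checks are heuristics inferred from the parameter descriptions, not checks SSO is documented to perform.

```python
"""
Model of the lock behaviour that cleanupLockEnabled, cleanupLockCheckWait and
cleanupLockTimeout describe.  Added example, not Ubisecure SSO code: the page
does not document the lock object, its attributes or the exact algorithm, so
the Ubilogin Directory is replaced by an in-memory object with a simulated
clock, and write ordering is assumed to be "last writer wins".
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CleanupConfig:
    # Field names match the SSO configuration parameters; defaults from the page.
    cleanupInterval: int = 60
    cleanupLockEnabled: bool = False
    cleanupLockCheckWait: int = 10
    cleanupLockTimeout: int = 600


@dataclass
class Lock:
    owner: str      # node that wrote the lock (assumed attribute)
    created: float  # simulated time at which it was written (assumed attribute)


class Directory:
    """Stand-in for the session store: one optional lock entry plus a clock."""

    def __init__(self) -> None:
        self.lock: Optional[Lock] = None
        self.now: float = 0.0

    def lock_is_fresh(self, cfg: CleanupConfig) -> bool:
        """A lock younger than cleanupLockTimeout blocks other nodes."""
        return (self.lock is not None
                and self.now - self.lock.created < cfg.cleanupLockTimeout)


def run_cleanup_cycle(d: Directory, nodes: List[str], cfg: CleanupConfig,
                      winner_crashes: bool = False) -> List[str]:
    """Simulate one cleanupInterval tick on which every node wakes at once.

    Returns the nodes that actually perform the cleanup.  With the lock
    disabled every node does; with it enabled, the re-read after
    cleanupLockCheckWait lets exactly one of the racing writers proceed.
    winner_crashes=True models a node that dies without releasing the lock.
    """
    if not cfg.cleanupLockEnabled:
        return list(nodes)

    # Phase 1: all nodes read the directory at the same instant.  Each node
    # that sees no lock, or only a stale one, writes its own.  Writes land in
    # node order, so the last writer's lock is the one that survives.
    writers = [n for n in nodes if not d.lock_is_fresh(cfg)]
    for n in writers:
        d.lock = Lock(owner=n, created=d.now)

    # Phase 2: after cleanupLockCheckWait, each writer re-reads the lock and
    # goes ahead only if it is still the recorded owner.
    d.now += cfg.cleanupLockCheckWait
    winners = [n for n in writers if d.lock is not None and d.lock.owner == n]

    # Assumed: the winner deletes the lock once its cleanup run has finished.
    if winners and not winner_crashes:
        d.lock = None
    return winners


def config_warnings(cfg: CleanupConfig, node_count: int) -> List[str]:
    """Sanity checks on the chosen values (heuristics inferred from the
    parameter descriptions, not checks SSO itself is documented to make)."""
    warnings = []
    if node_count > 1 and not cfg.cleanupLockEnabled:
        warnings.append("cleanupLockEnabled is false: nothing stops the nodes "
                        "from running cleanup at the same time")
    if cfg.cleanupLockCheckWait >= cfg.cleanupInterval:
        warnings.append("cleanupLockCheckWait is not shorter than cleanupInterval: "
                        "the next tick arrives before the lock check completes")
    if cfg.cleanupLockTimeout <= cfg.cleanupLockCheckWait:
        warnings.append("cleanupLockTimeout is not longer than cleanupLockCheckWait: "
                        "a lock can be taken over before its owner has confirmed it")
    return warnings


if __name__ == "__main__":
    cfg = CleanupConfig(cleanupLockEnabled=True, cleanupInterval=240,
                        cleanupLockCheckWait=15, cleanupLockTimeout=300)
    d = Directory()
    print("racing nodes A and B ->", run_cleanup_cycle(d, ["A", "B"], cfg))
    print("warnings for two nodes on defaults ->", config_warnings(CleanupConfig(), 2))
```

With the values used in the sso-api request on this page (interval 240, check wait 15, timeout 300) the model produces no warnings, two nodes waking on the same tick result in a single cleanup, and a lock abandoned by a crashed node blocks the other node only until it is older than cleanupLockTimeout. With the page defaults (lock disabled) every node runs the cleanup on every tick, which is the situation the lock exists to prevent.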
To create or modify the service:
PUT /sso-api/service/SessionManagerFactoryLDAP HTTP/1.1
className=com.ubisecure.ubilogin.session.manager.ldap.SessionManagerFactoryLDAP
&configuration=cleanupLockEnabled%20true
&configuration=cleanupInterval%20240
&configuration=cleanupLockCheckWait%2015
&configuration=cleanupLockTimeout%20300
The service must also be linked to the sessionStore/ServerSession for the configuration to be active.
PUT /sso-api/sessionStore/ServerSession/$link/service/SessionManagerFactoryLDAP HTTP/1.1
Any of these changes requires the SSO Server to be restarted.
This web page (including any attachments) may contain confidential, proprietary, or privileged information – not for disclosure without authorization from Ubisecure Inc. Copyright © 2024. All Rights Reserved.