SiteMinder fails to clean up expired sessions from the session store, and the following error is observed in the CA Directory query log.
Failing query and result:
[4] 20210219.031105.577 2.1012254797 REMOVE dn="smSessionId="RriOqOEzR9avuG4mXIKl6HHMR1o=",o=sessionstoredsa,c=us" controls="^tree-delete" (TLSv1.2) source="dsp[router-xxxxxxxxxxxxx]"
[4] 20210219.031105.578 2.1012254797 RESULT error update 3 notAllowedOnNonLeaf(66)
Release : 12.8.03
Component : SITEMINDER - POLICY SERVER
- To delete a subtree of the LDAP DIT, SiteMinder attaches the LDAP Tree Delete control (OID 1.2.840.113556.1.4.805) to the delete request it sends to the directory. Without this control an LDAP delete is only valid for a leaf entry; a delete of an entry that still has child entries fails with notAllowedOnNonLeaf(66).
- So the control OID 1.2.840.113556.1.4.805 is what SiteMinder uses to request a subtree delete.
- CA Directory maps this OID to the control name tree-delete, so in the query log the request appears as
[2] 20210224.123244.354 16.130 REMOVE dn="smSessionId="F9kBPmQr1WfLcCrgDFfB7iYqjz4=",o=sessionstoredsa,c=us" source="client" controls="tree-delete"
- Examples of how this appears in the CA Directory query log follow.
set excluded-controls = tree-delete;
The set excluded-controls command in the DSA configuration prevents the listed LDAP controls from being used. If CA Directory receives a tree-delete control while this setting is in place, it ignores the control and logs it as ^tree-delete.
When the query log is enabled with the LDAP controls advanced option, excluded controls are still displayed. The control name is prefixed with the '^' character to indicate that it has been ignored.
*** Use case 1
SiteMinder does not send control OID 1.2.840.113556.1.4.805, so no controls= attribute is added to the log line.
CA Directory logs the query like this:
[2] 20210224.123244.354 16.130 REMOVE dn="smSessionId="F9kBPmQr1WfLcCrgDFfB7iYqjz4=",o=sessionstoredsa,c=us" source="client"
*** Use case 2
SiteMinder sends control OID 1.2.840.113556.1.4.805 and excluded-controls = tree-delete is NOT set, so controls="tree-delete" is appended to the log line and the subtree delete is honoured.
CA Directory logs the query like this:
[2] 20210224.123244.354 16.130 REMOVE dn="smSessionId="F9kBPmQr1WfLcCrgDFfB7iYqjz4=",o=sessionstoredsa,c=us" source="client" controls="tree-delete"
*** Use case 3
SiteMinder sends control OID 1.2.840.113556.1.4.805, but the DSA configuration has set excluded-controls = tree-delete, so controls="^tree-delete" is appended to the log line: the control was received but ignored.
[4] 20210219.031105.577 2.1012254797 REMOVE dn="smSessionId="RriOqOEzR9avuG4mXIKl6HHMR1o=",o=sessionstoredsa,c=us" controls="^tree-delete" (TLSv1.2) source="dsp[router-lxisddirqas006]"
Reason:
The control is logged as controls="^tree-delete" because the following DSA configuration setting is present. It instructs the directory to ignore the tree-delete control, that is, NOT to delete the subtree:
set excluded-controls = tree-delete
The directory therefore attempts a plain delete of a session entry that still has child entries. That is not permitted on a non-leaf entry, so it returns notAllowedOnNonLeaf(66) and the expired session subtree stays in the session store.
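The three use cases above can be told apart mechanically from the query log, which is the check to run before touching the DSA configuration. The script below is an added example, not part of this article and not a SiteMinder or CA Directory tool. It parses REMOVE and RESULT lines, links each REMOVE to its RESULT, and reports whether a failed delete was caused by excluded-controls (the control arrived but was logged as ^tree-delete), by the client never sending the control, or succeeded. Assumptions, also marked in the code: the token after the timestamp ("2.1012254797", "16.130") is a connection.operation id shared by a REMOVE and its RESULT; control names inside controls="..." are space separated; a RESULT line without the word "error" is a success. The first three sample lines are the article's own; the remaining three are constructed to exercise the other cases.

```python
"""Triage CA Directory query-log lines for refused SiteMinder subtree deletes.

Added example (not from the Broadcom article, CA Directory or SiteMinder).
Assumed: the field after the timestamp is a connection.operation id that links
a REMOVE to its RESULT; controls="..." holds space-separated control names;
a RESULT line that does not contain "error" is a success.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

TREE_DELETE_OID = "1.2.840.113556.1.4.805"   # LDAP Tree Delete control sent by SiteMinder
NOT_ALLOWED_ON_NON_LEAF = 66                 # LDAP resultCode notAllowedOnNonLeaf

# [level] timestamp conn.op OPERATION rest-of-line
LINE_RE = re.compile(r'^\[(?P<level>\d+)\]\s+(?P<ts>\S+)\s+(?P<opid>\S+)\s+(?P<op>[A-Z]+)\s*(?P<rest>.*)$')
CONTROLS_RE = re.compile(r'controls="(?P<ctl>[^"]*)"')
# The DN itself contains quotes (smSessionId="..."), so stop only at a quote
# that is followed by the next attribute or the end of the line.
DN_RE = re.compile(r'dn="(?P<dn>.*?)"(?=\s+(?:controls=|source=|\()|\s*$)')
CODE_RE = re.compile(r'\((?P<code>\d+)\)\s*$')

# Sample input: lines 1-3 are the article's, lines 4-6 are constructed
# (the "RESULT ok" shape is assumed, not taken from a real DSA log).
SAMPLE_LOG = """\
[4] 20210219.031105.577 2.1012254797 REMOVE dn="smSessionId="RriOqOEzR9avuG4mXIKl6HHMR1o=",o=sessionstoredsa,c=us" controls="^tree-delete" (TLSv1.2) source="dsp[router-xxxxxxxxxxxxx]"
[4] 20210219.031105.578 2.1012254797 RESULT error update 3 notAllowedOnNonLeaf(66)
[2] 20210224.123244.354 16.130 REMOVE dn="smSessionId="F9kBPmQr1WfLcCrgDFfB7iYqjz4=",o=sessionstoredsa,c=us" source="client" controls="tree-delete"
[2] 20210224.123244.355 16.130 RESULT ok
[2] 20210224.123300.001 16.131 REMOVE dn="smSessionId="F9kBPmQr1WfLcCrgDFfB7iYqjz4=",o=sessionstoredsa,c=us" source="client"
[2] 20210224.123300.002 16.131 RESULT error update 3 notAllowedOnNonLeaf(66)
"""


@dataclass
class Remove:
    opid: str
    dn: str
    controls: List[str] = field(default_factory=list)
    result_code: Optional[int] = None   # None until a RESULT line is seen


def parse(lines) -> List[Remove]:
    """Collect REMOVE operations and attach the result code of their RESULT line."""
    removes, order = {}, []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        opid, op, rest = m["opid"], m["op"], m["rest"]
        if op == "REMOVE":
            dn = DN_RE.search(rest)
            ctl = CONTROLS_RE.search(rest)
            r = Remove(opid, dn["dn"] if dn else "", ctl["ctl"].split() if ctl else [])
            removes[opid] = r
            order.append(r)
        elif op == "RESULT" and opid in removes:
            code = CODE_RE.search(rest)
            removes[opid].result_code = int(code["code"]) if code else (None if "error" in rest else 0)
    return order


def diagnose(r: Remove) -> str:
    """Map one REMOVE/RESULT pair onto the article's use cases."""
    ignored = "^tree-delete" in r.controls        # control received but excluded by the DSA
    sent = "tree-delete" in r.controls or ignored  # client did attach OID 1.2.840.113556.1.4.805
    if ignored and r.result_code == NOT_ALLOWED_ON_NON_LEAF:
        return "EXCLUDED_CONTROL"    # use case 3: set excluded-controls = tree-delete is in effect
    if ignored:
        return "CONTROL_IGNORED"     # excluded, but the entry was a leaf or no RESULT seen
    if not sent and r.result_code == NOT_ALLOWED_ON_NON_LEAF:
        return "CONTROL_NOT_SENT"    # use case 1 against a non-leaf: client side problem, not the DSA
    if sent and r.result_code in (0, None):
        return "SUBTREE_DELETE_OK"   # use case 2
    return "OTHER"


def triage(lines) -> List[Tuple[str, str, str]]:
    return [(r.opid, r.dn, diagnose(r)) for r in parse(lines)]


def summarise(lines) -> str:
    verdicts = {v for _, _, v in triage(lines)}
    if "EXCLUDED_CONTROL" in verdicts:
        return ("tree-delete control arrives but is ignored: remove tree-delete from "
                "'set excluded-controls' in the DSA configuration")
    if "CONTROL_NOT_SENT" in verdicts:
        return "non-leaf delete failed and no tree-delete control was sent: check the LDAP client"
    return "no refused subtree deletes found"


if __name__ == "__main__":
    for opid, dn, verdict in triage(SAMPLE_LOG.splitlines()):
        print(f"{opid:>14}  {verdict:<18} {dn}")
    print(summarise(SAMPLE_LOG.splitlines()))
```

Run it against the real query log (with the LDAP controls advanced option enabled, otherwise the controls= attribute is never written and use cases 2 and 3 become indistinguishable from use case 1) and act only on EXCLUDED_CONTROL findings; CONTROL_NOT_SENT points at the client, not at the DSA configuration.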
By default (out of the box), most LDAP controls (for example vlv, spr, sss and tree-delete) are supported.
See:
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/directory/14-1/administrating/connecting-to-directory-using-ldap/ldap-controls.html
The "set excluded-controls = tree-delete" setting is optional.
It exists to stop an LDAP client from deleting an entire DIT (Directory Information Tree) branch in one operation. If an application such as the SiteMinder Policy Server must delete an entire branch (the session entry together with its leaf entries), tree-delete must not be listed in excluded-controls. Once the setting is removed, confirm in the query log that REMOVE lines show controls="tree-delete" rather than controls="^tree-delete" and that the RESULT lines no longer report notAllowedOnNonLeaf(66).