What do the following entries from the CA Directory server log mean?
[8] 20210823.224957.119 DIAG : SEARCH dn="ou=smsessiondb,o=ca" scope=one-level eis=4 filter=(&(objectClass=smSession)(&(smExpirationTime<=20210824024956Z)(!(smSessionStatus=66))(!(smSessionStatus=65)))) user="cn=<Username>,o=ca" Size limit exceeded
[28] 20210823.225004.936 DIAG : SEARCH dn="ou=smsessiondb,o=ca" scope=one-level eis=1 filter=(&(objectClass=smSession)(smSessionStatus=65)) user="cn=<Username>,o=ca" Size limit exceeded
Release : 12.8.03
Component : SITEMINDER -POLICY SERVER
These are the possible smSessionStatus values:
Sm_SS_Closed_No = 0 // Session is still active
Sm_SS_Closed_Unknown = 16 // Reason unknown. The session may already have been removed from the DB or was never there
Sm_SS_Closed_Logout = 64 // User logged out
Sm_SS_Closed_Expired = 65 // Session has expired
Sm_SS_Closed_IdleOut = 66 // Session has idle timed out
Sm_SS_Closed_Revoked = 67 // Session has been revoked
Sm_SS_Closed_Disabled = 68 // Admin disabled the user account
The interval from 20210823.224957 to 20210824.024956 is exactly 4 hours.
The first search by policy server:
The second search: the Policy Server tries to find any session that has already expired, and then attempts to remove them.
"Size limit exceeded" is returned because "max-op-size = 10000" is set in the DSA-side configuration, and the number of entries returned from the session store has exceeded that limit.
Please be aware that prior to Policy Server version 12.52 SP1 CR05, the Policy Server maintains the session store with the above two-pass process.
That is why you will see a search like filter=(&(objectClass=smSession)(&(smExpirationTime<=20210824024956Z)(!(smSessionStatus=66))(!(smSessionStatus=65)))) success 10000 entries
The old algorithm can potentially cause the session store size to grow exponentially, with session deletes not in sync with the rate of new sessions added to the session store.
Disable session store maintenance on any Policy Servers before version 12.52 SP1 CR5 (EOL February 28, 2019), as they are deficient at times in session cleanup performance.
Set MaintenancePeriod=0 under the HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\SessionServer registry key.
However, customers should still keep session store maintenance enabled on newer Policy Servers.
Newer Policy Server versions maintain the session store with the following improved process.
LDAP search examples:
filter=(&(objectClass=smSession)(smExpirationTime<=20210817144103Z)) success 100 entries
filter=(&(objectClass=smSession)(smIdleExpirationTime<=20210817144103Z)) success 100 entries
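To triage DIAG lines like the ones quoted above, the following added example (not part of the original article or of any CA/Broadcom tooling) parses session store SEARCH entries, decodes the smSessionStatus terms using the table above, and lists the searches cut off by the DSA size limit. The function names are hypothetical, and the third sample line is constructed on the assumption that a successful search uses the same line layout.

```python
import re

# smSessionStatus codes as listed in the article above
STATUS = {0: "active", 16: "closed (unknown)", 64: "logout", 65: "expired",
          66: "idle timeout", 67: "revoked", 68: "account disabled"}

# Line layout taken from the two DIAG entries quoted in the article
LINE_RE = re.compile(
    r'^\[\d+\] (?P<ts>\d{8}\.\d{6})\.\d{3} DIAG : SEARCH dn="(?P<dn>[^"]*)" '
    r'scope=(?P<scope>\S+) eis=\d+ filter=(?P<filter>\(.*\)) '
    r'user="[^"]*" (?P<result>.+)$')
# A status term, optionally wrapped in an LDAP NOT: (!(smSessionStatus=NN))
STATUS_RE = re.compile(r'(?P<neg>\(!)?\(smSessionStatus=(?P<code>\d+)\)')
COUNT_RE = re.compile(r'^success (\d+) entries$')


def parse_search(line):
    """Return a dict describing one session store SEARCH line, or None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status_terms"] = [
        ("NOT " if s.group("neg") else "")
        + STATUS.get(int(s.group("code")), "unlisted code")
        for s in STATUS_RE.finditer(rec["filter"])]
    rec["size_limit_hit"] = rec["result"] == "Size limit exceeded"
    count = COUNT_RE.match(rec["result"])
    rec["entries"] = int(count.group(1)) if count else None
    return rec


def size_limit_hits(lines):
    """Searches that were cut off by the DSA size limit (max-op-size)."""
    recs = (parse_search(line) for line in lines)
    return [r for r in recs if r and r["size_limit_hit"]]


# Lines 1-2 are quoted from the article; line 3 is constructed (assumed layout).
SAMPLE = [
    '[8] 20210823.224957.119 DIAG : SEARCH dn="ou=smsessiondb,o=ca" scope=one-level eis=4 filter=(&(objectClass=smSession)(&(smExpirationTime<=20210824024956Z)(!(smSessionStatus=66))(!(smSessionStatus=65)))) user="cn=<Username>,o=ca" Size limit exceeded',
    '[28] 20210823.225004.936 DIAG : SEARCH dn="ou=smsessiondb,o=ca" scope=one-level eis=1 filter=(&(objectClass=smSession)(smSessionStatus=65)) user="cn=<Username>,o=ca" Size limit exceeded',
    '[12] 20210817.104103.250 DIAG : SEARCH dn="ou=smsessiondb,o=ca" scope=one-level eis=2 filter=(&(objectClass=smSession)(smIdleExpirationTime<=20210817144103Z)) user="cn=<Username>,o=ca" success 100 entries',
]

if __name__ == "__main__":
    for rec in map(parse_search, SAMPLE):
        print(rec["ts"], rec["status_terms"], rec["result"])
```

A steady stream of size-limit hits on the smsessiondb searches indicates that maintenance passes are being truncated at the DSA limit rather than seeing every matching session.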