CA directory session store LDAP query explanation

Article ID: 222587

Products

SITEMINDER

Issue/Introduction

What is the meaning of the following entries in the CA Directory server log?

[8] 20210823.224957.119 DIAG : SEARCH dn="ou=smsessiondb,o=ca" scope=one-level eis=4 filter=(&(objectClass=smSession)(&(smExpirationTime<=20210824024956Z)(!(smSessionStatus=66))(!(smSessionStatus=65)))) user="cn=<Username>,o=ca" Size limit exceeded

[28] 20210823.225004.936 DIAG : SEARCH dn="ou=smsessiondb,o=ca" scope=one-level eis=1 filter=(&(objectClass=smSession)(smSessionStatus=65)) user="cn=<Username>,o=ca" Size limit exceeded

Environment

Release : 12.8.03

Component : SITEMINDER -POLICY SERVER

Cause

These are the possible smSessionStatus values:

Sm_SS_Closed_No       = 0    // Session is still active
Sm_SS_Closed_Unknown  = 16   // Reason unknown; the session may already have been removed from the DB, or never was there
Sm_SS_Closed_Logout   = 64   // User logged out
Sm_SS_Closed_Expired  = 65   // Session has expired
Sm_SS_Closed_IdleOut  = 66   // Session has timed out due to idleness
Sm_SS_Closed_Revoked  = 67   // Session has been revoked
Sm_SS_Closed_Disabled = 68   // Admin disabled the user account

Resolution

The interval from 20210823.224957 (the search time) to 20210824.024956 (the smExpirationTime cutoff in the filter) is exactly 4 hours.

The first search by the policy server:

  • Searches for expired/idle sessions that are not already marked for deletion as expired (smSessionStatus=65) or idled (smSessionStatus=66).
  • Modifies the smSessionStatus of each session entry in the results.

The second search: the policy server looks for any session that is already marked as expired (smSessionStatus=65), then attempts to remove those entries.

"Size limit exceeded" appears because "max-op-size = 10000" is set in the DSA configuration, and the number of entries returned from the session store exceeded that limit.

Please be aware that prior to policy server version 12.52 SP1 CR05, the policy server maintained the session store with the two-pass process described above.

That is why you will see searches like filter=(&(objectClass=smSession)(&(smExpirationTime<=20210824024956Z)(!(smSessionStatus=66))(!(smSessionStatus=65)))) success 10000 entries

The old algorithm can potentially cause the session store to grow exponentially, because session deletions fall out of sync with the rate at which new sessions are added to the session store.

Disable session store maintenance on any Policy Servers before version 12.52 SP1 CR5 (EOL February 28, 2019), as their session clean-up performance is at times deficient.

Set MaintenancePeriod=0 under the HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\SessionServer registry key.

However, customers should still keep session store maintenance enabled on newer policy servers.

Newer policy server versions maintain the session store with the following improved process:

  • Search for expired/idle sessions using an LDAP search control that limits the number of returned entries (100).
  • Remove the expired/idle sessions using an LDAP remove control that deletes an entire subtree, so that the session and its associated session variable/metadata subentries are removed together.
  • Perform the above steps to search for expired sessions, idle sessions, and expired session variables.

LDAP search examples:

filter=(&(objectClass=smSession)(smExpirationTime<=20210817144103Z)) success 100 entries 

filter=(&(objectClass=smSession)(smIdleExpirationTime<=20210817144103Z)) success 100 entries
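As an added example (not part of the original article), the following Python decodes DIAG SEARCH lines like the two quoted in the Issue section and the newer-style filters above: it extracts the cutoff timestamp and its distance from the search time, maps the smSessionStatus codes in the filter to the names in the Cause section, and flags maintenance searches that hit the DSA size limit. The third sample line, its op id and its timestamp are constructed for this example.

```python
import re
from datetime import datetime

# smSessionStatus values as listed in the article's Cause section.
SM_SESSION_STATUS = {0: "Sm_SS_Closed_No", 16: "Sm_SS_Closed_Unknown",
                     64: "Sm_SS_Closed_Logout", 65: "Sm_SS_Closed_Expired",
                     66: "Sm_SS_Closed_IdleOut", 67: "Sm_SS_Closed_Revoked",
                     68: "Sm_SS_Closed_Disabled"}

LINE_RE = re.compile(
    r'^\[(?P<op>\d+)\] (?P<ts>\d{8}\.\d{6})\.\d+ DIAG : SEARCH dn="(?P<dn>[^"]*)" '
    r'scope=(?P<scope>\S+) eis=(?P<eis>\d+) filter=(?P<filter>\S+) '
    r'user="(?P<user>[^"]*)" (?P<result>.+)$')

def parse_search_line(line):
    """Decode one CA Directory DIAG SEARCH line; returns None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["time"] = datetime.strptime(d["ts"], "%Y%m%d.%H%M%S")
    # Cutoff in the filter (e.g. smExpirationTime<=20210824024956Z) and how far
    # ahead of the search time it lies: the 4-hour window the article computes.
    cut = re.search(r"sm(?:Idle)?ExpirationTime<=(\d{14})Z", d["filter"])
    d["cutoff"] = datetime.strptime(cut.group(1), "%Y%m%d%H%M%S") if cut else None
    d["lookahead_hours"] = (round((d["cutoff"] - d["time"]).total_seconds() / 3600, 2)
                            if cut else None)
    # Status codes the filter excludes, (!(smSessionStatus=N)), versus matches.
    excl = re.findall(r"\(!\(smSessionStatus=(\d+)\)\)", d["filter"])
    match = re.findall(r"(?<!\(!)\(smSessionStatus=(\d+)\)", d["filter"])
    d["excluded_status"] = [SM_SESSION_STATUS.get(int(c), f"unknown({c})") for c in excl]
    d["matched_status"] = [SM_SESSION_STATUS.get(int(c), f"unknown({c})") for c in match]
    # Outcome: "Size limit exceeded" (DSA max-op-size hit) or "success N entries".
    ok = re.match(r"success (\d+) entries", d["result"])
    d["entries"] = int(ok.group(1)) if ok else None
    d["size_limit_hit"] = d["result"].startswith("Size limit exceeded")
    return d

def maintenance_ops_hitting_limit(lines):
    """Op ids of session-store maintenance searches that hit the DSA size limit."""
    return [d["op"] for d in map(parse_search_line, lines)
            if d and d["dn"] == "ou=smsessiondb,o=ca" and d["size_limit_hit"]]

# The two lines quoted in the article, plus a constructed line in the newer
# (control-limited) style whose op id and timestamp are made up for this example.
SAMPLE_LINES = [
    '[8] 20210823.224957.119 DIAG : SEARCH dn="ou=smsessiondb,o=ca" scope=one-level eis=4 filter=(&(objectClass=smSession)(&(smExpirationTime<=20210824024956Z)(!(smSessionStatus=66))(!(smSessionStatus=65)))) user="cn=<Username>,o=ca" Size limit exceeded',
    '[28] 20210823.225004.936 DIAG : SEARCH dn="ou=smsessiondb,o=ca" scope=one-level eis=1 filter=(&(objectClass=smSession)(smSessionStatus=65)) user="cn=<Username>,o=ca" Size limit exceeded',
    '[31] 20210817.104104.501 DIAG : SEARCH dn="ou=smsessiondb,o=ca" scope=one-level eis=1 filter=(&(objectClass=smSession)(smIdleExpirationTime<=20210817144103Z)) user="cn=<Username>,o=ca" success 100 entries',
]
```

Running maintenance_ops_hitting_limit over a DIAG log is a quick way to confirm whether the old two-pass clean-up is still in use and hitting max-op-size.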