Instances of the Clean Up Expired PingFederate Persistent Access Grants Plugin use a dedicated background thread within the Directory Server to periodically search for and then delete expired PingFederate OAuth persistent access grants.
It is recommended to configure this plugin to run on multiple servers to ensure that grants are deleted even if one server is offline. Besides being highly available, this plugin is typically preferred over allowing PingFederate to delete the access grants itself because it avoids bursts of entry deletions, which could impact operation response times for direct client traffic. To disable PingFederate's automatic grant cleanup process, refer to "Manage expired OAuth persistent grants" in the PingFederate documentation.
This plugin exposes an entry under "cn=Purge Expired Data Plugin: {PLUGIN NAME},cn=monitor" with an objectclass of ds-purge-expired-data-plugin-monitor-entry.
The Clean Up Expired PingFederate Persistent Access Grants Plugin component inherits from the Purge Expired Data Plugin.
The properties supported by this managed object are as follows:
Basic Properties: | Advanced Properties: |
---|---|
enabled | polling-interval |
base-dn | peer-server-priority-index |
max-updates-per-second | |
num-delete-threads | |
enabled
Description | Indicates whether the plug-in is enabled for use. |
Default Value | None |
Allowed Values | true, false |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
base-dn
Description | Only entries located within the subtree specified by this base DN are eligible for purging. In servers configured with multiple Local DB Backends and only one backend with data that should be purged, this property can be set to reduce what data is searched. This can make the plugin execute more efficiently, and it reduces the indexing requirements in the other backends. |
Default Value | Entries in all Local DB Backends are eligible for purging. |
Allowed Values | A valid DN. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
max-updates-per-second
Description | This setting smooths out the performance impact on the server by throttling the purging to the specified maximum number of updates per second. To avoid a large backlog, this value should be set comfortably above the average rate that expired data is generated. When purge-behavior is set to subtree-delete-entries, then deletion of the entire subtree is considered a single update for the purposes of throttling. |
Default Value | 100 |
Allowed Values | An integer value. Lower limit is 1. |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
num-delete-threads
Description | The number of threads used to delete expired entries. By default, expired entries will be deleted in a single thread, and this is the recommended configuration for most deployments. However, multiple threads may be needed if expired entries accumulate faster than a single thread can delete them. |
Default Value | 1 |
Allowed Values | An integer value. Lower limit is 1. |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
polling-interval (Advanced Property)
Description | This specifies how often the plugin should check for expired data. It also controls the offset of peer servers (see the peer-server-priority-index for more information). When the filter property is configured so that only certain entries are purged, then the search to find expired data might be expensive because many entries might match the datetime-attribute (e.g., createTimestamp) portion of the search filter. In this situation, configuring a larger polling interval here can reduce the overall impact on the server. |
Default Value | 5m |
Allowed Values | A duration. Lower limit is 1000 milliseconds. |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
peer-server-priority-index (Advanced Property)
Description | In a replicated environment, this determines the order in which peer servers should attempt to purge data. In replicated environments, this plugin should be configured on multiple servers to provide a highly-available configuration. That is, if one server is offline, then the data will still be purged by another server. However, having multiple servers purging data at the same time leads to increased replication overhead and warnings about missing entries that could not be deleted. To avoid concurrent purging, the plugins will automatically determine their relative order based on their replication server IDs. A server with a higher priority index will wait at least one polling-interval more than a server with a lower priority index before attempting to purge data, giving the other server a chance to delete data first. However, the relative priority of servers can be controlled by setting this property. Setting the value to 1 will cause the instance of this plugin running on the local server to wait one additional polling-interval before attempting to purge data, setting it to 2 will cause it to wait two additional polling-intervals, etc. Unique values should be chosen for all servers, but this is not enforced. |
Default Value | Peer servers will automatically determine their relative priority. |
Allowed Values | An integer value. Lower limit is 0. Upper limit is 1000. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
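The staggering and throttling rules described for peer-server-priority-index, polling-interval and max-updates-per-second can be checked across a replicated fleet before the plugin is enabled. The following Python lint is an added example, not part of the product or its documentation. The function names, the dictionary layout, the duration parser (a subset of units), the `headroom` factor and the sample values are all assumptions; it covers only servers with an explicitly set priority index.

```python
from collections import Counter

UNITS_MS = {"ms": 1, "s": 1000, "m": 60_000, "h": 3_600_000, "d": 86_400_000}

def duration_ms(text):
    """Parse '5m' or '1000ms' into milliseconds (assumed subset of duration syntax)."""
    for suffix in ("ms", "s", "m", "h", "d"):  # "ms" must be tried before "s"
        number = text[: -len(suffix)].strip()
        if text.endswith(suffix) and number.isdigit():
            return int(number) * UNITS_MS[suffix]
    raise ValueError(f"unsupported duration: {text!r}")

def lint_fleet(servers, expired_per_second, headroom=1.5):
    """Return (findings, extra_wait_ms) for servers with explicit priority indexes."""
    findings = []
    counts = Counter(s["peer-server-priority-index"] for s in servers)
    for index, n in sorted(counts.items()):
        if n > 1:  # uniqueness is recommended but not enforced by the server
            findings.append(f"priority index {index} shared by {n} servers")
    extra_wait_ms = {}
    for s in servers:
        name, index = s["name"], s["peer-server-priority-index"]
        interval = duration_ms(s["polling-interval"])
        if not 0 <= index <= 1000:
            findings.append(f"{name}: priority index {index} outside 0..1000")
        if interval < 1000:
            findings.append(f"{name}: polling-interval below 1000 ms")
        # headroom is an assumed reading of "comfortably above" the expiry rate
        if s["max-updates-per-second"] < expired_per_second * headroom:
            findings.append(f"{name}: max-updates-per-second too close to expiry rate")
        # documented rule: index N waits N additional polling intervals
        extra_wait_ms[name] = index * interval
    return findings, extra_wait_ms

FLEET = [  # constructed sample values, not taken from any real deployment
    {"name": "ds1", "polling-interval": "5m", "peer-server-priority-index": 0, "max-updates-per-second": 100},
    {"name": "ds2", "polling-interval": "5m", "peer-server-priority-index": 1, "max-updates-per-second": 100},
    {"name": "ds3", "polling-interval": "5m", "peer-server-priority-index": 1, "max-updates-per-second": 20},
]

if __name__ == "__main__":
    findings, extra = lint_fleet(FLEET, expired_per_second=25)
    for line in findings:
        print("WARN", line)
    print(extra)
```

The extra wait is a lower bound on how much longer expired grants remain in the directory when only that server is left to purge them, since the documentation states that a server waits "at least" the stated number of polling intervals.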
To list the configured Plugins:
dsconfig list-plugins [--property {propertyName}] ...
To view the configuration for an existing Plugin:
dsconfig get-plugin-prop --plugin-name {name} [--tab-delimited] [--script-friendly] [--property {propertyName}] ...
To update the configuration for an existing Plugin:
dsconfig set-plugin-prop --plugin-name {name} (--set|--add|--remove) {propertyName}:{propertyValue} [(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To create a new Clean Up Expired PingFederate Persistent Access Grants Plugin:
dsconfig create-plugin --plugin-name {name} --type {type} --set enabled:{propertyValue} [--set {propertyName}:{propertyValue}] ...
To delete an existing Plugin:
dsconfig delete-plugin --plugin-name {name}