Clean Up Expired PingFederate Persistent Sessions Plugin

Instances of the Clean Up Expired PingFederate Persistent Sessions Plugin use a dedicated background thread within the Directory Server to periodically search for and then delete expired PingFederate persistent session data. A similar plugin, Clean Up Inactive PingFederate Persistent Sessions Plugin, can be created to delete persistent sessions that have been inactive for a long time.

To allow efficient searches for expired sessions, a Local DB Index must be created with an index-type of 'ordering' for the pf-authn-session-group-expiry-time attribute. Alternatively, a Local DB Composite Index can be created with an index-filter-pattern of '(pf-authn-session-group-expiry-time=?)'.

It is recommended to configure this plugin to run on multiple servers to ensure that expired sessions are deleted even if one server is offline.

This plugin exposes an entry under "cn=Purge Expired Data Plugin: {PLUGIN NAME},cn=monitor" with an objectclass of ds-purge-expired-data-plugin-monitor-entry.


Parent Component

The Clean Up Expired PingFederate Persistent Sessions Plugin component inherits from the Purge Expired Data Plugin.

Properties

The properties supported by this managed object are as follows:


Basic Properties:
 enabled
 base-dn
 max-updates-per-second
 num-delete-threads

Advanced Properties:
 polling-interval
 peer-server-priority-index

Basic Properties

enabled

Description
Indicates whether the plug-in is enabled for use.
Default Value
None
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

base-dn

Description
Only entries located within the subtree specified by this base DN are eligible for purging. In servers configured with multiple Local DB Backends and only one backend with data that should be purged, this property can be set to reduce what data is searched. This can make the plugin execute more efficiently, and it reduces the indexing requirements in the other backends.
Default Value
Entries in all Local DB Backends are eligible for purging.
Allowed Values
A valid DN.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

max-updates-per-second

Description
This setting smooths out the performance impact on the server by throttling the purging to the specified maximum number of updates per second. To avoid a large backlog, this value should be set comfortably above the average rate that expired data is generated. When purge-behavior is set to subtree-delete-entries, then deletion of the entire subtree is considered a single update for the purposes of throttling.
Default Value
100
Allowed Values
An integer value. Lower limit is 1.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

num-delete-threads

Description
The number of threads used to delete expired entries. By default, expired entries will be deleted in a single thread, and this is the recommended configuration for most deployments. However, multiple threads may be needed if expired entries accumulate faster than a single thread can delete them.
Default Value
1
Allowed Values
An integer value. Lower limit is 1.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action


Advanced Properties

polling-interval (Advanced Property)

Description
This specifies how often the plugin should check for expired data. It also controls the offset of peer servers (see the peer-server-priority-index property for more information). When the filter property is configured so that only certain entries are purged, the search to find expired data might be expensive because many entries might match the datetime-attribute (e.g., createTimestamp) portion of the search filter. In this situation, configuring a larger polling interval here can reduce the overall impact on the server.
Default Value
5m
Allowed Values
A duration. Lower limit is 1000 milliseconds.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

peer-server-priority-index (Advanced Property)

Description
In a replicated environment, this determines the order in which peer servers should attempt to purge data. In replicated environments, this plugin should be configured on multiple servers to provide a highly-available configuration. That is, if one server is offline, then the data will still be purged by another server. However, having multiple servers purging data at the same time leads to increased replication overhead and warnings about missing entries that could not be deleted.

To avoid concurrent purging, the plugins will automatically determine their relative order based on their replication server IDs. A server with a higher priority index will wait at least one polling-interval more than a server with a lower priority index before attempting to purge data, giving the other server a chance to delete data first. However, the relative priority of servers can be controlled by setting this property. Setting the value to 1 will cause the instance of this plugin running on the local server to wait one additional polling-interval before attempting to purge data, setting it to 2 will cause it to wait two additional polling-intervals, etc. Unique values should be chosen for all servers, but this is not enforced.

Default Value
Peer servers will automatically determine their relative priority.
Allowed Values
An integer value. Lower limit is 0. Upper limit is 1000.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action
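
The staggering described for peer-server-priority-index, as an added example that is not part of the original page or the product's code: a simplified Python model showing which server purges first when one is offline, and what happens when two servers share an index. It assumes a server with index i waits exactly i additional polling intervals; the server names and fleet are constructed.

```python
from collections import Counter
from dataclasses import dataclass

POLLING_INTERVAL_S = 5 * 60  # page default for polling-interval (5m)


@dataclass(frozen=True)
class Server:
    name: str              # constructed sample name
    priority_index: int    # peer-server-priority-index, allowed 0..1000
    online: bool = True


def shared_indexes(servers):
    """Map each index used by more than one server to those servers' names.

    The page notes uniqueness is recommended but not enforced, so check it here.
    """
    for s in servers:
        if not 0 <= s.priority_index <= 1000:
            raise ValueError(f"{s.name}: index {s.priority_index} outside 0..1000")
    counts = Counter(s.priority_index for s in servers)
    return {i: sorted(s.name for s in servers if s.priority_index == i)
            for i, n in counts.items() if n > 1}


def first_purgers(servers, polling_interval_s=POLLING_INTERVAL_S):
    """Return (names, extra_wait_s) for the online server(s) that purge first.

    Assumption (simplified model): index i means i additional polling intervals.
    More than one name means those servers purge concurrently.
    """
    online = [s for s in servers if s.online]
    if not online:
        return [], None  # nobody purges; expired sessions accumulate
    lowest = min(s.priority_index for s in online)
    names = sorted(s.name for s in online if s.priority_index == lowest)
    return names, lowest * polling_interval_s


if __name__ == "__main__":
    # Constructed fleet: ds1 is offline, ds2 and ds3 were given the same index.
    fleet = [Server("ds1", 0, online=False), Server("ds2", 1), Server("ds3", 1)]
    print("shared indexes:", shared_indexes(fleet))
    print("first purgers:", first_purgers(fleet))
```

A shared index only shows up as concurrent purging once every lower-index server is offline, which is why the uniqueness check is worth running against the planned values before a failover happens.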


dsconfig Usage

To list the configured Plugins:

dsconfig list-plugins
     [--property {propertyName}] ...

To view the configuration for an existing Plugin:

dsconfig get-plugin-prop
     --plugin-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Plugin:

dsconfig set-plugin-prop
     --plugin-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new Clean Up Expired PingFederate Persistent Sessions Plugin:

dsconfig create-plugin
     --plugin-name {name}
     --type {type}
     --set enabled:{propertyValue}
     [--set {propertyName}:{propertyValue}] ...

To delete an existing Plugin:

dsconfig delete-plugin
     --plugin-name {name}