Hi Aditi,
This setting will not impact idle/max session timeout on SiteMinder.
Ok, let's go back a little bit into the internals.
User Store
The Policy Server creates three connections to a given LDAP directory: Ping, User and Search. Each connection is independent of the others.
- The 'ping' thread runs periodically, and issues a command via its LDAP directory connection to test for connectivity.
- The 'bind' (or 'user') connection performs the authentication requests.
- The 'select' (or 'search') connection performs LDAP searches and other long running commands.
| Connection | Purpose | When created |
|---|---|---|
| Ping | Check availability of servers | For each server in a fail-over group upon first request |
| User | User authentication | When either there is no user connection to a selected server from the current fail-over group or the current user connection had to be re-initialized |
| Search | Searches and updates | When either there is no user connection to a selected server from the current fail-over group or the current user connection had to be re-initialized |
When there is no activity on either the user or search connections, the connections may time out. Such timeouts, also called idle timeouts, may happen for several reasons, such as:
- The LDAP server has the idle timeout option configured. In this case the server will close all connections that haven't been active for the duration of the timeout. (This is the issue we are trying to address here by setting the idle timeout setting on the CA Directory side.)
- There is a stateful firewall between the policy server and the LDAP server.
Due to periodic activity on a ping connection, a ping connection will not time out (assuming that the idle timeout is less than 30 seconds). The next request will go against the user and search connections that have timed out. The request will return with a network error, causing re-initialization of the connections.
Session Store
In the case of the session store, a connection pool is maintained. Whenever needed, a worker thread will grab a connection from this pool and make the necessary change in the session store.
For the same reason as the user store, these connections could also idle out, and the same idle timeout configuration on the LDAP side will help avoid this condition as well.
Please let me know if you have any further questions.
Cheers,
Ujwol