Samuel_Rydén
Aug 21, 2023

Session size garbage after an AD query, can I remove them?

Hello community,

I'm using our BigIP as an IDP and we have about 20 federations to date. They all share the same VP and iRule.
One of the federations needs to know, if somebody logs in and they are a manager, how many employees they have.
I have found that this generates a lot of session variables, and I worry that I will exhaust the cache.
So I wonder if there is any way to discard these session variables or mark them as garbage or something, because while it might be okay with these leftovers for managers with five employees, it's not okay for managers with five hundred!
I'm curious if there is any way to discard these variables and exclude them from the session.

This is what I do:
I use the following LDAP filter to get all enabled users that have them in the manager attribute:

(&(manager=CN=%{session.logon.last.username},OU=Users,OU=Organization,DC=Corp,DC=net)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
The filter works fine.
To not make the query too expensive, I tried limiting the query to only the "c" attribute (country), which contains two letters only. However, dn is included and I can't change that, so I removed the "c" attribute.

This generates session output like this:
9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn CN=Tobias Anderson,OU=Users,OU=Organization,DC=Corp,DC=net
9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn.1 CN=Philippe Hudson,OU=Users,OU=Organization,DC=Corp,DC=net
9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn.2 CN=Jonas Gabriel,OU=Users,OU=Organization,DC=Corp,DC=net
9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn.3 CN=Ted Miles,OU=Users,OU=Organization,DC=Corp,DC=net
9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn.4 CN=Lars Hedin,OU=Users,OU=Organization,DC=Corp,DC=net
9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn.5 CN=Tomas Jeffrey,OU=Users,OU=Organization,DC=Corp,DC=net
...

Now, I only care about how many employees they have, not who they are.
As it stands now, we'll be populating a custom attribute in AD with this information instead, but I'm curious because we might end up with similar applications in the near future that may produce unwanted variables.
Surely there must be some garbage collection functions or unset functions to tidy up our sessions?

How would you guys implement this?
Any ideas?
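To put a number on the concern above, here is an added example (not part of the original post or of any F5 configuration) that parses a session-variable dump in the format quoted above, counts the multi-valued attr.dn entries per AD query agent, and extrapolates the bytes a manager with a given number of direct reports would leave in the session. The dump, agent name and DNs are constructed sample data in the same shape as the post's output.

```python
import re
from collections import defaultdict

# Constructed sample dump: same layout as the post's output
# ("<sid>.session.ad.<agent>.attr.<name>[.N] <value>"); names are made up.
SAMPLE_DUMP = """\
9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn CN=Tobias Anderson,OU=Users,OU=Organization,DC=Corp,DC=net
9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn.1 CN=Philippe Hudson,OU=Users,OU=Organization,DC=Corp,DC=net
9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn.2 CN=Jonas Gabriel,OU=Users,OU=Organization,DC=Corp,DC=net
9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn.3 CN=Ted Miles,OU=Users,OU=Organization,DC=Corp,DC=net
9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn.4 CN=Lars Hedin,OU=Users,OU=Organization,DC=Corp,DC=net
"""

LINE_RE = re.compile(
    r"^(?P<sid>[0-9a-f]+)\.session\.ad\."    # session id and the "session.ad." prefix
    r"(?P<agent>\S+?)\.attr\."               # VPE agent name, e.g. /Common/..._ag
    r"(?P<attr>[^.\s]+)(?:\.(?P<idx>\d+))?"  # attribute, optional multi-value index
    r"\s+(?P<value>.*)$"                     # everything after the separator is the value
)

def parse_dump(text):
    """Yield (sid, agent, attr, idx, name, value); lines that don't match (e.g. '...') are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        idx = int(m["idx"]) if m["idx"] is not None else 0
        name = line[: m.start("value")].rstrip()  # variable name without the value
        yield m["sid"], m["agent"], m["attr"], idx, name, m["value"]

def summarize(text):
    """Per (sid, agent, attr): how many values were stored and the bytes held in names plus values."""
    out = defaultdict(lambda: {"values": 0, "bytes": 0})
    for sid, agent, attr, _idx, name, value in parse_dump(text):
        out[(sid, agent, attr)]["values"] += 1
        out[(sid, agent, attr)]["bytes"] += len(name) + len(value)
    return dict(out)

def projected_bytes(entry, employees):
    """Extrapolate session storage for a manager with `employees` direct reports from the per-value average."""
    per_value = entry["bytes"] / entry["values"]
    return int(round(per_value * employees))

if __name__ == "__main__":
    for (sid, agent, attr), entry in summarize(SAMPLE_DUMP).items():
        print(f"{sid} {agent} {attr}: {entry['values']} values, {entry['bytes']} bytes")
        print(f"  projected for 500 reports: {projected_bytes(entry, 500)} bytes")
```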