Session size garbage after an AD query, can I remove them?

Question

Hello community,I'm using our BigIP as an IDP and we have about 20 federations to date. They all share the same VP and iRule.One of the federations need to know, if somebody logs in and they are a manager, how many employees do they have.I have found that this generate&nbsp;a lot of session variables, and I worry that I will exhaust the cache.So I wonder if there is any way to discard these session variables or mark them as garbage or&nbsp;something, because while it might be okay with these leftovers for managers with five employees, it's not okay for managers with five hundred!I'm curious if there is any way to discard these variables to exclude from the session?This is what I do:I use the following LDAP filter to get all enabled users that has them in the manager attribute:(&amp;(manager=CN=%{session.logon.last.username},OU=Users,OU=Organization,DC=Corp,DC=net)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))The filter works fine.To not make the query too expensive, I tried limiting the query to only the "c" attribute (country), which contains two letters only. However, dn is included and I can't change that, so I removed the "c" attribute.This generates session output like this:9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn CN=Tobias Anderson,OU=Users,OU=Organization,DC=Corp,DC=net9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn.1 CN=Philippe Hudson,OU=Users,OU=Organization,DC=Corp,DC=net9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn.2 CN=Jonas Gabriel,OU=Users,OU=Organization,DC=Corp,DC=net9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn.3 CN=Ted Miles,OU=Users,OU=Organization,DC=Corp,DC=net9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn.4 CN=Lars Hedin,OU=Users,OU=Organization,DC=Corp,DC=net9543782a.session.ad./Common/ad_query_employees_act_active_directory_query_ag.attr.dn.5 CN=Tomas Jeffrey,OU=Users,OU=Organization,DC=Corp,DC=net...Now, I only care about how many employees they have, not who they are.As it stands now, we'll be populating a custom attribute in AD with this information instead, but I'm curious because we might end up with similar applications in the near future that may produce unwanted variables.Surely there must be some garbage collection functions or unset functions to tidy up our sessions?How would you guys implement this?Any ideas?

momahdy · Answer

Hi Samuel, I think the easiest option would be to have it populated in AD and use query to get the AD variable. There's a way to unset session variables, but it may require a lot of customization to match your case, discussed here https://community.f5.com/t5/technical-forum/how-to-delete-apm-session-variable-from-another-session/m-p/250353
&nbsp;

Forum Discussion

Session size garbage after an AD query, can I remove them?

1 Reply

Recent Discussions

RECOVER ALL YOUR LOST CRYPTOCURRENCY WITH THE HELP OF CAPTAIN WEBGENESIS.

security patch release

VPN fragmented IP packets dropped

minimum tmos software version for connect CIS (openshift)

redirect not working

Related Content

Pool downtime query

iRule Processing query

iRuleLX Solution for OAUTH JWT authenticated Salesforce Query

BIG IP DNS - Queries Per Second

BIG-IP Advanced Firewall Manager (AFM) DNS NXDOMAIN Query Attack Type Walkthrough - part two