PingDirectory

Working with the Purge Expired Data plugin

Use the Purge Expired Data plugin to delete expired entries or attribute values and to clean up expired PingFederate Persistent Access Grants.

When the plugin is enabled, a background thread in the plugin periodically searches for and purges expired data. For optimal performance, enable the Purge Expired Data plugin on multiple servers in the topology. For example, you can configure one server to delete data while the others only search for expired data.

Create and configure the Purge Expired Data plugin with the dsconfig tool. Configuration options include the base distinguished name (DN) and filter that select candidate entries, what to purge (whole entries or individual attribute values), the attribute and date format used to identify expired data, and how often to poll for and purge expired data. The attribute used to determine expiration must have an ordering index, so that the plugin's search for expired data is not an unindexed search. An alarm is raised if the server purging data cannot keep up with the rate at which data expires while honoring the configured max-updates-per-second. Monitoring information is available in the Admin Console or under cn=monitor.

Configuring the Purge Expired Data plugin for expired entries

About this task

Use the Purge Expired Data plugin to delete all unverified account entries that have not been accessed in the past eight weeks. This is useful for the following scenarios:

  • Accounts that potential customers started to create through an application’s registration process but then did not complete.

  • The phone number or email address that was provided during registration was not verified and should be allowed to be used by another account.

Steps

  1. If necessary, enable the Last Access Time plugin:

    The server can track the last access time automatically in the ds-last-access-time attribute by enabling the Last Access Time plugin.

    Example:

    $ bin/dsconfig set-plugin-prop \
      --plugin-name "Last Access Time" \
      --set enabled:true
  2. Create an ordering index on the date attribute that determines expiration.

    The Purge Expired Data plugin requires the date attribute that is used to determine expiration to be indexed for ordering.

    Example:

    $ bin/dsconfig create-local-db-index \
      --backend-name userRoot \
      --index-name ds-last-access-time \
      --set index-type:ordering
  3. If there is data present in the directory, rebuild the index.

    Example:

    $ bin/rebuild-index \
      --baseDN dc=example,dc=com \
      --index ds-last-access-time
  4. Create the plugin that purges account entries (objectClass=account) that are not verified.

    Example:

    The following example purges account entries with verified=false after eight weeks of inactivity.

    $ bin/dsconfig create-plugin \
      --plugin-name "Purge Old Unvalidated Accounts" \
      --type purge-expired-data \
      --set enabled:true \
      --set datetime-attribute:ds-last-access-time \
      --set "expiration-offset:8 w" \
      --set "filter:(&(objectClass=account)(verified=false))"
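
Because this plugin deletes entries outright, confirm what the configured filter and offset would match before enabling it. The following script is an added example for this guide, not PingDirectory code: it composes the expiration condition the plugin applies (the configured filter ANDed with datetime-attribute <= now minus expiration-offset, expressed in LDAP generalized time) into a filter you can hand to ldapsearch, and applies the same condition to constructed sample entries. The sample entries, their DNs and the matches_filter predicate are assumptions for illustration only.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample entries (not real directory data). Only the attributes
# the example filter and datetime-attribute look at are included.
SAMPLE_ENTRIES = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com", "objectClass": ["top", "account"],
     "verified": "false", "ds-last-access-time": "20180201120000.000Z"},
    {"dn": "uid=bob,ou=people,dc=example,dc=com", "objectClass": ["top", "account"],
     "verified": "true", "ds-last-access-time": "20180201120000.000Z"},
    {"dn": "uid=carol,ou=people,dc=example,dc=com", "objectClass": ["top", "account"],
     "verified": "false", "ds-last-access-time": "20180330090000.000Z"},
    # Never accessed since the Last Access Time plugin was enabled: no attribute at all.
    {"dn": "uid=dave,ou=people,dc=example,dc=com", "objectClass": ["top", "account"],
     "verified": "false"},
]

_GENERALIZED_TIME = re.compile(r"(\d{14})(?:\.(\d{1,3}))?Z")


def parse_generalized_time(value):
    """Parse LDAP GeneralizedTime in the form YYYYMMDDhhmmss[.fff]Z into an aware datetime."""
    m = _GENERALIZED_TIME.fullmatch(value)
    if not m:
        raise ValueError(f"not a generalized time: {value!r}")
    dt = datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    if m.group(2):
        dt += timedelta(milliseconds=int(m.group(2).ljust(3, "0")))
    return dt


def to_generalized_time(dt):
    """Render an aware datetime as YYYYMMDDhhmmss.fffZ (UTC)."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y%m%d%H%M%S") + f".{dt.microsecond // 1000:03d}Z"


def parse_offset(spec):
    """Parse an expiration-offset such as '8 w' or '1 d' into a timedelta."""
    m = re.fullmatch(r"(\d+)\s*([smhdw])", spec.strip())
    if not m:
        raise ValueError(f"unsupported offset: {spec!r}")
    unit_seconds = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}[m.group(2)]
    return timedelta(seconds=int(m.group(1)) * unit_seconds)


def expiration_cutoff(now_generalized_time, offset_spec):
    """Anything whose datetime attribute is at or before this instant has expired."""
    return parse_generalized_time(now_generalized_time) - parse_offset(offset_spec)


def dry_run_filter(base_filter, datetime_attribute, cutoff):
    """The search the plugin's condition amounts to: base filter AND attribute <= cutoff."""
    return f"(&{base_filter}({datetime_attribute}<={to_generalized_time(cutoff)}))"


def matches_filter(entry):
    # Hypothetical predicate standing in for (&(objectClass=account)(verified=false)).
    classes = {c.lower() for c in entry.get("objectClass", [])}
    return "account" in classes and entry.get("verified", "").lower() == "false"


def would_purge(entry, datetime_attribute, cutoff):
    raw = entry.get(datetime_attribute)
    if raw is None:
        return False  # a <= assertion never matches an entry that lacks the attribute
    return matches_filter(entry) and parse_generalized_time(raw) <= cutoff


def purge_candidates(entries, datetime_attribute, cutoff):
    return [e["dn"] for e in entries if would_purge(e, datetime_attribute, cutoff)]


if __name__ == "__main__":
    now = "20180331131015.000Z"  # fixed instead of the real clock, for reproducibility
    cutoff = expiration_cutoff(now, "8 w")
    print(dry_run_filter("(&(objectClass=account)(verified=false))", "ds-last-access-time", cutoff))
    print(purge_candidates(SAMPLE_ENTRIES, "ds-last-access-time", cutoff))
```

Pass the printed filter to bin/ldapsearch under the plugin's base DN, requesting only 1.1 (no attributes), to count the entries that would be removed. Note the fourth sample entry: an ordering assertion never matches an entry that has no ds-last-access-time value, so accounts that were created before the Last Access Time plugin was enabled and never accessed afterwards are not selected by this configuration.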

Configuring the Purge Expired Data plugin for expired attribute values

About this task

Use the Purge Expired Data plugin to delete values of an attribute that have expired. For example, an application can track information about an employee's session and then expire the session after 24 hours. Multiple active sessions across different devices can be tracked as separate values of one attribute, each holding session information like the following example.

In this example, the LDAP attribute is sessioninfo and the JSON field that stores the timestamp is creationTime. These are used to configure the Purge Expired Data plugin.

sessionInfo: {"sessionId": "E85FAC04E331FFCA55549B10B7C7A4FA",
  "ipAddress": "10.0.0.00",
  "userAgent": "Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B367 Safari/531.21.10",
  "creationTime": "2018-03-31T13:10:15Z"}

Create the plugin so that it purges the expired JSON attribute values after 24 hours, rather than deleting the entire session entry.

Steps

  1. Define JSON attribute constraints for the sessioninfo attribute, then index its creationTime field.

    Example:

    $ bin/dsconfig create-json-attribute-constraints \
      --attribute-type sessioninfo \
      --set enabled:true

    Example:

    $ bin/dsconfig create-json-field-constraints \
      --attribute-type sessioninfo \
      --json-field creationTime \
      --set index-values:true \
      --set value-type:string
  2. Create and enable the plugin.

    Example:

    $ bin/dsconfig create-plugin \
      --plugin-name "Purge Old Session Data Plugin" \
      --type purge-expired-data \
      --set enabled:true \
      --set "custom-datetime-format:yyyy-MM-dd'T'HH:mm:ss'Z'" \
      --set datetime-attribute:sessioninfo \
      --set datetime-format:custom \
      --set datetime-json-field:creationTime \
      --set "expiration-offset:1 d" \
      --set purge-behavior:delete-json-attribute-values
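
To make concrete what purge-behavior:delete-json-attribute-values does compared with deleting the whole entry, here is an added Python example for this guide (not PingDirectory code): it applies the same rule to constructed sessionInfo values, parsing each value's creationTime with the Python equivalent of the custom pattern yyyy-MM-dd'T'HH:mm:ss'Z', collecting the values older than the 1 d offset, and rendering the LDIF modify that removes only those values while the entry and its live sessions stay intact. Values whose creationTime is missing or unparsable are kept rather than deleted; that is this example's conservative choice, not a statement about the plugin's own handling. The DN, session IDs and addresses are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Python strptime equivalent of the Java-style custom-datetime-format
# yyyy-MM-dd'T'HH:mm:ss'Z' configured on the plugin.
CUSTOM_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample entry (not real data): one user with several sessionInfo values.
SAMPLE_DN = "uid=jdoe,ou=people,dc=example,dc=com"
SAMPLE_SESSIONS = [
    json.dumps({"sessionId": "E85FAC04E331FFCA55549B10B7C7A4FA", "ipAddress": "10.0.0.10",
                "userAgent": "Mozilla/5.0 (iPad)", "creationTime": "2018-03-31T13:10:15Z"}),
    json.dumps({"sessionId": "3B2F0C9D4A7E4F1A8C6D5E2B1F0A9C8D", "ipAddress": "10.0.0.11",
                "userAgent": "Mozilla/5.0 (Windows NT 10.0)", "creationTime": "2018-03-30T08:00:00Z"}),
    # A value written without creationTime: its age cannot be judged, so it is kept here.
    json.dumps({"sessionId": "7A1E2D3C4B5A69788796A5B4C3D2E1F0", "ipAddress": "10.0.0.12"}),
]


def parse_creation_time(raw_value, field="creationTime"):
    """Return the timestamp held in the JSON field as an aware datetime, or None if absent/invalid."""
    try:
        obj = json.loads(raw_value)
    except ValueError:
        return None
    ts = obj.get(field) if isinstance(obj, dict) else None
    if not isinstance(ts, str):
        return None
    try:
        return datetime.strptime(ts, CUSTOM_FORMAT).replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def parse_now(now_str):
    """'Now' is passed in the same custom format so runs are reproducible."""
    return datetime.strptime(now_str, CUSTOM_FORMAT).replace(tzinfo=timezone.utc)


def split_expired(values, now_str, offset=timedelta(days=1)):
    """Partition attribute values into (expired, kept) relative to now minus the offset."""
    cutoff = parse_now(now_str) - offset
    expired, kept = [], []
    for v in values:
        ts = parse_creation_time(v)
        # Unparsable or missing timestamps land in 'kept': never delete what you cannot judge.
        (expired if ts is not None and ts <= cutoff else kept).append(v)
    return expired, kept


def purge_modify_ldif(dn, attribute, expired_values):
    """LDIF that deletes only the listed values of the attribute, not the entry."""
    if not expired_values:
        return ""
    lines = [f"dn: {dn}", "changetype: modify", f"delete: {attribute}"]
    lines += [f"{attribute}: {v}" for v in expired_values]
    lines.append("-")
    return "\n".join(lines) + "\n"


def expired_session_ids(values, now_str):
    expired, _ = split_expired(values, now_str)
    return [json.loads(v)["sessionId"] for v in expired]


if __name__ == "__main__":
    now = "2018-04-01T00:00:00Z"
    expired, kept = split_expired(SAMPLE_SESSIONS, now)
    print(purge_modify_ldif(SAMPLE_DN, "sessionInfo", expired), end="")
    print(f"kept {len(kept)} value(s), expired {len(expired)}")
```

The generated LDIF is the manual equivalent of one purge cycle for a single entry and can be applied with ldapmodify; the plugin performs the same value-level deletes on its own schedule, which is why the entry, and the sessions that have not yet aged out, survive the purge.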