Session Idle Timeout
By gc on Aug 28, 2009
When using Access Manager, people expects to set different session idle timeout or max session time for different orgs/groups/roles. This can be easily configured with older AM versions, 6.x or even older 5.x. But it is tricky to do so with the newer version 7.x. Lots of people noticed that the changes they made to the role level didn't take any effect even after restarting both AM and DS.
The 7.x public doc mentioned a bug 6309262 (doc'd in 7.0 RN http://docs.sun.com/app/docs/doc/819-2134/gazwg?l=en&a=view&q=6309262). Customer has to set the cosPriority by using legacy console. If customer's AM was configured in realm mode, then they would have to modify DS directly using ldapmodify or DS console. Actually this is not very accurate.
Here are the steps need to be performed:
0) You should had done this already if you run into this problem. On the AM console, create a role then click on "services" tab and then click "add". In the list of services that come up, choose "session". On the next page, choose the desired values for Maximum Session Time, Maximum Idle Time etc., and click "finish".
1) Go to a user's profile who belongs to the above mentioned role, click on "services" tab, then click "add" and choose "session" and then click "finish" on the next page. This step is not mentioned in any docs.
Alternatively, you can run ldapmodify to add objectclass iplanet-am-session-service to the users in the role.
2) Modify the cosPriority of realm level to a number larger than 0 so that the Directory Server does not choose the realm level setting over the setting of the role within the realm. The doc for bug 6309262 asks to change the role level. Actually it is already set to the highest value 0.
The entry dn you need to touch is something like (suppose the root dn is dc=com): cn="cn=ContainerDefaultTemplateRole,dc=com",cn=iPlanetAMSessionService,dc=com
3) Stop and restart the DS and AM.