When you deploy a Distributed Authentication UI server using the default application user, performance can drop significantly due to the default application user's restricted privileges in Directory Server.
In the Access Manager console, create a new user. For example: DistAuthUIuser.
In Directory Server, add the DistAuthUIuser user with a new ACI to allow reading, searching, and comparing user attributes. An example of this new ACI is:
dn: ou=1.0,ou=SunAMClientData,ou=ClientData,dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///ou=1.0,ou=SunAMClientData,ou=ClientData,dc=example,dc=com")(targetattr = "*")(version 3.0; acl "SunAM client data access for application user"; allow (read, search, compare) userdn = "ldap:///uid=DistAuthUIuser,ou=people,dc=example,dc=com";)
On the Distributed Authentication UI server, set the following variables in the configuration file:
APPLICATION_USER=DistAuthUIuser
APPLICATION_PASSWD=DistAuthUIuser-password
On Solaris and Linux systems, base the configuration file on the amsamplesilent file; the following step refers to this copy as DistAuth_config. Set any other variables in the DistAuth_config file as required for your deployment.
On Windows systems, use the AMConfigurator.properties file to create a new configuration file. For example: AMConfigurator-distauth.properties.
Run the amconfig script using the edited configuration file.
For example, on a Solaris system with Access Manager installed in the default directory:
# cd /opt/SUNWam/bin
# ./amconfig -s ./DistAuth_config
On Windows systems, in the amconfig.bat file, change AMConfigurator.properties to AMConfigurator-distauth.properties, and then run the edited amconfig.bat file.
Restart the web container on the Distributed Authentication UI server.
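The ACI added in Directory Server above is the security-sensitive part of this procedure: it should give the dedicated application user only read, search, and compare on the client-data subtree and nothing broader. As an added example that is not part of the Access Manager documentation, the following Python check parses an ACI of that shape and reports any deviation; the DNs, the sample ACI, and the EXPECTED_PERMS set are assumptions matching the example values above.

```python
import re

# Constructed values matching the example deployment in the procedure above.
CLIENT_DATA_DN = "ou=1.0,ou=SunAMClientData,ou=ClientData,dc=example,dc=com"
APP_USER_DN = "uid=DistAuthUIuser,ou=people,dc=example,dc=com"
EXPECTED_PERMS = {"read", "search", "compare"}
# The ACI as it should be applied, with its parentheses balanced.
SAMPLE_ACI = (f'(target="ldap:///{CLIENT_DATA_DN}")(targetattr = "*")(version 3.0; '
              f'acl "SunAM client data access for application user"; allow (read, search, '
              f'compare) userdn = "ldap:///{APP_USER_DN}";)')

# Accepts the single-rule version 3.0 ACI shape used above; anything else is malformed.
ACI_RE = re.compile(
    r'\(target\s*=\s*"ldap:///(?P<target>[^"]+)"\)\s*'
    r'\(targetattr\s*=\s*"(?P<attrs>[^"]+)"\)\s*'
    r'\(version\s*3\.0;\s*acl\s*"(?P<name>[^"]*)";\s*'
    r'(?P<rule>allow|deny)\s*\((?P<perms>[^)]*)\)\s*'
    r'userdn\s*=\s*"ldap:///(?P<userdn>[^"]+)"\s*;\s*\)',
    re.IGNORECASE,
)

def parse_aci(aci):
    """Return the ACI's fields as a dict, or None if it does not parse."""
    m = ACI_RE.fullmatch(aci.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["rule"] = fields["rule"].lower()
    fields["perms"] = {p.strip().lower() for p in fields["perms"].split(",") if p.strip()}
    return fields

def normalize_dn(dn):
    # Lower-case and strip whitespace around RDNs so DNs compare reliably.
    return ",".join(part.strip().lower() for part in dn.split(","))

def check_aci(aci, subtree=CLIENT_DATA_DN, user=APP_USER_DN):
    """Return findings for an ACI; an empty list means it grants only what is intended."""
    fields = parse_aci(aci)
    if fields is None:
        return ["ACI does not parse: check parentheses and quoting"]
    findings = []
    if fields["rule"] != "allow":
        findings.append("rule is not an allow rule")
    extra = fields["perms"] - EXPECTED_PERMS
    if extra:
        findings.append("grants more than read/search/compare: " + ", ".join(sorted(extra)))
    if normalize_dn(fields["target"]) != normalize_dn(subtree):
        findings.append("target is not the client-data subtree: " + fields["target"])
    if normalize_dn(fields["userdn"]) != normalize_dn(user):
        findings.append("subject is not the dedicated application user: " + fields["userdn"])
    return findings
```

Running check_aci against the aci value you actually load into Directory Server (for example, read back with ldapsearch) confirms the grant stayed as narrow as the procedure intends.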