When you deploy the Distributed Authentication UI server using the default application user, performance drops significantly due to the default application user's restricted privileges.
Workaround: Create a new user with appropriate privileges.
To create a new user with the proper ACIs:
In the Access Manager console, create a new user. For example, create a user named AuthUIuser.
In Directory Server console , add the following ACI.
dn:ou=1.0,ou=SunAMClientData,ou=ClientData,<ROOT_SUFFIX> changetype:modifyadd:aci aci: (target="ldap:///ou=1.0,ou=SunAMClientData,ou=ClientData,<ROOT_SUFFIX>") (targetattr = "*"(version 3.0; acl "SunAM client data anonymous access"; allow (read, search, compare) userdn = "ldap:///<AuthUIuser's DN>";)
Notice that the userdn is set to "ldap:///<AuthUIuser's DN>".
See the instructions in the To Install and Configure a Distributed Authentication UI Server in Sun Java System Access Manager 7.1 Postinstallation Guide for editing the amsilent file, and for running the amadmin command.
In the amsilentfile, set the following properties:
Enter a password for AuthUIuser.
Save the file.
Run the amconfig script using the new configuration file. For example, on a Solaris system with Access Manager installed in the default directory:
# cd /opt/SUNWam/bin
# ./amconfig -s ./DistAuth_config
Restart the web container on the Distributed Authentication UI server.
After installation with Access Manager in legacy mode, the default configuration for the Statistics Service has changed:
The service is turned on by default (com.iplanet.services.stats.state=file). Previously, it was off.
The default interval (com.iplanet.am.stats.interval) has changed from 3600 to 60.
The default stats directory (com.iplanet.services.stats.directory) has changed from /var/opt/SUNWam/debug to /var/opt/SUNWam/stats.
After you install Access Manager, login as amadmin and add the o, sunPreferredDomain, associatedDomain, sunOrganizationAlias, uid, and mail attributes to the Unique Attribute List. If you create two new organizations with the same name, the operation fails, but Access Manager displays the “organization already exists” message rather than the expected “attribute uniqueness violated” message.
Workaround: None. Ignore the incorrect message. Access Manager is functioning correctly.