Authentication Issues

• Distributed Authentication UI server performance drops when application user has insufficient privileges (6470055)

• Incompatibility for Access Manager default configuration of Statistics Service for legacy (compatible) mode (6286628)

• Attribute uniqueness broken in the top-level organization for naming attributes (6204537)

Distributed Authentication UI server performance drops when application user has insufficient privileges (6470055)

When you deploy the Distributed Authentication UI server using the default application user, performance drops significantly due to the default application user's restricted privileges.

Workaround: Create a new user with appropriate privileges.

To create a new user with the proper ACIs:

1. In the Access Manager console, create a new user. For example, create a user named AuthUIuser.

2. In Directory Server console , add the following ACI.

   dn:ou=1.0,ou=SunAMClientData,ou=ClientData,<ROOT_SUFFIX> changetype:modifyadd:aci aci: (target="ldap:///ou=1.0,ou=SunAMClientData,ou=ClientData,<ROOT_SUFFIX>") (targetattr = "*"(version 3.0; acl "SunAM client data anonymous access"; allow (read, search, compare) userdn = "ldap:///<AuthUIuser's DN>";)

   Notice that the userdn is set to "ldap:///<AuthUIuser's DN>".

3. See the instructions in the To Install and Configure a Distributed Authentication UI Server in Sun Java System Access Manager 7.1 Postinstallation Guide for editing the amsilent file, and for running the amadmin command.

4. In the amsilentfile, set the following properties:

   APPLICATION_USER

   Enter AuthUIuser.

   APPLICATION_PASSWD

   Enter a password for AuthUIuser.

5. Save the file.

6. Run the amconfig script using the new configuration file. For example, on a Solaris system with Access Manager installed in the default directory:

   # cd /opt/SUNWam/bin

   # ./amconfig -s ./DistAuth_config

7. Restart the web container on the Distributed Authentication UI server.

Incompatibility for Access Manager default configuration of Statistics Service for legacy (compatible) mode (6286628)

After installation with Access Manager in legacy mode, the default configuration for the Statistics Service has changed:

• The service is turned on by default (com.iplanet.services.stats.state=file). Previously, it was off.

• The default interval (com.iplanet.am.stats.interval) has changed from 3600 to 60.

• The default stats directory (com.iplanet.services.stats.directory) has changed from /var/opt/SUNWam/debug to /var/opt/SUNWam/stats.

Workaround: None.

Attribute uniqueness broken in the top-level organization for naming attributes (6204537)

After you install Access Manager, login as amadmin and add the o, sunPreferredDomain, associatedDomain, sunOrganizationAlias, uid, and mail attributes to the Unique Attribute List. If you create two new organizations with the same name, the operation fails, but Access Manager displays the “organization already exists” message rather than the expected “attribute uniqueness violated” message.

Workaround: None. Ignore the incorrect message. Access Manager is functioning correctly.