Deployment Example 1: Access Manager 7.0 Load Balancing, Distributed Authentication UI, and Session Failover

ProcedureTo Configure the User Data Stores

  1. Delete the default data store.

    1. In the sub-realm users Authentication page, click the Data Stores tab.

    2. In the sub-realm users Data Stores page, mark the checkbox for amSDK1, the default data store.

    3. Click Delete.

  2. Create a new data store.

    1. Click New .

    2. In the “Step 1 of 2: Select Type of Data Store” page, set the following attributes:


      Enter usersLDAP.


      Choose “LDAPv3 Repository Plug-In.”

    3. Click Next.

    4. In the “Step 2 of 2: New Data Store” page, set the following attributes:

      Primary LDAP Server
      1. In the Add field, enter the hostname and port number for the existing directory. Use the form

      2. Select the default , and then click Remove.

      LDAP Bind DN

      Enter uid=userdbadmin,ou=users,dc=company,dc=com .

      Password for Root User Bind


      Password for Root User Bind (confirm)


      LDAP Organization DN

      Enter dc=company,dc=com.

      LDAP People Container Value


      When this field is empty, the search for users will start from the root suffix.

      Persistent Search Base DN

      Enter dc=company,dc=com.

      These values were imported into the user data store in a previous task. See To Import Users into the User Data Store.

    5. Click Finish and log out of the Access Manager console.

  3. Restart each Access Manager server for the changes to take place.

    Log in to each Access Manager host system, and restart the Web Server on each host system.

  4. Verify that in the Access Manager console you can see the users in the external user data store.

    1. Go to the Access Manager URL.

    2. Log in to the Access Manager console using the following information:





    3. Click on Users Realm.

    4. Click on Subjects tab.

      You should see three new users: authuiadmin, userdbadmin, and userdbauthadmin.

  5. Verify that a user can successfully authenticate against the new realm.

    1. Start a new browser session and log in to Access Manager.

      Go to the following URL:

      The parameter realm=users specifies the new realm to use for authentication. Without the parameter, the default realm is used.

    2. On the login page, provide a user login and password from the existing directory.

      User Name:




      You should be able to log in successfully.

      If the login is not successful, watch the existing Directory Server access log to troubleshoot the problem.

    At this point, a user can log in against the existing Directory Server if he invokes the realm=users parameter. If such a parameter is absent, the default realm is used.

    Administrators who want to access the Access Manager console should log in to the default realm.