Novell ACCESS MANAGER 3.1 SP1 - IDENTITY SERVER Manual page 79

Identity server guide
This option must be enabled if you use this user store as a Novell SecretStore User Store
Reference in the Credential Profile details. (See Section 10.4, "Configuring Credential Profile
Security and Display Settings," on page 226.) If you have specified that this user store is a
SecretStore User Store Reference, this option is enabled but not editable.
Connection limit: The maximum number of pooled simultaneous connections allowed to the
LDAP server. Valid values are between 5 and 100.
6 Click Auto import trusted root.
7 Click OK to confirm the import.
8 Select one of the certificates in the list.
You are prompted to choose either a server certificate or a root CA certificate. To trust one
certificate, choose Server Certificate. Choose Root CA Certificate to trust any certificate signed
by that certificate authority.
9 Specify an alias, then click OK.
10 Click OK in the Specify server replica information dialog box.
11 Select the replica, then click Validate to test the connection between the Identity Server and the
replica.
The system displays the result under Validation Status. The system displays a green check
mark if the connection is valid.
12 (Optional) To add additional replicas for the same user store, repeat Step 5 through Step 11.
Adding multiple replicas adds load balancing and failover to the user store. Replicas must be
exact copies of each other.
For load balancing, a hash algorithm is used to map a user to a replica. All requests on behalf of
that user are sent to that replica. Users are moved from their replica to another replica only
when their replica is no longer available.
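The replica selection described in the step above (a hash maps each user to one replica, and a user is moved only while that replica is unavailable), as an added worked example in Python. This is not code from the manual or from Novell Access Manager: the replica hostnames are placeholders, and the choice of SHA-256 as the hash is an assumption, since the manual does not name the algorithm.

```python
import hashlib
from typing import Dict, Optional, Sequence, Set

# Constructed replica list for this example; the hostnames are placeholders,
# not values taken from the manual.
REPLICAS = [
    "ldap-replica-1.example.test",
    "ldap-replica-2.example.test",
    "ldap-replica-3.example.test",
]


def hash_bucket(username: str, replica_count: int) -> int:
    """Map a username to a replica index deterministically.

    The manual says a hash of the user selects the replica but does not name the
    algorithm; SHA-256 is an assumption chosen because it is stable across
    processes and hosts (Python's built-in hash() is randomised per process and
    would scatter the same user across replicas after every restart).
    Usernames are lower-cased so case variants of one account map to one replica.
    """
    digest = hashlib.sha256(username.lower().encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big") % replica_count


def home_replica(username: str, replicas: Sequence[str]) -> str:
    """The replica every request on behalf of this user is normally sent to."""
    return replicas[hash_bucket(username, len(replicas))]


def choose_replica(username: str, replicas: Sequence[str], available: Set[str]) -> Optional[str]:
    """Return the user's home replica if reachable, else the next reachable one in ring order.

    A user leaves the home replica only while it is unavailable, which is why the
    manual requires replicas to be exact copies: a failover target that lags behind
    could accept stale credentials or miss a newly created or disabled account.
    Returns None when no replica is reachable so the caller can fail closed.
    """
    count = len(replicas)
    start = hash_bucket(username, count)
    for offset in range(count):
        candidate = replicas[(start + offset) % count]
        if candidate in available:
            return candidate
    return None


def distribution(usernames: Sequence[str], replicas: Sequence[str]) -> Dict[str, int]:
    """Count how many of the given users land on each replica (a quick balance check)."""
    counts = {replica: 0 for replica in replicas}
    for name in usernames:
        counts[home_replica(name, replicas)] += 1
    return counts


if __name__ == "__main__":
    users = [f"user{i}" for i in range(300)]
    print("home replica for alice:", home_replica("alice", REPLICAS))
    print("balance over 300 constructed users:", distribution(users, REPLICAS))
    lost = home_replica("alice", REPLICAS)
    print("alice after", lost, "goes down:",
          choose_replica("alice", REPLICAS, set(REPLICAS) - {lost}))
```

The ring walk in choose_replica is what gives failover without disturbing users whose home replica is still up; only the users hashed to the failed replica move, and they return as soon as it is available again.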
13 Add a search context.
The search context is used to locate users in the directory when a contract is executed.
If a user exists outside of the specified search context (object, subtree, one level), the
Identity Server cannot find the user, and the user cannot log in.
If the search context is too broad, the Identity Server might find more than one match, in
which case the contract fails, and the user cannot log in.
For example, if you allow users to have the same username and these users exist in the
specified search context, these users cannot log in if you are using a simple username and
password contract. The search for users matching this contract would return more than one
match. In this case, you need to create a contract that specifies additional attributes so that the
search returns only one match. For more information on how to create such contracts, see
Section 12.3.1, "Authentication Classes and Duplicate Common Names," on page 284.
IMPORTANT: For Active Directory, do not set the search context at the root level by using
the Subtree scope. This setting can cause serious performance problems. It is recommended
that you set multiple search contexts, one for each top-level organizational unit.
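How search context scope and duplicate common names interact, as an added Python example that is not part of the manual or of the product. It models a small directory with object, one-level and subtree scopes, and shows a username-only lookup failing on a duplicate cn while a contract that adds a second attribute resolves to exactly one entry. The directory entries, DNs and attribute values are constructed for the example, the comma-split DN parsing is a simplification (it ignores escaped commas), and the "exactly one match or fail" rule is a model of the behaviour the manual describes, not the product's code.

```python
from typing import Dict, List, Sequence, Tuple

# Constructed directory for the example; DNs and attribute values are made up.
# Two different people share the common name "jsmith" in different containers.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "cn=jsmith,ou=sales,o=novell": {"cn": "jsmith", "mail": "jsmith-sales@example.test"},
    "cn=jsmith,ou=eng,o=novell": {"cn": "jsmith", "mail": "jsmith-eng@example.test"},
    "cn=akim,ou=eng,o=novell": {"cn": "akim", "mail": "akim@example.test"},
    "cn=bwong,ou=support,ou=sales,o=novell": {"cn": "bwong", "mail": "bwong@example.test"},
}


def dn_components(dn: str) -> List[str]:
    """Split a DN into normalised RDNs. Simplified: escaped commas are not handled."""
    return [part.strip().lower() for part in dn.split(",")]


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """Apply the three search-context scopes the manual names: object, one level, subtree."""
    entry, base = dn_components(entry_dn), dn_components(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False  # entry is not under this base at all
    depth = len(entry) - len(base)
    if scope == "object":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "subtree":
        return True
    raise ValueError(f"unknown scope: {scope}")


def search(base_dn: str, scope: str, filter_attrs: Dict[str, str]) -> List[str]:
    """Return DNs under base_dn (per scope) whose attributes equal every filter value."""
    return [
        dn for dn, attrs in DIRECTORY.items()
        if in_scope(dn, base_dn, scope)
        and all(attrs.get(key) == value for key, value in filter_attrs.items())
    ]


def resolve_user(search_contexts: Sequence[Tuple[str, str]],
                 filter_attrs: Dict[str, str]) -> Tuple[str, List[str]]:
    """Model of the login decision: the contract succeeds only on exactly one match.

    Zero matches means the user lies outside every search context ("not-found");
    more than one means the contract's attributes do not identify a single entry
    ("ambiguous"); both are login failures in the behaviour the manual describes.
    """
    matches: List[str] = []
    for base_dn, scope in search_contexts:
        for dn in search(base_dn, scope, filter_attrs):
            if dn not in matches:  # overlapping contexts must not double count
                matches.append(dn)
    if not matches:
        return ("not-found", [])
    if len(matches) > 1:
        return ("ambiguous", matches)
    return ("ok", matches)


if __name__ == "__main__":
    # Username-only contract over a broad subtree: duplicate cn, login fails.
    print(resolve_user([("o=novell", "subtree")], {"cn": "jsmith"}))
    # Contract with an additional attribute: one match, login succeeds.
    print(resolve_user([("o=novell", "subtree")],
                       {"cn": "jsmith", "mail": "jsmith-eng@example.test"}))
    # One-level scope misses a user two containers down; subtree finds them.
    print(resolve_user([("ou=sales,o=novell", "one")], {"cn": "bwong"}))
    print(resolve_user([("ou=sales,o=novell", "subtree")], {"cn": "bwong"}))
    # Several narrow contexts, one per top-level OU, as the IMPORTANT note recommends.
    print(resolve_user([("ou=eng,o=novell", "one"), ("ou=sales,o=novell", "one")], {"cn": "akim"}))
```

The last call shows the shape the IMPORTANT note recommends for Active Directory: several narrow contexts, one per top-level organizational unit, rather than a single subtree search from the root. The duplicate-cn case is the one to test for explicitly when a user store is shared by several business units, since it surfaces as a login failure rather than an error in the directory itself.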
14 Click Finish.
15 If prompted to restart Tomcat, click OK. Otherwise, update the Identity Server.
16 (Conditional) If you have modified the Identity Server's certificate, restart the Embedded
Service Provider of any device that has been configured to use this configuration.
Configuring Local Authentication