Novell ACCESS MANAGER 3.1 SP2 - IDENTITY SERVER GUIDE 2010 Manual page 108


Connection limit: The maximum number of pooled simultaneous connections allowed to the
replica. Valid values are between 5 and 100. How many you need depends upon the speed of
your LDAP servers. If you modify the default value, monitor the change in performance.
Larger numbers do not necessarily increase performance.
6 Click Auto import trusted root.
7 Click OK to confirm the import.
8 Select one of the certificates in the list.
You are prompted to choose either a server certificate or a root CA certificate. To trust one
certificate, choose Server Certificate. Choose Root CA Certificate to trust any certificate signed
by that certificate authority.
9 Specify an alias, then click OK.
10 Click OK in the Specify server replica information dialog box.
11 Select the replica, then click Validate to test the connection between the Identity Server and the
replica.
The system displays the result under Validation Status. The system displays a green check mark
if the connection is valid.
12 (Optional) To add additional replicas for the same user store, repeat Step 5 through Step 11.
Adding multiple replicas adds load balancing and failover to the user store. Replicas must be
exact copies of each other.
For load balancing, a hash algorithm is used to map a user to a replica. All requests on behalf of
that user are sent to that replica. Users are moved from their replica to another replica only
when their replica is no longer available.
13 Add a search context.
The search context is used to locate users in the directory when a contract is executed.
If a user exists outside of the specified search context (object, subtree, one level), the
Identity Server cannot find the user, and the user cannot log in.
If the search context is too broad, the Identity Server might find more than one match, in
which case the contract fails, and the user cannot log in.
For example, if you allow users to have the same username and these users exist in the
specified search context, these users cannot log in if you are using a simple username and
password contract. The search for users matching this contract would return more than one
match. In this case, you need to create a contract that specifies additional attributes so that the
search returns only one match. For more information on how to create such contracts, see
Section 15.3.1, "Authentication Classes and Duplicate Common Names," on page 357.
IMPORTANT: For Active Directory, do not set the search context at the root level with the
scope set to Subtree. This setting can cause serious performance problems. It is recommended that
you set multiple search contexts, one for each top-level organizational unit.
14 Click Finish.
15 If prompted to restart Tomcat, click OK. Otherwise, update the Identity Server.
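The search-context behavior described in step 13, as an added example that is not part of the Novell manual: a small Python model of base DN plus scope matching over a constructed directory, showing when a simple username lookup finds zero, one, or several users. The DNs, the function names, and the rule that overlapping contexts count the same entry once are assumptions of this sketch.

```python
# Added example: models how a search context (base DN + scope) decides whether
# a login name resolves to exactly one user. All directory entries are constructed.

def rdns(dn):
    # Naive DN split; assumes no escaped commas in the constructed sample DNs.
    return [part.strip().lower() for part in dn.split(",")]

def in_scope(entry_dn, base_dn, scope):
    entry, base = rdns(entry_dn), rdns(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False                      # entry is not under the base at all
    depth = len(entry) - len(base)        # 0 means the base object itself
    if scope == "object":
        return depth == 0
    if scope == "one level":
        return depth == 1
    if scope == "subtree":
        return True
    raise ValueError(f"unknown scope: {scope}")

def resolve_login(username, entries, contexts):
    """Return (status, matching DNs) for a simple username/password contract."""
    wanted = "cn=" + username.lower()
    # Assumption: an entry reachable through two overlapping contexts is one user.
    matches = sorted({dn for dn in entries
                      for base, scope in contexts
                      if rdns(dn)[0] == wanted and in_scope(dn, base, scope)})
    if not matches:
        return "not_found", matches       # user is outside every search context
    if len(matches) > 1:
        return "ambiguous", matches       # more than one match: contract fails
    return "ok", matches

# Constructed sample directory (not from the manual).
ENTRIES = [
    "cn=jsmith,ou=sales,o=example",
    "cn=jsmith,ou=engineering,o=example",
    "cn=akhan,ou=engineering,o=example",
    "cn=mlee,ou=contractors,ou=engineering,o=example",
]

if __name__ == "__main__":
    for contexts in ([("o=example", "subtree")],
                     [("ou=sales,o=example", "one level")],
                     [("ou=engineering,o=example", "one level")]):
        for user in ("jsmith", "akhan", "mlee"):
            print(contexts, user, resolve_login(user, ENTRIES, contexts)[0])
```

Running the same check against an export of real user DNs before narrowing or widening a search context shows which accounts would become unreachable or ambiguous.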