Improved LDAP Search Tree for eDirectory 8.8 and IDM 3.5, Part 1



By: mfaris01

April 11, 2007 10:49 am


Part 1: Creating Multiple eDirectory Trees on a Single SLES Server with eDirectory 8.8.1

Introduction

Many applications use LDAP to authenticate against a common metadirectory. eDirectory is well suited to this, providing a single store of user accounts that most third-party applications can authenticate against, which lowers administrative cost and effort. The problem with LDAP searches against a large, well-designed eDirectory tree is latency: an application that only knows a login name has to run a subtree search from a high base DN and walk every sub-container until it finds that user.

I want to acknowledge my co-worker, Farley Russell, for giving me the idea for this article. We were faced with this same problem and came up with a really cool idea.

1. Using the OES Linux (eDirectory 8.8.1) server that hosts our Identity Manager Vault, create another eDirectory instance (tree).

2. Create an eDirectory driver on both “trees” and populate the new tree with just user and group accounts in a single container, thus creating a “flat” tree.

3. Set up account synchronization so when a new user is created/deleted/modified in our primary eDirectory tree, the changes are forwarded to the new tree through Identity Manager.

4. Use the new tree for all applications needing to utilize LDAP for authentication.

Since this is a multi-segmented project, I have broken it down into installments:

  • Part 1: Creating Multiple eDirectory Trees on a Single SLES Server with eDirectory 8.8.1
  • Part 2: Setting up eDirectory to eDirectory Drivers using Identity Manager 3.5

Prerequisites

  • OES (Linux) SP2
  • eDirectory 8.8.1
  • Identity Manager v3.5

Refer to the README for eDirectory 8.8.1 for issues on upgrading:
http://www.novell.com/documentation/edir88/readme/readme.txt

Note: Multiple eDirectory trees on a single host are only available on Linux and Unix.

Procedure

1. Log in to the server command line where you want to create a second tree.

2. Switch to root for this installation.

The eDirectory command-line tools are located in the /opt/novell/eDirectory/bin directory and are not in the path by default.

3. Type the following command to place them in the path for this session:

myoesserv:~ # . /opt/novell/eDirectory/bin/ndspath

Important: Type a dot and a space before the “/”. The leading dot sources the script into your current shell, so the PATH change applies to this session instead of to a child shell that exits immediately.

Now you can type the other commands without typing the full path.

4. Create a directory where you want to store the files associated with your new tree, then start ndsmanage.

myoesserv:~ # mkdir /nds-trees

myoesserv:~ # ndsmanage

	Instances management utility for Novell eDirectory 8.8 SP 1 v2

	The following are the instances configured by root

	[1] /etc/opt/novell/eDirectory/conf/nds.conf : 
	.MYOESSERV.VAULT.IDM_TREE. 	: 192.168.1.4@524 : ACTIVE

	Enter [r] to refresh list, [1] for more options,
	[c] for creating a new instance or [q] to quit: c

5. Type “c” to create.

	You have opted to create a new instance of eDirectory. Ensure
	that you have all the configuration planned before you
	proceed further. (Refer to the eDirectory Installation
	Guide for more information on the configuration.)

	If you choose to continue and if you are unsure of any
	of the configuration values, please abort and use the
	ndsconfig utility to create the new instance.

	Do you want to continue?  (y or [n]): y

6. Type “y”.

	Create a new tree ? (y or [n]): y

7. Type “y”.

	Choose a tree name that can be unique in the network.

	TREE NAME: ldap_tree

8. Enter the name of your new tree.

	Server name is the representation of this instance's server
	object in the eDirectory tree. [Ex: myoesserv-root-2]

	SERVER NAME: myoesserv

9. Enter the server name.

	Server context is the Fully Distinguished Name (FDN) of the
	container under which the server object resides.
	[Ex: ou=servers.o=myorg]

	SERVER CONTEXT: o=myorg

10. Enter the context where you want the server object to be placed in the new tree.

	You need the credentials of a user in the tree for
	configuring the server. (Refer to the eDirectory
	Administration Guide for the effective rights required
	for such a user). [Ex: cn=admin.ou=users.o=myorg]

	ADMIN USER: cn=admin.o=myorg

11. Enter the admin user's FDN for the new tree, in dotted NDS notation. This user is created during the install. It is the admin of the new tree only and has nothing to do with the admin of your existing tree, so give it its own strong password and record it with your other directory admin credentials.

	NCP Port number to listen on: 1524

Enter the port for NCP (not 524; that port is already in use by your first tree).

Tip: I know that I will never have more than 5 trees on a given server, so I place a number before the traditional port number, i.e., 1524 for the second tree, 2524 for the third, etc. The same prefix is used for the LDAP and HTTP ports below (1389, 1636, 18028 and 18030), so the port number alone tells you which tree you are talking to.

	Please specify the absolute location for this instance of
	eDirectory. The dib, log files and nds.conf go into
	this directory. [Ex: /home/root/instance2/]

	Instance location: /nds-trees/ldap_tree/

12. To specify where the eDirectory files for the new tree are stored, enter the directory created earlier. I used the tree name as the folder name so I can go back later and tell which tree is stored in which directory.

	Please specify the absolute location and filename of the
	configuration file. [Ex: /home/root/instance2/nds.conf]

	Configuration file: /nds-trees/ldap_tree/conf/nds.conf

13. Enter the path you just gave, with the subdirectory and file name for the configuration file appended (here conf/nds.conf). Make sure you include the name of the file; ndsmanage identifies each instance by this path.

	Enter the password for cn=admin.o=myorg:
	Re-enter the password for cn=admin.o=myorg:

14. Set the admin password for the new tree. ndsmanage prompts for it rather than taking it on the command line, so it does not end up in your shell history or in the process list.

	Configuring the NDAP interfaces... Done
	Configuring the LDAP interfaces...
	INFO: Port "389" is already in use on "all" network interface(s)
	Please enter a valid LDAP TCP port: 1389

15. Choose a different port for clear-text (non-SSL) LDAP. Simple binds on this port send the user's password unprotected over the network, so point applications at the SSL port below wherever they support it.

	Configuring the LDAP interfaces...
	INFO: Port "636" is already in use on "all" network interface(s)
	Please enter a valid LDAP SSL port: 1636

16. Choose a different port for LDAP over SSL (LDAPS). This is the port applications should use for authentication.

	Configuring the HTTP interfaces...
	INFO: Port "8028" is already in use on "192.168.1.4" network interface(s)
	Enter a port no. [Range: 1 - 65535]:  18028

	INFO: Port "8030" is already in use on "192.168.1.4" network interface(s)
	Enter a port no. [Range: 1 - 65535]:  18030

ndsmanage now starts ndsconfig, which creates and starts your new instance of eDirectory. You can run ndsconfig directly, but then you have to put most of the values you just entered on its command line. I prefer ndsmanage because there is less chance of a typo.

17. When it’s complete, type ndsmanage again and see the instances listed and their status:

	Instances management utility for Novell eDirectory 8.8 SP 1 v2

	The following are the instances configured by root

	[1] /etc/opt/novell/eDirectory/conf/nds.conf : 
	.MYOESSERV.VAULT.IDM_TREE. 	: 192.168.1.4@524 : ACTIVE

	[2] /nds-trees/ldap_tree/conf/nds.conf :
	.MYOESSERV.MYORG.LDAP_TREE. : 192.168.1.4@1524 : ACTIVE

	Enter [r] to refresh list, [1 - 2] for more options,
	[c] for creating a new instance or [q] to quit: 2

18. From this point, choose either 1 or 2, and this presents a new menu:

	Instance at  /nds-trees/ldap_tree/conf/nds.conf :

	[l] List the replicas on the server
	[s] Start the instance
	[k] Stop the instance
	[t] Run ndstrace
	[d] Deconfigure
	[b] Back to previous menu
	[q] Quit

	What do you want to do with this instance? [ Choose from above]:

Whichever option you choose, remember that it applies only to the instance you selected. Stopping eDirectory here stops just that tree; the other tree keeps running.
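The ndsmanage dialogue above is essentially a port-planning exercise: every port the first tree already listens on has to be replaced for the second instance, and ndsmanage only warns about a clash once it reaches that port. The script below is an added example and is not part of the original article or of Novell's tools. It computes the port set for instance N with the prefix scheme used above, checks each port against the kernel's socket tables before you start ndsmanage, and prints the equivalent non-interactive ndsconfig command that the article mentions. The tree, server, context and admin names are the article's sample values; the ndsconfig flag letters (-t, -n, -a, -S, -b, -L, -l, -o, -O, -D, --config-file) are my reading of the eDirectory 8.8 ndsconfig usage text and are an assumption to check against the usage output on your own server. The verify_ldaps function assumes an OpenLDAP ldapsearch client.

```shell
#!/bin/sh
# Added example, not from the original article: plan, check and script the ports
# for an additional eDirectory 8.8 instance on one host, using the article's
# convention of prefixing each default port with (instance number - 1):
# instance 2 -> 1524 1389 1636 18028 18030, instance 3 -> 2524 2389 ... and so on.

# Default eDirectory ports in the order ndsmanage asked for them:
# NCP, LDAP (clear text), LDAPS, and the two HTTP-stack ports (8028, 8030).
DEFAULT_PORTS="524 389 636 8028 8030"
PORT_NAMES="ncp ldap ldaps http8028 http8030"

# instance_ports N  ->  the five ports for instance N (N=1 is the first tree,
# i.e. the defaults). Capped at 6 so the largest port stays below 65536.
instance_ports() {
    n=$1
    case "$n" in ''|*[!0-9]*) n=0;; esac
    if [ "$n" -lt 1 ] || [ "$n" -gt 6 ]; then
        echo "instance number must be 1..6" >&2
        return 1
    fi
    k=$((n - 1))
    out=""
    for p in $DEFAULT_PORTS; do
        if [ "$k" -eq 0 ]; then out="$out $p"; else out="$out $k$p"; fi
    done
    echo "${out# }"
}

# port_listening PORT [FILE...]  ->  true if a socket in LISTEN state (st 0A)
# is bound to PORT in FILE (default: the kernel's /proc/net/tcp and tcp6).
# Reading the kernel table directly avoids depending on netstat or ss, and
# lets a constructed table be passed in for testing.
port_listening() {
    port=$1; shift
    hex=$(printf '%04X' "$port")
    [ $# -gt 0 ] || set -- /proc/net/tcp /proc/net/tcp6
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v want="$hex" '
            NR > 1 && $4 == "0A" {
                split($2, a, ":")            # local_address is IPHEX:PORTHEX
                if (toupper(a[2]) == want) { found = 1; exit }
            }
            END { exit (found ? 0 : 1) }' "$f" && return 0
    done
    return 1
}

# check_ports N [FILE...]  ->  prints the plan for instance N and returns
# non-zero if any of its ports is already taken. Run this before ndsmanage.
check_ports() {
    n=$1; shift
    ports=$(instance_ports "$n") || return 1
    rc=0; i=0
    for p in $ports; do
        i=$((i + 1))
        name=$(echo "$PORT_NAMES" | cut -d' ' -f"$i")
        if port_listening "$p" "$@"; then
            echo "$name $p: IN USE"; rc=1
        else
            echo "$name $p: free"
        fi
    done
    return $rc
}

# ndsconfig_cmd N TREE SERVER CONTEXT ADMIN_FDN DIR  ->  the non-interactive
# equivalent of the ndsmanage dialogue. Flag meanings are an assumption from
# the eDirectory 8.8 ndsconfig usage text: -t tree, -n server context,
# -a admin FDN (dotted form), -S server name, -b NCP port, -L/-l LDAP/LDAPS,
# -o/-O the two HTTP ports, -D instance directory, --config-file nds.conf.
# The -w password option is deliberately omitted so ndsconfig prompts for it;
# on the command line it would be visible in ps and in the shell history.
ndsconfig_cmd() {
    n=$1 tree=$2 server=$3 ctx=$4 admin=$5 dir=$6
    ports=$(instance_ports "$n") || return 1
    set -- $ports
    printf 'ndsconfig new -t %s -n %s -a %s -S %s -b %s -L %s -l %s -o %s -O %s -D %s --config-file %s/conf/nds.conf\n' \
        "$tree" "$ctx" "$admin" "$server" "$1" "$2" "$3" "$4" "$5" "$dir" "$dir"
}

# verify_ldaps HOST PORT BIND_DN BASE  ->  base-scope search over LDAPS to
# confirm the new instance answers and the admin can bind. Uses the LDAP
# (comma) DN form, e.g. cn=admin,o=myorg, not the dotted form ndsconfig takes.
# Assumes an OpenLDAP ldapsearch whose ldap.conf trusts the new tree's CA.
verify_ldaps() {
    ldapsearch -x -H "ldaps://$1:$2" -D "$3" -W -b "$4" -s base '(objectClass=*)' dn
}

# Usage: sh edir-instance-plan.sh plan N TREE SERVER CONTEXT ADMIN_FDN DIR
if [ "${1:-}" = "plan" ]; then
    shift
    check_ports "$1" && ndsconfig_cmd "$@"
fi
```

Run it as `sh edir-instance-plan.sh plan 2 ldap_tree myoesserv o=myorg cn=admin.o=myorg /nds-trees/ldap_tree`: it prints which of 1524, 1389, 1636, 18028 and 18030 are free and then the ndsconfig command for the second tree. Because the admin password is left off, ndsconfig prompts for it just as ndsmanage does. After the instance is up, `verify_ldaps myoesserv 1636 cn=admin,o=myorg o=myorg` confirms that the LDAPS listener answers and the admin bind works; use the SSL port for this and for every application bind, and make the client trust the new tree's CA certificate (TLS_CACERT in ldap.conf) rather than turning certificate checking off.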

Checking iManager

1. Open a browser and enter the url for iManager on that server, i.e., http://myoesserv.mydomain.com/nps/iManager

Figure 1 – Opening iManager

Important: In the Tree field, enter the server name or IP address followed by a colon and the NCP port you chose for the new tree (such as “myoesserv:1524”). Without the port, iManager connects to the default NCP port 524, which is your first tree.

Figure 2 – Accessing the tree

You still need to configure an RBS collection for this tree so that the iManager role and task objects get created in the right tree; remember that you are working with more than one tree on this server. And if you come from the NetWare kernel world, like me, it takes a little getting used to.

The Part 2 article will explain how to use this new tree with IDM and then LDAP.

Categories: eDirectory, Identity Manager, Technical Solutions
