Many applications use LDAP for authentication against a common Metadirectory. eDirectory is ideal for this purpose, providing a single point for user accounts with most third-party application authentication, thus lowering administrative costs and resources. The problem with LDAP searches against a large, well designed eDirectory tree is latency while the application searches every sub-container searching for a particular user.
I want to acknowledge my co-worker, Farley Russell, for giving me the idea for this article. We were faced with this same problem and came up with a really cool idea.
1. Using the OES Linux (eDirectory 8.8.1) server that hosts our Identity Manager Vault, create another eDirectory instance (tree).
2. Create an eDirectory driver on both “trees” and populate the new tree with just user and group accounts in a single container, thus creating a “flat” tree.
3. Set up account synchronization so when a new user is created/deleted/modified in our primary eDirectory tree, the changes are forwarded to the new tree through Identity Manager.
4. Use the new tree for all applications needing to utilize LDAP for authentication.
Since this is a multi-segmented project, I have broken it down into installments:
Refer to the README for eDirectory 8.8.1 for issues on upgrading:
Note: Multiple eDirectory trees on a single host are only available on Linux and Unix.
1. Log in to the server command line where you want to create a second tree.
2. Switch to root for this installation.
The eDirectory command-line tools are located in the /opt/novell/eDirectory/bin directory and are not in the path by default.
3. Type the following command to place them in the path for this session:
myoesserv:~ # . /opt/novell/eDirectory/bin/ndspath
Important: Make sure you type a dot+space before the “/”
Now you can type the other commands without typing the full path.
4. Create a directory where you want to store the files associate with your new tree.
myoesserv:~ # mkdir /nds-trees myoesserv:~ # ndsmanage Instances management utility for Novell eDirectory 8.8 SP 1 v2 The following are the instances configured by root  /etc/opt/novell/eDirectory/conf/nds.conf : .MYOESSERV.VAULT.IDM_TREE. : 192.168.1.4@524 : ACTIVE Enter [r] to refresh list,  for more options, [c] for creating a new instance or [q] to quit: c
5. Type “c” to create.
You have opted to create a new instance of eDirectory. Ensure that you have all the configuration planned before you proceed further. (Refer to the eDirectory Installation Guide for more information on the configuration.) If you choose to continue and if you are unsure of any of the configuration values, please abort and use the ndsconfig utility to create the new instance. Do you want to continue? (y or [n]): y
6. Type “y”.
Create a new tree ? (y or [n]): y
7. Type “y”.
Choose a tree name that can be unique in the network. TREE NAME: ldap_tree
8. Enter the name of your new tree.
Server name is the representation of this instance's server object in the eDirectory tree. [Ex: myoesserv-root-2] SERVER NAME: myoesserv
9. Enter the server name.
Server context is the Fully Distinguished Name (FDN) of the container under which the server object resides. [Ex: ou=servers.o=myorg] SERVER CONTEXT: o=myorg
10. Enter the context where you want the server object to be placed in the new tree.
You need the credentials of a user in the tree for configuring the server. (Refer to the eDirectory Administration Guide for the effective rights required for such a user). [Ex: cn=admin.ou=users.o=myorg] ADMIN USER: cn=admin.o=myorg
11. Enter the admin user FDN for the New tree. This ID will be created during the install.
NCP Port number to listen on: 1524
Enter the port for NCP (not 524; it’s being used by your first tree).
Tip: I know that I will never have more than 5 trees on a given server, so I place a a number before the traditional port number, i.e., 1524 for the second tree, 2524 for the third, etc.
Please specify the absolute location for this instance of eDirectory. The dib,log files and nds.conf go into this directory. [Ex: /home/root/instance2/] Instance location: /nds-trees/ldap_tree/
12. To specify the location of the eDirectory files for this new tree. enter the directory name we created earlier. I used a folder name for the tree so I can go back later and know which tree is stored in which directory.
Please specify the absolute location and filename of the configuration file. [Ex: /home/root/instance2/nds.conf] Configuration file: /nds-trees/ldap_tree/conf/nds.conf
13. Enter the path you just referenced only append where you want the configuration file. Make sure you include the name of the file.
Enter the password for cn=admin.o=myorg: Re-enter the password for cn=admin.o=myorg:
14. Give the admin a password.
Configuring the NDAP interfaces... Done Configuring the LDAP interfaces... INFO: Port "389" is already in use on "all" network interface(s) Please enter a valid LDAP TCP port: 1389
15. Choose a different port for LDAP non-SSL.
Configuring the LDAP interfaces... INFO: Port "636" is already in use on "all" network interface(s) Please enter a valid LDAP SSL port: 1636
16. Choose a different port for LDAP SSL.
Configuring the HTTP interfaces... INFO: Port "8028" is already in use on "192.168.1.4" network interface(s) Enter a port no. [Range: 1 - 65535]: 18028 INFO: Port "8030" is already in use on "192.168.1.4" network interface(s) Enter a port no. [Range: 1 - 65535]: 18030
ndsmanage will start ndsconfig and create and start your new instance of eDirectory. You can run ndsconfig by itself, but you need most of the info you entered for the command line. I prefer ndsmanage, because there is less of a chance of typos.
17. When it’s complete, type ndsmanage again and see the instances listed and their status:
Instances management utility for Novell eDirectory 8.8 SP 1 v2 The following are the instances configured by root  /etc/opt/novell/eDirectory/conf/nds.conf : .MYOESSERV.VAULT.IDM_TREE. : 192.168.1.4@524 : ACTIVE  /nds-trees/ldap_tree/conf/nds.conf : .MYOESSERV.MYORG.LDAP_TREE. : 192.168.1.4@1524 : ACTIVE Enter [r] to refresh list, [1 - 2] for more options, [c] for creating a new instance or [q] to quit: 2
18. From this point, choose either 1 or 2, and this presents a new menu:
Instance at /nds-trees/ldap_tree/conf/nds.conf : [l] List the replicas on the server [s] Start the instance [k] Stop the instance [t] Run ndstrace [d] Deconfigure [b] Back to previous menu [q] Quit What do you want to do with this instance? [ Choose from above]:
If you choose any of these options, remember that they only apply to that instance or tree. If you stop eDirectory, the other tree remains functional!
1. Open a browser and enter the url for iManager on that server, i.e., http://myoesserv.mydomain.com/nps/iManager
Figure 1 – Opening iManager
Important: In the Tree field, enter the name of the server or the IP and make sure you put a colon and the NCP port you specified for the new tree (such as “:1524”).
Figure 2 – Accessing the tree
You still need to configure you RBS Collection for this tree so the objects get created properly – remember that you’re working with more than one tree on this server. And if you’re from the NetWare kernel world, like me, it takes a little getting used to.
The Part 2 article will explain how to use this new tree with IDM and then LDAP.
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.