Improved LDAP Search Tree for eDirectory 8.8 and IDM 3.5, Part 1

over 14 years ago

Part 1: Creating Multiple eDirectory Trees on a Single SLES Server with eDirectory 8.8.1



Introduction



Many applications use LDAP to authenticate against a common metadirectory. eDirectory is well suited to this role: it gives most third-party applications a single source of user accounts, which lowers administrative cost and effort. The drawback of LDAP searches against a large, well-designed eDirectory tree is latency, because a subtree search has to walk every sub-container before it finds a particular user.



I want to acknowledge my co-worker, Farley Russell, for giving me the idea for this article. We were faced with this same problem and came up with a really cool idea.



1. Using the OES Linux (eDirectory 8.8.1) server that hosts our Identity Manager Vault, create another eDirectory instance (tree).



2. Create an eDirectory driver on both "trees" and populate the new tree with just user and group accounts in a single container, thus creating a "flat" tree.



3. Set up account synchronization so when a new user is created/deleted/modified in our primary eDirectory tree, the changes are forwarded to the new tree through Identity Manager.



4. Use the new tree for all applications needing to utilize LDAP for authentication.



Since this is a multi-segmented project, I have broken it down into installments:



  • Part 1: Creating Multiple eDirectory Trees on a Single SLES Server with eDirectory 8.8.1

  • Part 2: Setting up eDirectory to eDirectory Drivers using Identity Manager 3.5


Prerequisites



  • OES (Linux) SP2

  • eDirectory 8.8.1

  • Identity Manager v3.5


Refer to the README for eDirectory 8.8.1 for issues on upgrading:

http://www.novell.com/documentation/edir88/readme/readme.txt



Note: Multiple eDirectory trees on a single host are only available on Linux and Unix.



Procedure



1. Log in to the server command line where you want to create a second tree.



2. Switch to root for this installation.



The eDirectory command-line tools are located in the /opt/novell/eDirectory/bin directory and are not in the path by default.



3. Type the following command to place them in the path for this session:



myoesserv:~ # . /opt/novell/eDirectory/bin/ndspath


Important: Make sure you type a dot and a space before the "/". The dot sources ndspath into your current shell, so the PATH change applies to this session; running it as an ordinary script would only change the path of a child shell that exits immediately.



Now you can type the other commands without typing the full path.



4. Create a directory where you want to store the files associated with your new tree.



myoesserv:~ # mkdir /nds-trees

myoesserv:~ # ndsmanage

Instances management utility for Novell eDirectory 8.8 SP 1 v2

The following are the instances configured by root

[1] /etc/opt/novell/eDirectory/conf/nds.conf :
.MYOESSERV.VAULT.IDM_TREE. : 192.168.1.4@524 : ACTIVE

Enter [r] to refresh list, [1] for more options,
[c] for creating a new instance or [q] to quit: c


5. Type "c" to create.



	You have opted to create a new instance of eDirectory. Ensure 
that you have all the configuration planned before you
proceed further. (Refer to the eDirectory Installation
Guide for more information on the configuration.)

If you choose to continue and if you are unsure of any
of the configuration values, please abort and use the
ndsconfig utility to create the new instance.

Do you want to continue? (y or [n]): y


6. Type "y".



	Create a new tree ? (y or [n]): y


7. Type "y".



	Choose a tree name that can be unique in the network.

TREE NAME: ldap_tree


8. Enter the name of your new tree.



Server name is the representation of this instance's server
object in the eDirectory tree. [Ex: myoesserv-root-2]

SERVER NAME: myoesserv


9. Enter the server name.



	Server context is the Fully Distinguished Name (FDN) of the
container under which the server object resides.
[Ex: ou=servers.o=myorg]

SERVER CONTEXT: o=myorg


10. Enter the context where you want the server object to be placed in the new tree.



	You need the credentials of a user in the tree for
configuring the server. (Refer to the eDirectory
Administration Guide for the effective rights required
for such a user). [Ex: cn=admin.ou=users.o=myorg]

ADMIN USER: cn=admin.o=myorg


11. Enter the admin user FDN for the new tree. This ID will be created during the install.



	NCP Port number to listen on: 1524


Enter the port for NCP (not 524; it's being used by your first tree).



Tip: I know that I will never have more than 5 trees on a given server, so I place a number before the traditional port number, i.e., 1524 for the second tree, 2524 for the third, etc.



	Please specify the absolute location for this instance of
eDirectory. The dib,log files and nds.conf go into
this directory. [Ex: /home/root/instance2/]

Instance location: /nds-trees/ldap_tree/


12. For the location of the eDirectory files for this new tree, enter a subdirectory of the directory created earlier. I named the folder after the tree so that later I can tell at a glance which tree is stored in which directory.



	Please specify the absolute location and filename of the
configuration file. [Ex: /home/root/instance2/nds.conf]

Configuration file: /nds-trees/ldap_tree/conf/nds.conf


13. Enter the same path, with the subdirectory and filename for the configuration file appended. Make sure you include the filename itself, not just the directory.



	Enter the password for cn=admin.o=myorg:
Re-enter the password for cn=admin.o=myorg:


14. Give the admin a password.



	Configuring the NDAP interfaces... Done
Configuring the LDAP interfaces...
INFO: Port "389" is already in use on "all" network interface(s)
Please enter a valid LDAP TCP port: 1389


15. Choose a different port for non-SSL LDAP. Keep in mind that simple binds over this port send the password in the clear, so point applications at the SSL port chosen in the next step (or have them use StartTLS) rather than at this one.



	Configuring the LDAP interfaces...
INFO: Port "636" is already in use on "all" network
interface(s)
Please enter a valid LDAP SSL port: 1636


16. Choose a different port for LDAP SSL.



	Configuring the HTTP interfaces...
INFO: Port "8028" is already in use on "192.168.1.4" network
interface(s)
Enter a port no. [Range: 1 - 65535]: 18028

INFO: Port "8030" is already in use on "192.168.1.4" network
interface(s)
Enter a port no. [Range: 1 - 65535]: 18030


At this point ndsmanage hands off to ndsconfig, which creates and starts your new instance of eDirectory. You can run ndsconfig directly instead, but then you have to pass most of the values entered above on the command line; I prefer ndsmanage because there is less chance of a typo.



17. When it's complete, type ndsmanage again and see the instances listed and their status:



	Instances management utility for Novell eDirectory 8.8 SP 1 v2

The following are the instances configured by root

[1] /etc/opt/novell/eDirectory/conf/nds.conf :
.MYOESSERV.VAULT.IDM_TREE. : 192.168.1.4@524 : ACTIVE

[2] /nds-trees/ldap_tree/conf/nds.conf :
.MYOESSERV.MYORG.LDAP_TREE. : 192.168.1.4@1524 : ACTIVE

Enter [r] to refresh list, [1 - 2] for more options,
[c] for creating a new instance or [q] to quit: 2


18. From this point, choose either 1 or 2, and this presents a new menu:



	Instance at  /nds-trees/ldap_tree/conf/nds.conf :

[l] List the replicas on the server
[s] Start the instance
[k] Stop the instance
[t] Run ndstrace
[d] Deconfigure
[b] Back to previous menu
[q] Quit

What do you want to do with this instance? [ Choose from above]:


Whichever option you choose, remember that it applies only to that instance (tree). If you stop one instance, the other tree keeps running!
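ndsmanage only tells you that a port is taken once you reach that prompt (as the "Port 389 is already in use" messages above show), so it helps to know beforehand which ports the first tree already holds. The following script is an added example written for this article; it is not part of eDirectory, ndsmanage or ndsconfig. It derives the port set for instance N using the digit-prefix tip from step 11, parses the listening sockets from `ss -ltn` (or `netstat -ltn`) output, and reports conflicts. The function names and the embedded sample socket listing are constructed for the example, not captured from a real server.

```shell
#!/bin/sh
# Pre-flight port check for an additional eDirectory instance.
# Added example written for this article; it is not part of eDirectory,
# ndsmanage or ndsconfig. The port scheme follows the article's tip of
# putting the instance number in front of the standard port (1524, 1389,
# 1636, 18028, 18030 for the second tree). The function names and the
# sample socket listing below are this example's own constructions.

PORT_NAMES="ncp ldap ldaps http https"

# port_base NAME: eDirectory's default port for the first instance.
port_base() {
    case "$1" in
        ncp)   echo 524 ;;
        ldap)  echo 389 ;;
        ldaps) echo 636 ;;
        http)  echo 8028 ;;
        https) echo 8030 ;;
        *)     return 1 ;;
    esac
}

# planned_port NAME N: port for service NAME of instance N. N=0 is the
# first tree and keeps the default; N>=1 is written in front of the default
# as a digit, exactly as in the article. Fails when the result exceeds
# 65535, which happens to the http/https ports from N=6 on.
planned_port() {
    case "$2" in ''|*[!0-9]*) return 1 ;; esac
    base=$(port_base "$1") || return 1
    if [ "$2" -eq 0 ]; then port=$base; else port="$2$base"; fi
    [ "$port" -le 65535 ] || return 1
    echo "$port"
}

# listening_ports: TCP ports in LISTEN state, one per line, parsed from
# `ss -ltn` or `netstat -ltn` output on stdin. Both print the local
# address in field 4 with the port after the last colon; header lines
# have no numeric port there and drop out.
listening_ports() {
    awk '{ n = split($4, a, ":"); p = a[n]; if (p ~ /^[0-9]+$/) print p }' | sort -un
}

# check_instance N: print the port plan for instance N, marking ports that
# are already bound according to the listing on stdin. Returns 0 only if
# every planned port is free and within range.
check_instance() {
    inuse=$(listening_ports)
    rc=0
    for name in $PORT_NAMES; do
        if port=$(planned_port "$name" "$1"); then
            if printf '%s\n' "$inuse" | grep -qx "$port"; then
                echo "$name $port IN USE"; rc=1
            else
                echo "$name $port free"
            fi
        else
            echo "$name (instance $1) out of range"; rc=1
        fi
    done
    return $rc
}

# Constructed sample of `ss -ltn` output (not captured from a real host):
# the first tree is up on the default ports and sshd listens on 22.
SAMPLE_LISTING='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     0.0.0.0:524          0.0.0.0:*
LISTEN  0       128     0.0.0.0:389          0.0.0.0:*
LISTEN  0       128     0.0.0.0:636          0.0.0.0:*
LISTEN  0       128     192.168.1.4:8028     0.0.0.0:*
LISTEN  0       128     192.168.1.4:8030     0.0.0.0:*'

# Demo against the sample. On a real server feed the live listing instead:
#   ss -ltn | check_instance 1
echo "## instance 0 (the defaults; all taken by the first tree)"
echo "$SAMPLE_LISTING" | check_instance 0 || echo "## conflicts found, as expected"
echo "## instance 1 (second tree)"
echo "$SAMPLE_LISTING" | check_instance 1 && echo "## all free, safe to run ndsmanage"
```

Run the check for the instance number you are about to create before you start ndsmanage, and run it again afterwards with the new instance up to confirm each listener bound where you expected. The range check is worth keeping even if you never plan more than five trees: the prefix scheme quietly produces 68028 and 68030 for the sixth additional instance, which is above the 65535 limit.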



Checking iManager.



1. Open a browser and enter the url for iManager on that server, i.e., http://myoesserv.mydomain.com/nps/iManager





Figure 1 - Opening iManager



Important: In the Tree field, enter the name of the server or the IP and make sure you put a colon and the NCP port you specified for the new tree (such as ":1524").





Figure 2 - Accessing the tree



You still need to configure your RBS collection for this tree so that the objects get created properly; remember that you are now working with more than one tree on this server. And if you're from the NetWare kernel world, like me, it takes a little getting used to.






The Part 2 article will explain how to use this new tree with IDM and then LDAP.
