Novell is now a part of Micro Focus

IDM 3.5 Synchronization to the Production Tree and Testing LDAP Searches

Novell Cool Solutions: AppNote
By Michael Faris

Digg This - Slashdot This

Posted: 2 May 2007


In Part 1 (Improved LDAP Search Tree for eDirectory 8.8 and IDM 3.5, Part 1), we built an additional eDirectory tree (LDAP_TREE) on the IDM Server. In Part 2 (Setting up eDirectory to eDirectory Drivers using Identity Manager 3.5), we synchronized the IDM_TREE to it for LDAP authentication using the eDirectory drivers.

In Part 3, we'll do the following things:

  • Create an eDirectory driver on the IDM_TREE and on the existing production tree (PROD_TREE).
  • Synchronize the eDirectory drivers and define the flow of data.
  • Test LDAP searches against the LDAP_TREE compared with the PROD_TREE and note the difference in response times, using an example Web-based PHP application. You'll be given the code for this as well.

Connecting the IDM_TREE to the PROD_TREE

In this section we will add a new eDirectory driver in order to for the IDM_TREE to connect to the PROD_TREE.

1. Log in to IDM_TREE using iManager.

Figure 1 - Identity Manager login

2. Expand the Identity Manager link and click on Identity Overview, search for the driver set.

3. Click the Add Driver button.

Figure 2 - New Driver wizard

4. Select the existing driver set and click Next.

Figure 3 - Selecting the existing driver set

5. From the drop-down list, select eDirectory driver.

6. Click Next.

7. Enter the parameter information, adjusting for your own needs.

Here's what I entered:

Driver name: eDir2eDir4Prod
Remote Host:
Remote Port: 9186
Data Flow: Subordinate - This means that that IDM_TREE will be "subordinate" to the PROD_TREE
Configuration Option:  Flat - I want all users and groups in a specific container.
Base Container: Users.vault - This is where the users currently reside in IDM_TREE
Password version: 2.0

8. Click Next.

9. Select the container where group objects reside (Groups.vault).

10. Click Next.

11. Select which objects are used for security equivalence for the driver (admin.vault).

12. Select which objects are to be "excluded" from the synchronization (admin.vault).

13. Click Finish.

Figure 4 - Finishing the driver set

Installing Identity Manager 3.5 on NetWare 6.5 w/ SP6

Because Identity Manager was already installed on the MYOESSERV (IDM) server and therefore installed for both of the trees in part 1 and 2, we didn't need to install it for the LDAP_TREE. However, all of the servers in the PROD_TREE are NetWare 6.x, and IDM is not installed; so we will have to install Identity Manager 3.5 in the PROD_TREE before we can proceed.

To determine which server you want to install Identity Manager 3.5 on, first read the prerequisites outlined in the documentation:

1. Once you have identified the server, mount the IDM 3.5 CD on the server.

2. Connect to the console and run "startx".

Figure 5 - Running "startx"

3. Click Novell and select Install.

4. When the list of installed products window appears, click Add.

5. Browse to the location of the install files for IDM 3.5.

Figure 6 - Finding the install files

6. Click OK.

The Identity Manager 3.5 Welcome screen will appear shortly.

Figure 7 - Welcome screen

7. Click Next.

8. Check "Agree" on the license agreement and scroll through the requirements screens.

Figure 8 - Requirements screens

9. Un-check Utilities. In this scenario, we only want the Tomcat plugins and the eDirectory related items.

10. Click Next.

11. Because we only want an eDirectory Driver, un-check all but eDirectory. If you plan on using other drivers in the future, check them also. It's not a big deal to have others, especially if you have licensed them already.

Figure 9 - Driver selection

12. Click Next.

13. Authenticate to the PROD_TREE using an administrative account (admin).

14. Click Next and verify the summary screen.

15. Once the install is complete, reset the server to start the Metadirectory engine.

16. Open a browser and log in to the PROD_TREE using iManager.

17. Use RBS Configuration to install your Identity Manager plugins.

18. Restart Tomcat.

Configuring Identity Manager 3.5 in a NetWare Environment

There's no difference, really, between this configuration and our previous one - we just need to create a new driver set.

1. Log in to the PROD_TREE using iManager.

2. Expand Identity Manager and select Identity Overview.

3. Start the Create New Driver wizard.

Figure 10 - Create New Driver wizard

4. Select the new driver set and click Next.

Figure 11 - Driver set selection

5. Give the driver set a name, a context where you want to place it, and a server where it will run.

6. Make sure "Create new partition" is checked, then click Next.

7. Continue as before to create the new driver set, then click Finish.

8. To add an eDirectory driver to the set, as in the IDM_TREE, you only need to change the following parameters:

Driver name: eDir2Vault
Remote Host:
Remote Port: 6819 - Reverse of IDM_PROD driver port.
Data Flow: Authoritative - This means that that PROD_TREE will be "Authoritative" to the IDM_TREE
Configuration Option:  Flat - I want all users and groups in a specific container.
Password version: 2.0
Choose your containers for users and groups accordingly.

9. Choose your Security Equivalence and Exclusions at this time. Remember to include any "system" type accounts you don't want replicated.

Figure 12 - Security Equivalence and Exclusions

10. Create the NDS-2-NDS Certificates as described in Part 2 for both the IDM_TREE and the PROD_TREE.

11. Create Password Policies in the PROD_TREE and enable Universal Password, if you have not previously done so. As mentioned previously, be sure to read Password Management Administration Guide - - before you enable UP.

12. Start the driver in both trees.

13. In the PROD_TREE, click the eDirectory driver and select Synchronize > Examine All.

This will start the users and groups from PROD_TREE to synchronize in the IDM_TREE and then in the LDAP_TREE. This is very quick, depending on how many users you have.

14. Create a test user ("atestusr"), give it an e-mail address, and set the password.

You can run a dstrace screen from any point in the replication process to see the progress.

Testing - All Together

1. Log in to the LDAP_TREE using iManager and browse the tree.

2. Find "atestusr" and select Modify User.

Figure 13 - Modifying "atestusr"

There it is, with all the data we put in it!

3. As before, attempt to login to the LDAP_TREE with iManager using this account. If you get a -669 error, the password did not sync, so you need to check your policies.

Testing LDAP Searches

I like using a web-type test for LDAP because it looks more impressive when you show it off!

1. Go to http:/localhost/ldapsearch

Figure 14 - Test IDM LDAP Tree screen

2. Click the link above and get the results.

3. If you want to test latency between trees, edit the source (provided below), change the LDAP server, and then run it again.

Figure 15 - LDAP Query test

You can manipulate the source to pull any attribute you wish.

Source for the Web Test

<html><body><a href="search.php">Test IDM LDAP Tree</a></body></html>"


<?php session_start();

echo "<h3>LDAP Query test</h3>";
echo "Connecting...";

include ('functions.php');





function LDAPConn_Bind($srv, $port, $LDAPUser, $LDAPPass)
  global $LDAPConn, $LDAPUser, $LDAPPass;

  $conn=ldap_connect($srv, $port);
  if (!$conn)
    die("Failed LDAP_Connect.<br />");
  echo "Connection Successful!";

  ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
  $r=@ldap_bind($conn, $LDAPUser, $LDAPPass);
  if (!$r)
    echo "LDAP Error: ", ldap_error($conn), "<br />\n";
    return false;
  $LDAPConn = $conn;
  return $conn;

function LDAPGetUser($conn)
  if (empty($conn)) return 2;
  $attrnames = array("cn", "surname", "mail");
  $results=ldap_search($conn, ' ', "(objectclass=user)", $attrnames);
  if ((!$results) or (empty($results))) return 3;

  $data = ldap_get_entries($conn, $results);
  for ($i=0; $i<$data["count"]; $i++) {
    echo "<p>";
    foreach($attrnames as $attrname) {
      if(isset($data[$i][$attrname])) {
        if(is_array($data[$i][$attrname])) {
          for ($j=0; $j<$data[$i][$attrname]["count"]; $j++) {
            echo $attrname." entry is: <b>". $data[$i][$attrname][$j] ."</b><br>";
        } else {
          echo $attrname." entry is:<b>". $data[$i][$attrname] ."</b><br>";
    echo "</p>";
  echo "Closing Connection<br />";


The beauty of Identity Manager the way Novell has created it, is that you can connect one system and then add additional systems to build a really efficient practical flow of data - without having a do-or-die approach to your organization's needs.

Here, we've started with one eDirectory tree and then added another. Later we could add Active Directory or Lotus Notes - whatever approach and pace we feel comfortable with. That's what I really like about this product .... And it's fun, too ...

Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions.

© Copyright Micro Focus or one of its affiliates