VNX: How to configure LDAP multidomains with different OU for each ldap domain
Summary: VNX supports multiple LDAP domains for uid/gid/netgroup resolution per VDM.
Instructions
There are situations where customers may want to choose different LDAP domains or LDAP subdomains for uid/gid/netgroup resolution.
Consider a domain structure like this:
Root Domain : root.domain.com
Multiple subdomains, or different domains altogether
Sub Domains:
prod.root.domain.com LDAP server : 10.x.x.1
dev.root.domain.com LDAP server : 10.x.x.2
sales.root.domain.com LDAP server : 10.x.x.3
The LDAP configuration is done at the Data Mover level, and the NS domain is configured at the VDM level.
In the above case the configuration is done in the following way:
Step 1 : Create the domain-specific ldap.<domain>.conf files at the root of the VDM
In the above example we have three subdomains: prod, dev, sales
so we create three ldap.<domain>.conf files
vi ldap.prod.conf
Add the following entries:
nss_base_passwd dc=prod,dc=root,dc=domain,dc=com?sub
nss_base_group dc=prod,dc=root,dc=domain,dc=com?sub
nss_base_hosts dc=prod,dc=root,dc=domain,dc=com?sub
nss_base_netgroup dc=prod,dc=root,dc=domain,dc=com?sub
Similarly, create additional files for the other domains: ldap.dev.conf and ldap.sales.conf
ldap.dev.conf:
nss_base_passwd dc=dev,dc=root,dc=domain,dc=com?sub
nss_base_group dc=dev,dc=root,dc=domain,dc=com?sub
nss_base_hosts dc=dev,dc=root,dc=domain,dc=com?sub
nss_base_netgroup dc=dev,dc=root,dc=domain,dc=com?sub
ldap.sales.conf:
nss_base_passwd dc=sales,dc=root,dc=domain,dc=com?sub
nss_base_group dc=sales,dc=root,dc=domain,dc=com?sub
nss_base_hosts dc=sales,dc=root,dc=domain,dc=com?sub
nss_base_netgroup dc=sales,dc=root,dc=domain,dc=com?sub
Step 2 : Upload the ldap configuration files
$ server_file server_x -put ldap.prod.conf ldap.prod.conf
$ server_file server_x -put ldap.dev.conf ldap.dev.conf
$ server_file server_x -put ldap.sales.conf ldap.sales.conf
Step 3: Add the LDAP servers configuration :
$ server_ldap server_2 -add -p -basedn dc=prod,dc=root,dc=domain,dc=com -servers 10.x.x.1 -binddn cn=admin,dc=prod,dc=root,dc=domain,dc=com -file ldap.prod.conf
$ server_ldap server_2 -add -p -basedn dc=dev,dc=root,dc=domain,dc=com -servers 10.x.x.2 -binddn cn=admin,dc=dev,dc=root,dc=domain,dc=com -file ldap.dev.conf
$ server_ldap server_2 -add -p -basedn dc=sales,dc=root,dc=domain,dc=com -servers 10.x.x.3 -binddn cn=admin,dc=sales,dc=root,dc=domain,dc=com -file ldap.sales.conf
Step 4: Configure the nsdomains for each VDM
Assuming a VDM has been configured for each domain, named vdm_prod, vdm_dev and vdm_sales:
$ server_nsdomains vdm_prod -set -resolver LDAP='dc=prod,dc=root,dc=domain,dc=com'
$ server_nsdomains vdm_dev -set -resolver LDAP='dc=dev,dc=root,dc=domain,dc=com'
$ server_nsdomains vdm_sales -set -resolver LDAP='dc=sales,dc=root,dc=domain,dc=com'
Step 5: Verify the lookups
$ server_ldap vdm_prod -lookup -user <username>
$ server_ldap vdm_dev -lookup -user <username>
$ server_ldap vdm_sales -lookup -user <username>
$ server_ldap vdm_prod -lookup -group <groupname>
$ server_ldap vdm_dev -lookup -group <groupname>
$ server_ldap vdm_sales -lookup -group <groupname>
$ server_ldap vdm_prod -lookup -netgroup <netgroupname>
$ server_ldap vdm_dev -lookup -netgroup <netgroupname>
$ server_ldap vdm_sales -lookup -netgroup <netgroupname>
More information on the -file option can be found in "man server_ldap":
{-file <file_name>}
Allows to specify a LDAP configuration file per domain:
* The various LDAP domains may have different schemas
(OpenLDAP, IdMU, and so on) or different customizations
(non-standard containers).
* All LDAP domains can share the same /.etc/ldap.conf setup
file or even no file if all the domains comply with the RFC2307.
* The configuration files must be put in /.etc using server_file.
In order to prevent collisions with other system files, it is
required that the LDAP configuration is prefixed by "ldap"
and suffixed by ".conf", i.e. "ldap<anything>.conf".
* The default value of the -file option is "ldap.conf".
* server_ldap -service -status lists all the configured domains,
and their configuration source (default, file or profile). Several
LDAP domains can be configured using the same LDAP
configuration file.
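An added example, not part of the Dell article or the VNX tooling: a shell helper for the Control Station that generates the Step 1 files from the domain names and checks them against the "ldap<anything>.conf" naming rule and the intended base DN before upload. The function names are hypothetical, and the file label is assumed to be the first component of the domain name, as in the article.

```shell
# Added example: build and check per-domain ldap<anything>.conf files before
# uploading them with server_file. All function names here are hypothetical.

# prod.root.domain.com -> dc=prod,dc=root,dc=domain,dc=com
domain_to_dn() {
    printf '%s\n' "$1" | sed -e 's/^/dc=/' -e 's/\./,dc=/g'
}

# Accept only a well-formed dc=...,dc=... DN (rejects typos such as dc=dc=dev).
valid_dc_dn() {
    printf '%s\n' "$1" | grep -Eq '^dc=[A-Za-z0-9-]+(,dc=[A-Za-z0-9-]+)*$'
}

# The man page requires ldap<anything>.conf; a path component is refused.
valid_conf_name() {
    case "$1" in
        */*) return 1 ;;
        ldap*.conf) return 0 ;;
        *) return 1 ;;
    esac
}

# Write the four nss_base_* entries for one domain into ldap.<label>.conf
# and print the file name. Label = first component of the domain (assumption).
gen_ldap_conf() {
    domain=$1 outdir=${2:-.}
    label=${domain%%.*}
    file="ldap.$label.conf"
    dn=$(domain_to_dn "$domain")
    valid_conf_name "$file" && valid_dc_dn "$dn" || return 1
    for map in passwd group hosts netgroup; do
        printf 'nss_base_%s %s?sub\n' "$map" "$dn"
    done > "$outdir/$file"
    printf '%s\n' "$file"
}

# Fail unless the file has exactly four nss_base_* lines, all scoped to basedn.
check_conf() {
    file=$1 basedn=$2
    valid_dc_dn "$basedn" || return 1
    awk -v want="$basedn?sub" '
        /^nss_base_/ { n++; if ($2 != want) bad++ }
        END { exit (n == 4 && bad == 0) ? 0 : 1 }' "$file"
}
```

Running check_conf with the same DN that is passed to server_ldap -basedn catches a file whose search base points at a different domain than the VDM is meant to resolve against.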
Configure an ldap.conf with a meaningful name for each VDM on the root of the DM, with the appropriate entries and the search scope.
The bare minimum entries for an ldap.conf are:
nss_base_passwd dc=ldap1,dc=local?sub
nss_base_group dc=ldap1,dc=local?sub
nss_base_hosts dc=ldap1,dc=local?sub
nss_base_netgroup dc=ldap1,dc=local?sub
If using IDMU or SFU, additional mapping attributes may be required.
For IDMU the following are required:
# Objects
nss_map_objectclass posixAccount User
nss_map_objectclass posixGroup Group
nss_map_objectclass ipHost Computer
# Attributes
nss_map_attribute userPassword unixUserPassword
nss_map_attribute homeDirectory unixHomeDirectory
For SFU:
# Objects
nss_map_objectclass posixAccount User
nss_map_objectclass posixGroup Group
nss_map_objectclass ipHost Computer
# Attributes
nss_map_attribute uid msSFU30Name
nss_map_attribute userPassword msSFU30Password
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute gecos msSFU30Gecos
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
#
nss_map_attribute memberUid msSFU30MemberUid
nss_map_attribute ipHostNumber msSFU30IpHostNumber
Products
VNX1 Series, VNX2 Series
Article Properties
Article Number: 000022751
Article Type: How To
Last Modified: 07 Nov 2025
Version: 3