Is it possible to put a BM3.8 in a DMZ zone (behind Netscreen) in its
own NDS tree (DMZ_TREE) and, for Client VPN, let it get the users'
credentials from the live tree from servers on the LAN, probably by
LDAP lookup to LAN_TREE?

So VPN clients would connect through the Netscreen firewall to the BM3.8
in the DMZ, which gets authentication info via LDAP for this VPN user from
a live LDAP server in the LAN, and then gives the VPN client
limited/controlled access to certain machines in the LAN.

This might look complicated, but the idea is not to have a replica of
the live tree in the DMZ.
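Whatever BM3.8 itself can do, the design above only holds if the firewall between the zones permits exactly three kinds of traffic: VPN clients to the DMZ BorderManager (IKE/IPsec), the DMZ BorderManager to the LAN LDAP server (389/636), and authenticated VPN clients to the selected LAN hosts. The policy model below is an added example written for this post, not a Netscreen or BorderManager configuration and not the poster's setup; all addresses, the VPN address pool and the allowed LAN ports are constructed assumptions. It encodes that rule set with first-match, default-deny semantics and includes a check that lists every path into the LAN the policy opens, which is the review a practitioner would want before trusting that no tree replica and no direct client-to-LDAP path exists.

```python
"""Policy model for the DMZ-BorderManager / LAN-LDAP design discussed above.
Added example: all addresses and ports other than IKE/ESP/LDAP are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Optional, Tuple, List

# Constructed addressing (assumption, not from the post)
UNTRUST = ip_network("0.0.0.0/0")               # anything reaching the Netscreen from outside
DMZ_BM = ip_network("192.0.2.10/32")             # BM3.8 in the DMZ (DMZ_TREE)
LAN_LDAP = ip_network("10.0.0.5/32")             # LAN server holding LAN_TREE, LDAP enabled
LAN_ALLOWED = (ip_network("10.0.0.20/32"),       # the "certain machines" VPN users may reach
               ip_network("10.0.0.21/32"))
LAN = ip_network("10.0.0.0/24")
VPN_POOL = ip_network("172.16.0.0/24")           # addresses handed to authenticated VPN clients


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                 # "udp", "tcp" or "esp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: Tuple[IPv4Network, ...]
    proto: str
    dports: frozenset          # empty set means "any port" (used for ESP, which has none)


# The three permitted traffic classes; everything else is denied.
POLICY: List[Rule] = [
    Rule("ike-to-bm", UNTRUST, (DMZ_BM,), "udp", frozenset({500, 4500})),    # IKE / NAT-T
    Rule("esp-to-bm", UNTRUST, (DMZ_BM,), "esp", frozenset()),               # IPsec payload
    Rule("bm-ldap-to-lan", DMZ_BM, (LAN_LDAP,), "tcp", frozenset({389, 636})),  # credential lookup
    Rule("vpn-to-allowed-lan", VPN_POOL, LAN_ALLOWED, "tcp", frozenset({22, 443})),  # constructed ports
]


def permitted(flow: Flow, policy: List[Rule] = POLICY) -> Optional[str]:
    """Return the name of the first rule matching the flow, or None for default deny."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    for rule in policy:
        if src not in rule.src:
            continue
        if not any(dst in net for net in rule.dst):
            continue
        if flow.proto != rule.proto:
            continue
        if rule.dports and flow.dport not in rule.dports:
            continue
        return rule.name
    return None


def lan_exposure(policy: List[Rule] = POLICY) -> List[Tuple[str, str, Optional[int]]]:
    """List every (rule, LAN destination, port) the policy opens from a non-LAN source.

    Reviewing this list is how you confirm the LAN tree is reachable only by the DMZ
    BorderManager on LDAP ports and by VPN clients on the allowed hosts and ports."""
    exposure = []
    for rule in policy:
        if rule.src.subnet_of(LAN):
            continue
        for net in rule.dst:
            if not net.subnet_of(LAN):
                continue
            ports = sorted(rule.dports) or [None]
            for port in ports:
                exposure.append((rule.name, str(net), port))
    return exposure


if __name__ == "__main__":
    print(permitted(Flow("203.0.113.7", "192.0.2.10", "udp", 500)))   # ike-to-bm
    print(permitted(Flow("172.16.0.9", "10.0.0.5", "tcp", 389)))      # None: clients never talk LDAP
    for entry in lan_exposure():
        print(entry)
```

The useful property of the model is the default deny: a VPN client that bypasses BorderManager and tries to reach the LAN LDAP server directly gets no matching rule, and the same is true for any outside host trying to reach an allowed LAN machine without first terminating a tunnel in the DMZ.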