[389-users] Change name of server, admin-server no longer works

Rich Megginson rmeggins at redhat.com
Mon Aug 1 15:32:10 UTC 2011


On 08/01/2011 08:34 AM, Techie wrote:
> 2011/7/29 夜神 岩男<supergiantpotato at yahoo.co.jp>:
>> On 07/30/2011 05:17 AM, Techie wrote:
>>> 2011/7/29 夜神 岩男<supergiantpotato at yahoo.co.jp>:
>>>> On 07/29/2011 04:34 PM, Techie wrote:
>>>>> Hello,
>>>>>
>>>>> We were required to change the hostname of our LDAP server running
>>>>> 389-DS. Since that time the LDAP server runs fine but the admin server
>>>>> does not authenticate login any longer, meaning I cannot log into the
>>>>> admin server. What do I need to do to fix the admin server and change
>>>>> all references from the old host name to the new host name.
>>>> Just for clarity, what does "admin server" mean:
>>> The admin-server is the Java front end/interface that allows you to
>>> admin the server via http.
>>> So you connect like..
>>> http://myserver:9080
>>> Then you can admin the LDAP instance via GUI.
>>> LDAP works fine.. It is the Java admin-server that is broken. It is
>>> broken because the references under the config files under
>>> /etc/dirsrv/admin-serv are pointing to the incorrect host name. I am
>>> not sure if me simply changing all references to the new hostname will
>>> fix it.
>> Fixing the hostname references is part of it, and if you are using
>> certificates specific to the admin-server to authenticate then they need
>> to be updated/replaced as well to avoid things like instance/realm or
>> nss hostname check problems.
>>
>> The config files should contain lots of references to the old hostname
>> (unless a magical script fixed them when you weren't looking), and those
>> must be changed. Don't forget to look places like nss.conf, and weirder
>> areas like filenames of auth keys (and make sure to check silly spots
>> like hosts.conf to make sure NetworkManager or whatever didn't append
>> the new hostname in there somewhere (like an unused IPv6 line), or mix
>> and match old and new hostnames, as this can break random authentication
>> things related to Kerberos and NSS). Some files have hostname info
>> tagged at the end of them, and things that point to them must be lined up.
>>
>> I would start by walking myself back through manual setup steps as if I
>> were setting up admin-server on a new system to make sure I didn't miss
>> anything and then recreating my authentication keys if necessary.
>>
>> Fixing a partially broken authentication setup *sucks*. In situations
>> like that if the machine isn't the sole server (a slave is out there
>> somewhere), I'll just re-install the server packages to make sure
>> nothing is missed and then replicate back from the slave or a backup
>> because re-setting nitpicky manual setups without doing them 100% from
>> the beginning can be a real pain.
>>
>> -Iwao
>> --
>> 389 users mailing list
>> 389-users at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
> Is there any way I can fix the name of the Directory server and
> Admin-Server  by using setup-ds-admin.pl? I'd rather not blow things
> away and import the data.
You can't do it with setup-ds-admin.pl

You'll have to first do a search of the directory server for the old 
hostname

I suggest using mozldap ldapsearch because of the -T option to disable 
LDIF line wrapping.
/usr/lib64/mozldap/ldapsearch -T -b o=netscaperoot "objectclass=*" \* aci | grep oldhostname
and
/usr/lib64/mozldap/ldapsearch -T -b cn=config "objectclass=*" \* aci | grep oldhostname

If you have to use openldap ldapsearch, see 
http://richmegginson.livejournal.com/18726.html

You'll have to use ldapmodify to change attribute values to use the new 
hostname.

You'll also have to change /etc/dirsrv/admin-serv/adm.conf to use the 
new hostname.

Finally, see http://port389.org/wiki/DS_Admin_Migration#Note_about_hostnames
> Thanks
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
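
Added example, not part of the original post or of the 389 project's tooling: a Python helper that turns the unwrapped `ldapsearch -T` output from the searches above into `ldapmodify` input replacing the old hostname in attribute values, and lists entries whose DN contains the old name, since those need a rename rather than an attribute change. The hostnames, the sample entries and the function names are assumptions made for illustration.

```python
import base64
import re

# Constructed sample of unwrapped `ldapsearch -T` output; hostnames are placeholders.
SAMPLE = """\
version: 1
dn: cn=config
nsslapd-localhost: old.example.com

dn: cn=old.example.com,ou=example.com,o=NetscapeRoot
cn: old.example.com
serverHostName: old.example.com
description: gold.example.com is another host
"""

def parse_ldif(text):
    # Yield (dn, attr, value) from unwrapped LDIF, decoding "attr:: base64" values.
    dn = None
    for line in text.splitlines():
        name, sep, rest = line.partition(":")
        if not line.strip():
            dn = None  # a blank line ends the current entry
        elif sep and not line.startswith("#"):
            value = (base64.b64decode(rest[1:]).decode("utf-8", "replace")
                     if rest.startswith(":") else rest.strip())
            if name.lower() == "dn":
                dn = value
            elif dn is not None:  # skips preamble lines such as "version: 1"
                yield dn, name, value

def ldif_line(attr, value):  # base64-encode values that are not safe as plain LDIF
    plain = value.isascii() and value == value.strip() and "\n" not in value
    if plain and value[:1] not in (":", "<"):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode()).decode()}"

def build_changes(text, old, new):
    # Return (ldapmodify input, DNs that contain the old host and need a rename).
    pat = re.compile(rf"(?<![A-Za-z0-9-]){re.escape(old)}(?![A-Za-z0-9-])", re.I)
    recs, renames = {}, []
    for dn, attr, val in parse_ldif(text):
        if pat.search(dn) and dn not in renames:
            renames.append(dn)  # a DN change needs modrdn, not a modify
        rdn = dn.split(",", 1)[0].lower()
        if pat.search(val) and f"{attr}={val}".lower() != rdn:  # leave the naming value alone
            rec = recs.setdefault(dn, [ldif_line("dn", dn), "changetype: modify"])
            rec += [f"delete: {attr}", ldif_line(attr, val), "-",
                    f"add: {attr}", ldif_line(attr, pat.sub(lambda m: new, val)), "-"]
    return "\n\n".join("\n".join(r) for r in recs.values()) + "\n", renames
```

Read the generated change records before feeding them to `ldapmodify`, in particular any `aci` values, because a rewritten ACI changes who is granted access.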



