On 08/01/2011 08:34 AM, Techie wrote:
2011/7/29 夜神 岩男<supergiantpotato(a)yahoo.co.jp>:
> On 07/30/2011 05:17 AM, Techie wrote:
>> 2011/7/29 夜神 岩男<supergiantpotato(a)yahoo.co.jp>:
>>> On 07/29/2011 04:34 PM, Techie wrote:
>>>> Hello,
>>>>
>>>> We were required to change the hostname of our LDAP server running
>>>> 389-DS. Since that time the LDAP server runs fine but the admin server
>>>> does not authenticate login any longer, meaning i cannot log into the
>>>> admin server. What do I need to do to fix the admin server and change
>>>> all references from the old host name to the new host name.
>>> Just for clarity, what does "admin server" mean:
>> The admin-server is the Java front end/interface that allows you to
>> admin the server via http.
>> So you connect like..
>>
>> http://myserver:9080
>> Then you can admin the LDAP instance via GUI.
>> LDAP works fine.. It is the Java admin-server that is broken. It is
>> broken because the references under the config files under
>> /etc/dirsrv/admin-serv are pointing to the incorrect host name. I am
>> not sure if me simply changing all references to the new hostname will
>> fix it.
> Fixing the hostname references is part of it, and if you are using
> certificates specific to the admin-server to authenticate then they need
> to be updated/replaced as well to avoid things like instance/realm or
> nss hostname check problems.
>
> The config files should contain lots of references to the old hostname
> (unless a magical script fixed them when you weren't looking), and those
> must be changed. Don't forget to look places like nss.conf, and weirder
> areas like filenames of auth keys (and make sure to check silly spots
> like hosts.conf to make sure NetworkManager or whatever didn't append
> the new hostname in there somewhere (like an unused IPv6 line), or mix
> and match old and new hostnames, as this can break random authentication
> things related to Kerberos and NSS). Some files have hostname info
> tagged at the end of them, and things that point to them must be lined up.
>
> I would start by walking myself back through manual setup steps as if I
> were setting up admin-server on a new system to make sure I didn't miss
> anything and then recreating my authentication keys if necessary.
>
> Fixing a partially broken authentication setup *sucks*. In situations
> like that if the machine isn't the sole server (a slave is out there
> somewhere), I'll just re-install the server packages to make sure
> nothing is missed and then replicate back from the slave or a backup
> because re-setting nitpicky manual setups without doing them 100% from
> the beginning can be a real pain.
>
> -Iwao
> --
> 389 users mailing list
> 389-users(a)lists.fedoraproject.org
>
> https://admin.fedoraproject.org/mailman/listinfo/389-users
Is there any way I can fix the name of the Directory server and
Admin-Server by using setup-ds-admin.pl? I'd rather not blow things
away and import the data.

You can't do it with setup-ds-admin.pl
You'll have to first do a search of the directory server for the old
hostname
I suggest using mozldap ldapsearch because of the -T option to disable
LDIF line wrapping.
/usr/lib64/mozldap/ldapsearch -T -b o=netscaperoot "objectclass=*" \* aci | grep oldhostname
and
/usr/lib64/mozldap/ldapsearch -T -b cn=config "objectclass=*" \* aci | grep oldhostname
If you have to use openldap ldapsearch, see
http://richmegginson.livejournal.com/18726.html
You'll have to use ldapmodify to change attribute values to use the new
hostname.
You'll also have to change /etc/dirsrv/admin-serv/adm.conf to use the
new hostname.
Finally, see
http://port389.org/wiki/DS_Admin_Migration#Note_about_hostnames
Thanks
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
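The reply above says to dump o=netscaperoot and cn=config with ldapsearch -T, grep for the old hostname, and then fix each value with ldapmodify. The script below is an added example (not code from the thread, nor from the 389-DS project) of the middle step: it parses an LDIF dump into entries, finds every attribute value that contains the old hostname, and emits an ldapmodify change file. The hostnames, the sample LDIF, and the attribute names in it are constructed for illustration; it assumes the dump was produced with -T (no line wrapping), although it folds continuation lines anyway in case it was not.

```python
#!/usr/bin/env python3
"""Turn an ldapsearch LDIF dump into an ldapmodify change file that
rewrites an old hostname to a new one in attribute values.

Added example, not code from the thread or from the 389-DS project.
Assumes the dump came from ldapsearch -T (no line wrapping), though
continuation lines are folded anyway. Hostnames and the sample LDIF
are constructed for illustration.
"""
import base64
import re

OLD_HOST = "oldhostname.example.com"   # constructed placeholder
NEW_HOST = "newhostname.example.com"   # constructed placeholder

# Constructed sample dump shaped like o=NetscapeRoot and cn=config
# entries; one value is base64 ("::") encoded, as ldapsearch does for
# values that are not safe to print directly.
SAMPLE_B64_DESC = base64.b64encode(b"The host is oldhostname.example.com").decode()
SAMPLE_LDIF = f"""dn: cn=oldhostname.example.com,ou=example.com,o=NetscapeRoot
objectClass: top
objectClass: nsHost
serverHostName: oldhostname.example.com

dn: cn=slapd-example,cn=Server Group,cn=oldhostname.example.com,ou=example.com,o=NetscapeRoot
objectClass: top
nsHostLocation: OLDHOSTNAME.example.com
nsServerPort: 389
description:: {SAMPLE_B64_DESC}

dn: cn=config
cn: config
nsslapd-localhost: oldhostname.example.com
nsslapd-port: 389
aci: (targetattr="*")(version 3.0; acl "local"; allow (all) (dns="oldhostname.example.com");)
"""


def parse_ldif(text):
    """Parse LDIF into [{"dn": str, "attrs": [(name, value, is_b64)]}].

    Continuation lines (leading space) are folded into the line above
    first; values introduced by "::" are kept as base64 text and flagged.
    """
    folded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and folded:
            folded[-1] += raw[1:]
        else:
            folded.append(raw)
    entries, current = [], None
    for line in folded:
        if not line.strip():            # blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#") or (current is None and line.startswith("version:")):
            continue
        name, _, value = line.partition(":")
        is_b64 = value.startswith(":")
        value = value[1:].strip() if is_b64 else value.strip()
        if name.lower() == "dn":
            current = {"dn": decode_value(value, is_b64), "attrs": []}
        elif current is not None:
            current["attrs"].append((name, value, is_b64))
    if current:
        entries.append(current)
    return entries


def decode_value(value, is_b64):
    return base64.b64decode(value).decode("utf-8") if is_b64 else value


def encode_value(value, is_b64):
    return base64.b64encode(value.encode("utf-8")).decode() if is_b64 else value


def build_modify_ldif(entries, old_host, new_host):
    """Return (change_ldif, dns_to_rename).

    Each matching value becomes a delete-value/add-value pair, so other
    values of multi-valued attributes (aci, objectClass) survive; a bare
    "replace:" would drop them. Hostname matching is case-insensitive.
    Entries whose DN itself contains the old hostname are only reported:
    changing a DN is a modrdn (rename), not a modify.
    """
    pattern = re.compile(re.escape(old_host), re.IGNORECASE)
    blocks, to_rename = [], []
    for entry in entries:
        if pattern.search(entry["dn"]):
            to_rename.append(entry["dn"])
        changes = []
        for name, value, is_b64 in entry["attrs"]:
            plain = decode_value(value, is_b64)
            if not pattern.search(plain):
                continue
            sep = ":: " if is_b64 else ": "
            new_value = encode_value(pattern.sub(new_host, plain), is_b64)
            changes.append(f"delete: {name}\n{name}{sep}{value}\n-\n"
                           f"add: {name}\n{name}{sep}{new_value}\n-")
        if changes:
            blocks.append(f"dn: {entry['dn']}\nchangetype: modify\n" + "\n".join(changes))
    return "\n\n".join(blocks) + "\n", to_rename


if __name__ == "__main__":
    ldif, to_rename = build_modify_ldif(parse_ldif(SAMPLE_LDIF), OLD_HOST, NEW_HOST)
    print(ldif)                      # save this and feed it to: ldapmodify -f changes.ldif
    for dn in to_rename:
        print(f"# needs modrdn, not modify: {dn}")
```

Two design points worth noting: the delete/add pair per value is deliberate, because an aci attribute usually holds several values and a plain "replace:" would discard the ones that never mentioned the hostname; and entries whose DN is built from the hostname (the nsHost entry under o=NetscapeRoot, for instance) are listed rather than touched, since renaming them is a modrdn and is exactly the case the DS_Admin_Migration wiki note linked above is about. Review the generated file before running ldapmodify against the live server.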