On 08/01/2011 08:34 AM, Techie wrote: > 2011/7/29 夜神 岩男<supergiantpotato@xxxxxxxxxxx>: >> On 07/30/2011 05:17 AM, Techie wrote: >>> 2011/7/29 夜神 岩男<supergiantpotato@xxxxxxxxxxx>: >>>> On 07/29/2011 04:34 PM, Techie wrote: >>>>> Hello, >>>>> >>>>> We were required to change the hostname of our LDAP server running >>>>> 389-DS. Since that time the LDAP server runs fine but the admin server >>>>> does not authenticate login any longer, meaning i cannot log into the >>>>> admin server. What do I need to do to fix the admin server and change >>>>> all references from the old host name to the new host name. >>>> Just for clarity, what does "admin server" mean: >>> The admin-server is the Java front end/interface that allows you to >>> admin the server via http. >>> So you connect like.. >>> http://myserver:9080 >>> Then you can admin the LDAP instance via GUI. >>> LDAP works fine.. It is the Java admin-server that is broken. It is >>> broken because hte references under the config files under >>> /etc/dirsrv/admin-serv are pointing to the incorrect host name. I am >>> not sure if me simply changing all references to the new hostname will >>> fix it. >> Fixing the hostname references is part of it, and if you are using >> certificates specific to the admin-server to authenticate then they need >> to be updated/replaced as well to avoid things like instance/realm or >> nss hostname check problems. >> >> The config files should contain lots of references to the old hostname >> (unless a magical script fixed them when you weren't looking), and those >> must be changed. Don't forget to look places like nss.conf, and weirder >> areas like filnames of auth keys (and make sure to check silly spots >> like hosts.conf to make sure NetworkManager or whatever didn't append >> the new hostname in there somewhere (like an unused IPv6 line), or mix >> and match old and new hostnames, as this can break random authentication >> things related to Kerberos and NSS). Some files have hostname info >> tagged at the end of them, and things that point to them must be lined up. >> >> I would start by walking myself back through manual setup steps as if I >> were setting up admin-server on a new system to make sure I didn't miss >> anything and then recreating my authentication keys if necessary. >> >> Fixing a partially broken authentication setup *sucks*. In situations >> like that if the machine isn't the sole server (a slave is out there >> somewhere), I'll just re-install the server packages to make sure >> nothing is missed and then replicate back from the slave or a backup >> because re-setting nitpicky manual setups without doing them 100% from >> the beginning can be a real pain. >> >> -Iwao >> -- >> 389 users mailing list >> 389-users@xxxxxxxxxxxxxxxxxxxxxxx >> https://admin.fedoraproject.org/mailman/listinfo/389-users > Is there any way I can fix the name of the Directory server and > Admin-Server by using setup-ds-admin.pl? I'd rather not blow things > away and import the data. You can't do it with setup-ds-admin.pl You'll have to first do a search of the directory server for the old hostname I suggest using mozldap ldapsearch because of the -T option to disable LDIF line wrapping. /usr/lib64/mozldap/ldapsearch -T -b o=netscaperoot "objectclass=*" \* aci | grep oldhostname and /usr/lib64/mozldap/ldapsearch -T -b cn=config "objectclass=*" \* aci | grep oldhostname If you have to use openldap ldapsearch, see http://richmegginson.livejournal.com/18726.html You'll have to use ldapmodify to change attribute values to use the new hostname. You'll also have to change /etc/dirsrv/admin-serv/adm.conf to use the new hostname. Finally, see http://port389.org/wiki/DS_Admin_Migration#Note_about_hostnames > Thanks > -- > 389 users mailing list > 389-users@xxxxxxxxxxxxxxxxxxxxxxx > https://admin.fedoraproject.org/mailman/listinfo/389-users -- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users
