Thanks Rich, that is what I was looking for. Jimmy On Mon, Aug 1, 2011 at 8:32 AM, Rich Megginson <rmeggins@xxxxxxxxxx> wrote: > On 08/01/2011 08:34 AM, Techie wrote: >> >> 2011/7/29 夜神 岩男<supergiantpotato@xxxxxxxxxxx>: >>> >>> On 07/30/2011 05:17 AM, Techie wrote: >>>> >>>> 2011/7/29 夜神 岩男<supergiantpotato@xxxxxxxxxxx>: >>>>> >>>>> On 07/29/2011 04:34 PM, Techie wrote: >>>>>> >>>>>> Hello, >>>>>> >>>>>> We were required to change the hostname of our LDAP server running >>>>>> 389-DS. Since that time the LDAP server runs fine but the admin server >>>>>> does not authenticate login any longer, meaning i cannot log into the >>>>>> admin server. What do I need to do to fix the admin server and change >>>>>> all references from the old host name to the new host name. >>>>> >>>>> Just for clarity, what does "admin server" mean: >>>> >>>> The admin-server is the Java front end/interface that allows you to >>>> admin the server via http. >>>> So you connect like.. >>>> http://myserver:9080 >>>> Then you can admin the LDAP instance via GUI. >>>> LDAP works fine.. It is the Java admin-server that is broken. It is >>>> broken because hte references under the config files under >>>> /etc/dirsrv/admin-serv are pointing to the incorrect host name. I am >>>> not sure if me simply changing all references to the new hostname will >>>> fix it. >>> >>> Fixing the hostname references is part of it, and if you are using >>> certificates specific to the admin-server to authenticate then they need >>> to be updated/replaced as well to avoid things like instance/realm or >>> nss hostname check problems. >>> >>> The config files should contain lots of references to the old hostname >>> (unless a magical script fixed them when you weren't looking), and those >>> must be changed. Don't forget to look places like nss.conf, and weirder >>> areas like filnames of auth keys (and make sure to check silly spots >>> like hosts.conf to make sure NetworkManager or whatever didn't append >>> the new hostname in there somewhere (like an unused IPv6 line), or mix >>> and match old and new hostnames, as this can break random authentication >>> things related to Kerberos and NSS). Some files have hostname info >>> tagged at the end of them, and things that point to them must be lined >>> up. >>> >>> I would start by walking myself back through manual setup steps as if I >>> were setting up admin-server on a new system to make sure I didn't miss >>> anything and then recreating my authentication keys if necessary. >>> >>> Fixing a partially broken authentication setup *sucks*. In situations >>> like that if the machine isn't the sole server (a slave is out there >>> somewhere), I'll just re-install the server packages to make sure >>> nothing is missed and then replicate back from the slave or a backup >>> because re-setting nitpicky manual setups without doing them 100% from >>> the beginning can be a real pain. >>> >>> -Iwao >>> -- >>> 389 users mailing list >>> 389-users@xxxxxxxxxxxxxxxxxxxxxxx >>> https://admin.fedoraproject.org/mailman/listinfo/389-users >> >> Is there any way I can fix the name of the Directory server and >> Admin-Server by using setup-ds-admin.pl? I'd rather not blow things >> away and import the data. > > You can't do it with setup-ds-admin.pl > > You'll have to first do a search of the directory server for the old > hostname > > I suggest using mozldap ldapsearch because of the -T option to disable LDIF > line wrapping. > /usr/lib64/mozldap/ldapsearch -T -b o=netscaperoot "objectclass=*" \* aci | > grep oldhostname > and > /usr/lib64/mozldap/ldapsearch -T -b cn=config "objectclass=*" \* aci | grep > oldhostname > > If you have to use openldap ldapsearch, see > http://richmegginson.livejournal.com/18726.html > > You'll have to use ldapmodify to change attribute values to use the new > hostname. > > You'll also have to change /etc/dirsrv/admin-serv/adm.conf to use the new > hostname. > > Finally, see http://port389.org/wiki/DS_Admin_Migration#Note_about_hostnames >> >> Thanks >> -- >> 389 users mailing list >> 389-users@xxxxxxxxxxxxxxxxxxxxxxx >> https://admin.fedoraproject.org/mailman/listinfo/389-users > > -- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users
