Bug 2127795

Cockpit uses LDAPI to connect to DS, so if you change the directory manager(rootdn) DN from "cn=directory manager" to something else you also need to update the LDAPi configuration:

Example: 

# dsconf slapd-localhost config replace nsslapd-ldapimaprootdn="cn=dirmgr"

As for cockpit it should not crash, but if you change the root DN's DN, then you must update the LDAPI config.

Filxed upstream ticket:

https://github.com/389ds/389-ds-base/issues/5453

The ticket will fix the crash in the UI, and set nsslapd-ldapimaprootdn automatically for you when using dsconf to change the root DN.

Fixed upstream moving to POST

Build tested:
389-ds-base-1.4.3.32-4.module+el8dsrv+17818+dcb7ba9a.x86_64
cockpit-389-ds-1.4.3.32-4.module+el8dsrv+17818+dcb7ba9a.noarch

# dsconf -D cn=Directory\ Manager ldap://localhost config replace nsslapd-rootdn="cn=admin"
Enter password for cn=Directory Manager on ldap://localhost:
Successfully replaced "nsslapd-rootdn"
Successfully replaced "nsslapd-ldapimaprootdn"

LDAPI Map To Root DN is replaced when Root DN is changed via dsconf. WebUI is accessible and doesn't crash.

But changing just nsslapd-ldapimaprootdn doesn't replace nsslapd-rootdn:
dsconf -D cn=Directory\ Manager ldap://localhost config replace nsslapd-ldapimaprootdn="cn=admin"
Enter password for cn=Directory Manager on ldap://localhost:
Successfully replaced "nsslapd-ldapimaprootdn"

And WebUI prints an error:
Problem accessing required server configuration. Check LDAPI is properly configured for the current Root DN (nsslapd-rootdn & nsslapd-ldapimaprootdn).


Questions:
[1] Should dsconf automatically replace nsslapd-rootdn when nsslapd-ldapimaprootdn is changed?
[2] Is there a valid use case when both can have different values? If no, do we need to keep these values separate at all? Can we make nsslapd-ldapimaprootdn an alias to nsslapd-rootdn?

(In reply to Viktor Ashirov from comment #10)
> Questions:
> [1] Should dsconf automatically replace nsslapd-rootdn when
> nsslapd-ldapimaprootdn is changed?
> [2] Is there a valid use case when both can have different values? If no, do
> we need to keep these values separate at all? Can we make
> nsslapd-ldapimaprootdn an alias to nsslapd-rootdn?

I can not think of a valid use case where these values should be different.  But I don't think we should change nsslapd-rootdn when nsslapd-ldapimaprootdn is changed.  I could see a customer playing around with the ldapi settings and then messing up the rootdn by accident.

I think I would prefer to obsolete nsslapd-ldapimaprootdn, and have ldapi code always use nsslapd-rootdn.  But I think that should be done in a different bug.  Thoughts?

(In reply to mreynolds from comment #11)
> But I don't think we should change nsslapd-rootdn when
> nsslapd-ldapimaprootdn is changed.  I could see a customer playing around
> with the ldapi settings and then messing up the rootdn by accident.

I agree.

> I think I would prefer to obsolete nsslapd-ldapimaprootdn, and have ldapi
> code always use nsslapd-rootdn.  But I think that should be done in a
> different bug.  Thoughts?

Ok, I will open a separate bug for obsoleting nsslapd-ldapimaprootdn, and mark this one as VERIFIED.

Opened https://bugzilla.redhat.com/show_bug.cgi?id=2170494 for obsoleting nsslapd-ldapimaprootdn.

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (redhat-ds:11 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:3267