Cockpit uses LDAPI to connect to DS, so if you change the directory manager(rootdn) DN from "cn=directory manager" to something else you also need to update the LDAPi configuration: Example: # dsconf slapd-localhost config replace nsslapd-ldapimaprootdn="cn=dirmgr" As for cockpit it should not crash, but if you change the root DN's DN, then you must update the LDAPI config.
Filxed upstream ticket: https://github.com/389ds/389-ds-base/issues/5453 The ticket will fix the crash in the UI, and set nsslapd-ldapimaprootdn automatically for you when using dsconf to change the root DN.
Fixed upstream moving to POST
Build tested: 389-ds-base-1.4.3.32-4.module+el8dsrv+17818+dcb7ba9a.x86_64 cockpit-389-ds-1.4.3.32-4.module+el8dsrv+17818+dcb7ba9a.noarch # dsconf -D cn=Directory\ Manager ldap://localhost config replace nsslapd-rootdn="cn=admin" Enter password for cn=Directory Manager on ldap://localhost: Successfully replaced "nsslapd-rootdn" Successfully replaced "nsslapd-ldapimaprootdn" LDAPI Map To Root DN is replaced when Root DN is changed via dsconf. WebUI is accessible and doesn't crash. But changing just nsslapd-ldapimaprootdn doesn't replace nsslapd-rootdn: dsconf -D cn=Directory\ Manager ldap://localhost config replace nsslapd-ldapimaprootdn="cn=admin" Enter password for cn=Directory Manager on ldap://localhost: Successfully replaced "nsslapd-ldapimaprootdn" And WebUI prints an error: Problem accessing required server configuration. Check LDAPI is properly configured for the current Root DN (nsslapd-rootdn & nsslapd-ldapimaprootdn). Questions: [1] Should dsconf automatically replace nsslapd-rootdn when nsslapd-ldapimaprootdn is changed? [2] Is there a valid use case when both can have different values? If no, do we need to keep these values separate at all? Can we make nsslapd-ldapimaprootdn an alias to nsslapd-rootdn?
(In reply to Viktor Ashirov from comment #10) > Questions: > [1] Should dsconf automatically replace nsslapd-rootdn when > nsslapd-ldapimaprootdn is changed? > [2] Is there a valid use case when both can have different values? If no, do > we need to keep these values separate at all? Can we make > nsslapd-ldapimaprootdn an alias to nsslapd-rootdn? I can not think of a valid use case where these values should be different. But I don't think we should change nsslapd-rootdn when nsslapd-ldapimaprootdn is changed. I could see a customer playing around with the ldapi settings and then messing up the rootdn by accident. I think I would prefer to obsolete nsslapd-ldapimaprootdn, and have ldapi code always use nsslapd-rootdn. But I think that should be done in a different bug. Thoughts?
(In reply to mreynolds from comment #11) > But I don't think we should change nsslapd-rootdn when > nsslapd-ldapimaprootdn is changed. I could see a customer playing around > with the ldapi settings and then messing up the rootdn by accident. I agree. > I think I would prefer to obsolete nsslapd-ldapimaprootdn, and have ldapi > code always use nsslapd-rootdn. But I think that should be done in a > different bug. Thoughts? Ok, I will open a separate bug for obsoleting nsslapd-ldapimaprootdn, and mark this one as VERIFIED.
Opened https://bugzilla.redhat.com/show_bug.cgi?id=2170494 for obsoleting nsslapd-ldapimaprootdn.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (redhat-ds:11 bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:3267