1.6. Changing Directory Server Port Numbers

The standard and secure LDAP port numbers used by Directory Server can be changed through the Directory Server Console or by changing the value of the nsslapd-port or nsslapd-secureport attribute under the cn=config entry in the dse.ldif.

Note

Modifying the standard or secure port numbers for a Configuration Directory Server, which maintains the o=NetscapeRoot subtree, should be done through the Directory Server Console.

1.6.1. Changing Standard Port Numbers

  1. In the Directory Server Console, select the Configuration tab, and then select the top entry in the navigation tree in the left pane.
  2. Select the Settings tab in the right pane.
  3. Change the port number. Enter the port number that the server uses for non-SSL communications in the Port field; the default value is 389.
  4. Click Save.
  5. The Console returns a warning, You are about to change the port number for the Configuration Directory. This will affect all Administration Servers that use this directory and you'll need to update them with the new port number. Are you sure you want to change the port number? Click Yes.
  6. Then a dialog appears, reading that the changes will not take effect until the server is restarted. Click OK.

    Note

    Do not restart the Directory Server at this point. If you do, you will not be able to make the necessary changes to the Admin Server through the Console.
  7. Open the Admin Server Console.
  8. In the Configuration tab, select the Configuration DS tab.
  9. In the LDAP Port field, type in the new LDAP port number for your Directory Server instance.
  10. Change the SELinux labels for the Directory Server ports so that the new port number is used in the Directory Server policies. By default, only port 389 is labeled. The process for labeling ports is covered in Section 1.10.6, “Labeling SSL/TLS Ports”. For example:
    /usr/sbin/semanage port -a -t ldap_port_t -p tcp 1389

    Warning

    If the SELinux label is not reset, then the Directory Server cannot be restarted.
  11. In the Tasks tab of the Directory Server Console, click Restart Directory Server. A dialog opens to confirm that you want to restart the server. Click Yes.
  12. Open the Configuration DS tab of the Admin Server Console and select Save.
    A dialog will appear, reading The Directory Server setting has been modified. You must shutdown and restart your Admin Server and all the servers in the Server Group for the changes to take effect. Click OK.
  13. In the Tasks tab of the Admin Server Console, click Restart Admin Server. A dialog opens reading that the Admin Server has been successfully restarted. Click Close.

    Note

    You must close and reopen the Console before you can do anything else in the Console. Refresh may not update the Console, and, if you try to do anything, you will get a warning that reads Unable to contact LDAP server.

1.6.2. Changing SSL Port Numbers

Changing the configuration directory or user directory port or secure port numbers has the following repercussions:
  • The Directory Server port number must also be updated in the Admin Server configuration.
  • If there are other Directory Server instances that point to the configuration or user directory, update those servers to point to the new port number.
To modify the LDAPS port:
  1. Make sure that the CA certificate used to issue the Directory Server instance's certificate is in the Admin Server certificate database. Importing CA certificates for the Admin Server is the same as the Directory Server process described in Section 7.3.2, “Trusting the Certificate Authority”.
  2. The secure port can be configured using the Directory Server Console, much like the process in Section 1.6.1, “Changing Standard Port Numbers” (only setting the value in the Encrypted Port field). However, in some circumstances, such as when there are multiple Directory Server instances on the same machine, changing port numbers may not be possible through the Directory Server Console. In that case it may be better to use ldapmodify to change the port number.
    For example:
    [root@server ~]# ldapmodify -x -h server.example.com -p 1389 -D "cn=directory manager" -W
    dn: cn=config
    changetype: modify
    replace: nsslapd-securePort
    nsslapd-securePort: 1636
  3. Edit the corresponding port configuration for the Directory Server instance in the Admin Server configuration (o=netscaperoot).
    First, search for the current configuration:
    [root@server ~]# ldapsearch -x -h config-ds.example.com -p 389 -D "cn=directory manager" -W -b "cn=slapd-ID,cn=389 Directory Server,cn=Server Group,cn=server.example.com,ou=example.com,o=NetscapeRoot" -s base "(objectclass=*)" nsSecureServerPort

    dn: cn=slapd-ID,cn=389 Directory Server,cn=Server Group,cn=server.example.com,ou=example.com,o=NetscapeRoot
    nsSecureServerPort: 636
    Then, edit the configuration:
    [root@server ~]# ldapmodify -x -h config-ds.example.com -p 389 -D "cn=directory manager" -W
    dn: cn=slapd-ID,cn=389 Directory Server,cn=Server Group,cn=server.example.com,ou=example.com,o=NetscapeRoot
    changetype: modify
    replace: nsSecureServerPort
    nsSecureServerPort: 1636
  4. Start the Directory Server Console for the instance and confirm that the new SSL port number is listed in the Configuration tab.
  5. Optionally, select the Use SSL in Console check box.
  6. Change the SELinux labels for the Directory Server ports so that the new port number is used in the Directory Server policies. By default, only port 389 is labeled. The process for labeling ports is covered in Section 1.10.6, “Labeling SSL/TLS Ports”. For example:
    /usr/sbin/semanage port -a -t ldap_port_t -p tcp 1636

    Warning

    If the SELinux label is not reset, then the Directory Server cannot be restarted.
  7. Restart the Directory Server instance.
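As an added example that is not part of the Directory Server guide, the shell helper below pulls together the two steps that recur in Section 1.6.1 and Section 1.6.2: it generates the LDIF that ldapmodify needs for the cn=config entry and for the instance entry under o=NetscapeRoot, and it checks the output of semanage port -l so that the SELinux labeling step, which otherwise blocks the restart, is not skipped. The semanage output is a constructed sample embedded in the script; the attribute name nsServerPort for the standard port in the Admin Server entry is assumed by analogy to nsSecureServerPort and does not appear on this page; the instance name, host and domain passed to admin_ldif are placeholders.

```shell
#!/bin/sh
# Added example, not the guide's own code: pre-flight helpers for a
# Directory Server port change.

# Constructed sample of "semanage port -l" output so the script runs offline;
# on a real host, capture it with: semanage port -l
SEMANAGE_SAMPLE='SELinux Port Type              Proto    Port Number
ldap_port_t                    tcp      389, 636, 3268, 3269, 7389
ldap_port_t                    udp      389, 636
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000'

# valid_port PORT -> success if PORT is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# port_labeled PORT [SEMANAGE_OUTPUT] -> success if PORT is already in the
# ldap_port_t tcp list (defaults to the constructed sample above)
port_labeled() {
    port=$1
    out=${2:-$SEMANAGE_SAMPLE}
    printf '%s\n' "$out" | awk -v p="$port" '
        $1 == "ldap_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) { gsub(",", "", $i); if ($i == p) found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# label_cmd PORT [SEMANAGE_OUTPUT] -> prints the semanage command from the
# guide when PORT still needs a label; prints nothing when it is labeled
label_cmd() {
    if port_labeled "$1" "$2"; then
        return 0
    fi
    printf '/usr/sbin/semanage port -a -t ldap_port_t -p tcp %s\n' "$1"
}

# config_ldif PORT [secure] -> LDIF for cn=config (nsslapd-port or
# nsslapd-securePort, both named in the guide)
config_ldif() {
    attr=nsslapd-port
    [ "$2" = secure ] && attr=nsslapd-securePort
    printf 'dn: cn=config\nchangetype: modify\nreplace: %s\n%s: %s\n' \
        "$attr" "$attr" "$1"
}

# admin_ldif INSTANCE_ID HOST DOMAIN PORT [secure] -> LDIF for the instance
# entry in the Admin Server configuration. nsSecureServerPort is from the
# guide; nsServerPort for the standard port is an assumption.
admin_ldif() {
    attr=nsServerPort
    [ "$5" = secure ] && attr=nsSecureServerPort
    printf 'dn: cn=slapd-%s,cn=389 Directory Server,cn=Server Group,cn=%s,ou=%s,o=NetscapeRoot\nchangetype: modify\nreplace: %s\n%s: %s\n' \
        "$1" "$2" "$3" "$attr" "$attr" "$4"
}

# plan_port_change PORT [secure] -> prints the LDIF for both entries and the
# semanage command if needed; fails on an invalid port before anything else
plan_port_change() {
    valid_port "$1" || { echo "invalid port: $1" >&2; return 1; }
    config_ldif "$1" "$2"
    echo
    admin_ldif ID server.example.com example.com "$1" "$2"
    echo
    label_cmd "$1"
}
```

Run plan_port_change 1636 secure to see the two LDIF changes and the semanage command that the guide's steps require; feed the LDIF to ldapmodify against the instance and the configuration directory respectively, and apply the label before restarting.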