1.4.1 - Changing the server port for LDAP

This section describes how to change to port for the LDAP protocol. There are two ways to do that : either you use the configuration plugin available in Apache Directory Studio, or you update the LDIF partition that contains the configuration.

The task and how to accomplish it

By default the LDAP server listens on port 10389 (unencrypted or StartTLS) and 10636 (SSL). It is quite common to run LDAP on 389, which is the well-known port for this protocol, but that requires the server to be started with a root user (or with sudo). Of course other options are imaginable as well. Changing the LDAP port is a good example for adjusting the existing Spring configuration as introduced in the last section.

Due to traditional Unix security restrictions, ports less than 1024 were "trusted". Thus on a Unix-System, a non-root process must listen on a port greater than 1023.

Basically, there are two cases :

  • The server is not started
  • The server is started

We will see how to change the port in those two cases.

Using Apache Directory Studio

The server is started

The best solution is to connect on the server using Studio, and to open it’s configuration :

![Studio port configuration](images/studio-port-config1.png)

When you select this menu, you will get the main configuration screen, containing the port for LDAP and LDAPS :

![Studio port configuration](images/studio-port-config2.png)

Now, change the values of port to your needs, then save the configuration. You have to restart the server afterwards in order to take this change into effect.

The server is not started

You can start it and update the configuration, of course. But if you want to configure the server when it’s stopped, you will have to load the configuration file, which is on …/instances/default/conf/config.ldif, when the server has been installed using the default setting.

Opening this file will open the exact same window :

![Studio port configuration](images/studio-port-config2.png)

You can update the ports and save the file.

Note that you will requite write access on this file !

Modifying the configuration LDIF partition

All the ApacheDS configuration is stored as a LDIF file, and can be modified either using a text editor (although we don’t consider this as a safe practice) or using a Modify request on a running server.

Modifying the configuration on a running server will **not** change the listening port of the running server. You will have to relaunch the server in order to get this new configuration to be available.

The configuration is stored as a set of LDAP entries, so you can update one of them. In order to modify the entry containing the ports, you have first to find it, and second to send a valid modify request.

All the ApacheDS configuration is stored under the ou=config partition. The ports are stored in some entries under DN: ldap,ou=transports,ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config (obviously, dependning on your installation, this DN might change : the ads-directoryServiceId may have a different name, so is the ads-serverId). In any case, the ou=transports branch contains two entries :

for LDAP :

dn: ads-transportid=ldap,ou=transports,ads-serverId=ldapServer,ou=servers,ad
ads-systemport: 10389
ads-enabled: TRUE
ads-transportnbthreads: 8
ads-transportid: ldap
objectclass: ads-transport
objectclass: ads-tcpTransport
objectclass: ads-base
objectclass: top

and for LDAPS :

dn: ads-transportid=ldaps,ou=transports,ads-serverId=ldapServer,ou=servers,a
ads-systemport: 10636
ads-transportenablessl: TRUE
ads-enabled: TRUE
ads-transportid: ldaps
objectclass: ads-transport
objectclass: ads-tcpTransport
objectclass: ads-base
objectclass: top

You just have to send a ModifyRequest using such a LDIF :

dn: ads-transportid=ldaps,ou=transports,ads-serverId=ldapServer,ou=servers,ads
changetype: modify
replace: ads-systemport
ads-systemport: 10637

(here, we have modified the LDAPS Port from 10636 to 10637)

Those modification can be done directly on the config.ldif file, but you won’t have any syntax check if you do so.