André Schembri

Reputation: 197

Changing port of OpenLdap on Centos installed with yum

I am trying to change the default port of openldap (not so experienced with openldap so I might be doing something incorrectly).

Currently I am installing it through the yum package manager on CentOS 7.1.1503 as follows:

yum install openldap-servers

After installing 'openldap-servers', I can start the openldap server by invoking service slapd start.

However, when I try to change the port by editing /etc/sysconfig/slapd, for instance by changing SLAPD_URLS to the following:

# OpenLDAP server configuration
# see 'man slapd' for additional information

# Where the server will run (-h option)
# - ldapi:/// is required for on-the-fly configuration using client tools
#   (use SASL with EXTERNAL mechanism for authentication)
# - default: ldapi:/// ldap:///
# - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:///
SLAPD_URLS="ldapi:/// ldap://127.0.0.1:3421/"

# Any custom options
#SLAPD_OPTIONS=""

# Keytab location for GSSAPI Kerberos authentication
#KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"

(see SLAPD_URLS="ldapi:/// ldap://127.0.0.1:3421/"), it is failing to start:

service slapd start
Redirecting to /bin/systemctl start  slapd.service
Job for slapd.service failed. See 'systemctl status slapd.service' and 'journalctl -xn' for details.
service slapd status
Redirecting to /bin/systemctl status  slapd.service
slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; disabled)
   Active: failed (Result: exit-code) since Fri 2015-07-31 07:49:06 EDT; 10s ago
     Docs: man:slapd
           man:slapd-config
           man:slapd-hdb
           man:slapd-mdb
           file:///usr/share/doc/openldap-servers/guide.html
  Process: 41704 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=1/FAILURE)
  Process: 41675 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
 Main PID: 34363 (code=exited, status=0/SUCCESS)

Jul 31 07:49:06 osboxes runuser[41691]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Jul 31 07:49:06 osboxes runuser[41693]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Jul 31 07:49:06 osboxes runuser[41695]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Jul 31 07:49:06 osboxes runuser[41697]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Jul 31 07:49:06 osboxes runuser[41699]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Jul 31 07:49:06 osboxes runuser[41701]: pam_unix(runuser:session): session opened for user ldap by (uid=0)
Jul 31 07:49:06 osboxes slapd[41704]: @(#) $OpenLDAP: slapd 2.4.39 (Mar  6 2015 04:35:49) $
                                              [email protected]:/builddir/build/BUILD/openldap-2.4.39/openldap-2.4.39/servers/slapd
Jul 31 07:49:06 osboxes systemd[1]: slapd.service: control process exited, code=exited status=1
Jul 31 07:49:06 osboxes systemd[1]: Failed to start OpenLDAP Server Daemon.
Jul 31 07:49:06 osboxes systemd[1]: Unit slapd.service entered failed state.

PS: I also disabled firewalld.

Upvotes: 0

Views: 1890

Answers (1)

André Schembri

Reputation: 197

The solution was provided when I ran journalctl -xn, which basically says:

SELinux is preventing /usr/sbin/slapd from name_bind access on the tcp_socket port 9312.

                                   *****  Plugin bind_ports (92.2 confidence) suggests   ************************

                                   If you want to allow /usr/sbin/slapd to bind to network port 9312
                                   Then you need to modify the port type.
                                   Do
                                   # semanage port -a -t ldap_port_t -p tcp 9312

                                   *****  Plugin catchall_boolean (7.83 confidence) suggests   ******************

                                   If you want to allow nis to enabled
                                   Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
                                   You can read 'None' man page for more details.
                                   Do
                                   setsebool -P nis_enabled 1

                                   *****  Plugin catchall (1.41 confidence) suggests   **************************

                                   If you believe that slapd should be allowed name_bind access on the port 9312 tcp_socket by default.
                                   Then you should report this as a bug.
                                   You can generate a local policy module to allow this access.
                                   Do
                                   allow this access for now by executing:
                                   # grep slapd /var/log/audit/audit.log | audit2allow -M mypol
                                   # semodule -i mypol.pp

Upvotes: 0
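The fix above is the bind_ports suggestion: give the new port the ldap_port_t label so the targeted policy lets slapd bind it. The following is an added example, not code from the question or the answer, that checks this ahead of a restart: it takes the SLAPD_URLS value from /etc/sysconfig/slapd and a `semanage port -l` listing, and prints the `semanage port -a` command for each TCP port that is not yet labeled ldap_port_t. Only the listing format of semanage(8) is assumed; both inputs below are constructed samples (using the asker's port 3421), not output captured from the host in the question.

```shell
#!/bin/sh
# Added example, not from the question or answer above: a preflight check for
# running slapd on a non-default port under SELinux. It parses the SLAPD_URLS
# value from /etc/sysconfig/slapd and a `semanage port -l` listing, and prints
# the `semanage port -a` command for every TCP port that is not yet labeled
# ldap_port_t. Only the listing format of semanage(8) is assumed; both inputs
# below are constructed, not captured from the asker's host.

# Constructed `semanage port -l` excerpt (the real listing is much longer).
SAMPLE_PORTS='ephemeral_port_t               tcp      32768-60999
ldap_port_t                    tcp      389, 636, 3268, 3269, 7389
ldap_port_t                    udp      389, 636, 3268, 3269, 7389'

# Constructed SLAPD_URLS value, using the port from the question.
SAMPLE_URLS='ldapi:/// ldap://127.0.0.1:3421/ ldaps:///'

# port_labeled TYPE PROTO PORT  (reads a semanage listing on stdin)
# Exit 0 if PORT is covered by TYPE's PROTO entry, either as a single port
# or inside a LOW-HIGH range; exit 1 otherwise.
port_labeled() {
    awk -v t="$1" -v p="$2" -v n="$3" '
        $1 == t && $2 == p {
            for (i = 3; i <= NF; i++) {
                f = $i; sub(/,$/, "", f)          # strip the list comma
                if (f ~ /-/) {                    # range entry
                    split(f, r, "-")
                    if (n + 0 >= r[1] + 0 && n + 0 <= r[2] + 0) found = 1
                } else if (f + 0 == n + 0) {      # single port
                    found = 1
                }
            }
        }
        END { if (found) exit 0; exit 1 }'
}

# default_port SCHEME: the port an ldap:// or ldaps:// URL gets when none is given.
default_port() {
    if [ "$1" = ldaps ]; then echo 636; else echo 389; fi
}

# urls_tcp_ports "URL URL ..."
# Prints one TCP port per line for each ldap:// and ldaps:// URL. ldapi:///
# is a Unix-domain socket and needs no port label.
urls_tcp_ports() {
    for u in $1; do
        case "$u" in
            ldap://*|ldaps://*)
                scheme=${u%%:*}
                hostport=${u#*://}
                hostport=${hostport%%/*}
                case "$hostport" in
                    *\])  default_port "$scheme" ;;   # bare IPv6 literal, no port
                    *:*)  echo "${hostport##*:}" ;;
                    *)    default_port "$scheme" ;;
                esac ;;
        esac
    done
}

# missing_labels "URL URL ..."  (reads a semanage listing on stdin)
# Prints the semanage command for every TCP port not yet labeled ldap_port_t.
missing_labels() {
    listing=$(cat)
    for port in $(urls_tcp_ports "$1"); do
        if ! printf '%s\n' "$listing" | port_labeled ldap_port_t tcp "$port"; then
            echo "semanage port -a -t ldap_port_t -p tcp $port"
        fi
    done
}

# Stand-alone run on the constructed inputs. On a real host, feed it
# `semanage port -l` and the SLAPD_URLS line from the sysconfig file instead.
printf '%s\n' "$SAMPLE_PORTS" | missing_labels "$SAMPLE_URLS"
```

Labeling the port is the narrow fix: it grants exactly one new bind permission and nothing else. The catchall suggestion at the bottom of the journal output (audit2allow over everything matching slapd in audit.log) generates a module that allows every denial it finds, which is usually more than the port change needs. If `semanage port -a` reports that the port is already defined with another type, it must be changed with `semanage port -m` instead.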
