
Re: Running slapd as a non-root user



On Wed, 30 Jan 2008, Bill Sterns wrote:

> I'm currently running OpenLDAP 2.4.6 using SSL/TLS via OpenSSL 0.9.8b 
> and Berkeley DB 4.6.21, which I built and installed from source as root. 
> I'd like to be able to run slapd as a non-root user, as I've seen other 
> packaged OpenLDAP distributions do in the past. However, when I try to 
> run it as a non-root user, OpenLDAP does not have permission to access 
> various things, such as slapd.conf, the back-end database files, and the 
> directory to create its pid file when it starts up. I've tinkered with 
> the file/group ownership and permissions for these files, and I've 
> managed to get it running as a non-root user, but I'm not sure if this 
> is the ideal way to do it. Is there a recommended way to do this?

Start it as root, and use the "-u" and "-g" flags; this is the recommended 
(if not the only) way to do it.

[...]

> Am I going about this the right way? Is running OpenLDAP as a non-root 
> user a non-recommended thing to do when using an installation built from 
> source? And are there any other gotchas that might cause problems later? 
> One possible problem I can think of is if the database needs to be wiped 
> and recreated from a backed-up LDIF file using slapadd; if slapadd is 
> run as root, the permissions would have to be reset on the database 
> files before slapd could start up.

You won't be able to bind to port 389 as a non-root user.  There's also 
the matter of resource limits.

-- 
Dave Horsfall DTM VK2KFU  Ph: +61 2 9552-5509 (direct) +61 2 9552-5500 (switch)
Corinthian Eng'ng P/L, Ste 54 Jones Bay Whf, 26-32 Pirrama Rd, Pyrmont 2009, AU
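One way to turn the advice above into a start script, as an added example that is not part of this thread or of the OpenLDAP distribution: it fixes up the ownership Bill had to tinker with by hand, refuses to run unless started as root (so slapd can bind 389/636 before it switches to `-u`/`-g`), raises the descriptor limit while still root, and has a reload path that runs slapadd as root and then re-applies ownership, which is the case Bill was worried about. The /usr/local paths, the `ldap` user and group and the function names are assumptions for a from-source build; adjust them to your install.

```sh
#!/bin/sh
# Start/reload wrapper for a from-source slapd that drops privileges with -u/-g.
# Added illustration, not from the mailing-list thread or the OpenLDAP tree.
# Assumed (hypothetical) layout for a /usr/local build; override via environment.
set -eu

: "${SLAPD_BIN:=/usr/local/libexec/slapd}"
: "${SLAPADD_BIN:=/usr/local/sbin/slapadd}"
: "${SLAPD_CONF:=/usr/local/etc/openldap/slapd.conf}"
: "${SLAPD_DBDIR:=/usr/local/var/openldap-data}"
: "${SLAPD_RUNDIR:=/usr/local/var/run}"
: "${SLAPD_USER:=ldap}"
: "${SLAPD_GROUP:=ldap}"
: "${SLAPD_URLS:=ldap:/// ldaps:///}"

# prepare_tree USER GROUP CONF DBDIR RUNDIR
# Everything slapd writes after it has switched to USER:GROUP (the BDB
# environment and the pid file) must belong to that user. slapd.conf is read
# before the switch and holds rootpw and the TLS key path, so it only needs to
# be readable by GROUP; its owner (root, after a source install) is left alone.
prepare_tree() {
    user=$1 group=$2 conf=$3 dbdir=$4 rundir=$5
    mkdir -p "$dbdir" "$rundir"
    chown -R "$user:$group" "$dbdir" "$rundir"
    chmod 700 "$dbdir"
    chmod 755 "$rundir"
    if [ -f "$conf" ]; then
        chgrp "$group" "$conf"
        chmod 640 "$conf"
    fi
}

# verify_tree USER GROUP DIR...
# Returns 0 if nothing under DIR... belongs to anyone but USER:GROUP. Run it
# after slapadd: run as root, slapadd leaves root-owned database files behind
# and slapd then fails to open its environment after setuid.
verify_tree() {
    user=$1 group=$2
    shift 2
    stray=$(find "$@" "(" ! -user "$user" -o ! -group "$group" ")" -print)
    [ -z "$stray" ]
}

# reload_from_ldif LDIF
# Wipe the BDB environment (DB_CONFIG is kept), reload it from a backup LDIF
# as root, then hand the new files back to the unprivileged user.
reload_from_ldif() {
    [ "$(id -u)" -eq 0 ] || { echo "reload must run as root" >&2; return 1; }
    rm -f "$SLAPD_DBDIR"/*.bdb "$SLAPD_DBDIR"/__db.* "$SLAPD_DBDIR"/log.*
    "$SLAPADD_BIN" -f "$SLAPD_CONF" -l "$1"
    prepare_tree "$SLAPD_USER" "$SLAPD_GROUP" "$SLAPD_CONF" "$SLAPD_DBDIR" "$SLAPD_RUNDIR"
    verify_tree "$SLAPD_USER" "$SLAPD_GROUP" "$SLAPD_DBDIR"
}

# start_slapd
# slapd binds its listeners (389 and 636 need root) and reads slapd.conf
# first, then calls setgid/setuid to -g/-u, so it has to be launched by root.
start_slapd() {
    [ "$(id -u)" -eq 0 ] || { echo "start as root; slapd drops to $SLAPD_USER itself" >&2; return 1; }
    prepare_tree "$SLAPD_USER" "$SLAPD_GROUP" "$SLAPD_CONF" "$SLAPD_DBDIR" "$SLAPD_RUNDIR"
    verify_tree "$SLAPD_USER" "$SLAPD_GROUP" "$SLAPD_DBDIR" "$SLAPD_RUNDIR"
    # Resource limits: raise the descriptor limit while still root; once it
    # has switched uid the process cannot raise its own hard limit any more.
    ulimit -n 8192
    exec "$SLAPD_BIN" -u "$SLAPD_USER" -g "$SLAPD_GROUP" -f "$SLAPD_CONF" -h "$SLAPD_URLS"
}

case "${1:-}" in
    start)  start_slapd ;;
    reload) reload_from_ldif "${2:?usage: $0 reload backup.ldif}" ;;
    "")     ;;   # sourced or run without arguments: only define the functions
    *)      echo "usage: $0 {start|reload backup.ldif}" >&2; exit 2 ;;
esac
```

Run `./slapd-start.sh start` from root (or an init script) rather than `su`-ing to the ldap user; the whole point of `-u`/`-g` is that slapd itself gives up root after the privileged steps are done. If you must change user before exec (a container entrypoint, say), move the listeners above 1024 or grant CAP_NET_BIND_SERVICE, since an unprivileged slapd cannot bind 389.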