On Wed, 30 Jan 2008, Bill Sterns wrote:
> I'm currently running OpenLDAP 2.4.6 using SSL/TLS via OpenSSL 0.9.8b and Berkeley DB 4.6.21, which I built and installed from source as root. I'd like to be able to run slapd as a non-root user, as I've seen other packaged OpenLDAP distributions do in the past. However, when I try to run it as a non-root user, OpenLDAP does not have permission to access various things, such as slapd.conf, the back-end database files, and the directory to create its pid file when it starts up. I've tinkered with the file/group ownership and permissions for these files, and I've managed to get it running as a non-root user, but I'm not sure if this is the ideal way to do it. Is there a recommended way to do this?
Start it as root, and use the "-u" and "-g" flags; this is the recommended (if not the only) way to do it.
[...]
> Am I going about this the right way? Is running OpenLDAP as a non-root user a non-recommended thing to do when using an installation built from source? And are there any other gotchas that might cause problems later? One possible problem I can think of is if the database needs to be wiped and recreated from a backed-up LDIF file using slapadd; if slapadd is run as root, the permissions would have to be reset on the database files before slapd could start up.
You won't be able to bind to port 389 as a non-root user. There's also the matter of resource limits.
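The pattern described in this exchange (start as root, let slapd drop to a service account with -u/-g, and hand the BDB files back to that account after a root-run slapadd), as an added wrapper script that is not part of the thread or of OpenLDAP itself. The account name `ldap`, the paths under /etc/openldap, /var/lib/ldap and /var/run/slapd are assumptions and can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout: service account "ldap",
# slapd.conf in /etc/openldap, BDB files in /var/lib/ldap, pid file in /var/run/slapd.
set -eu

LDAP_USER="${LDAP_USER:-ldap}"
LDAP_GROUP="${LDAP_GROUP:-ldap}"
DB_DIR="${DB_DIR:-/var/lib/ldap}"
PID_DIR="${PID_DIR:-/var/run/slapd}"
CONF="${CONF:-/etc/openldap/slapd.conf}"

# Give the database directory back to the service account. Required after a
# root-run slapadd, which creates the BDB files owned by root.
fix_db_perms() {
    dir=$1 user=$2 group=$3
    chown -R "$user:$group" "$dir"
    chmod 700 "$dir"                              # only the service account may enter it
    find "$dir" -type f -exec chmod 600 {} +      # database files readable by nobody else
}

# Succeeds when nothing under $dir is owned by anyone but $user, i.e. slapd
# started with "-u $user" will be able to open every file there.
owned_by() {
    dir=$1 user=$2
    [ -z "$(find "$dir" ! -user "$user" -print | head -n 1)" ]
}

# Rebuild the database from a backup LDIF. slapadd runs as root here, so the
# ownership reset afterwards is mandatory (the gotcha raised in the thread).
# Alternative: run slapadd itself under the service account and skip the reset.
restore_from_ldif() {
    ldif=$1
    slapadd -f "$CONF" -l "$ldif"
    fix_db_perms "$DB_DIR" "$LDAP_USER" "$LDAP_GROUP"
}

# Start as root so slapd can bind to privileged port 389, then let it drop to
# the service account by itself via -u/-g. Refuse to start on bad ownership.
start_slapd() {
    mkdir -p "$PID_DIR"
    chown "$LDAP_USER:$LDAP_GROUP" "$PID_DIR"
    owned_by "$DB_DIR" "$LDAP_USER" || { echo "fix ownership of $DB_DIR first" >&2; return 1; }
    slapd -f "$CONF" -u "$LDAP_USER" -g "$LDAP_GROUP" -h "ldap:///"
}

case "${1:-}" in
    restore) restore_from_ldif "$2" ;;
    start)   start_slapd ;;
esac
```

Run `sh slapd-wrapper.sh restore /path/to/backup.ldif` as root to rebuild the database, then `sh slapd-wrapper.sh start`; the ownership check makes the script fail loudly instead of leaving slapd unable to open its files.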