A process that starts as root can choose to give up it's root permission after
binding the privileged port, and switch to a given userid/group. I presume
slapd switches to user "ldap", you don't need to be privileged to accept
connections once the privileged listening socket has been bound by root.

As a security feature, once the process gives up root permissions, it cannot get
them back, but it can still use the socket previously bound by root as it keeps
a reference to the socket so it can listen on it for connections.
 

Nope. Apache needs to start as root if listen port <1024, it then gives up it's
permission for the worker threads that actually do the work. The session leader
still runs as root, but it does not do any actual work but manage the non-root
children.

Re: apache non-root here is a link you might be interested in :

http://jsdelfino.blogspot.com/2010/03/binding-to-port-80-without-running-as.html

It is a small program which takes a root-owned port and redirects the traffic to
an unprivileged port. I don't see the point myself, but it might be good for people
that have high security requirements (or are happily paranoid).

For me, something like iptables (forward) / rinetd (but another program) might be
just as good, and this would work for both apache and slapd.

Once the FORWARD rule is configured (by root) in iptables, you could then run
your server process on any non-privileged port and could run it as a non-root
user and start / stop / manage it as a non-root user.

The incoming 80/389 connection would be redirected to port 50080,50389 or
something like that, which would be where your non-root server process listens.