On 6/13/22 15:14, Carsten Jäckel wrote:
Is it advantageous to run the slapd with it's own service user/group (e. g. ldap:ldap) or is it recommended to run slapd as root (as it seems to be default)?
As with other service demons you should run it as non-root user.
Two options:
1. Use CLI args -u and -g when starting slapd as root to let it change user, see slapd(8).
2. Start slapd directly as non-privileged users. If it needs to bind on privileged port(s) (<1024) you have to give it the capability CAP_NET_BIND_SERVICE, see capabilities(7).
Furthermore on modern Linux systems you could use systemd sandboxing and SyscallFilter= (and set the capability above):
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Sandboxin...
As an example see systemd service unit of Æ-DIR's slapd service attached below.
Additionally you could use AppArmor or SELinux.
Ciao, Michael.
# /etc/systemd/system/ae-slapd.service #----------------------------------------------------------------------- # initiate: systemctl enable ae-slapd.service # start: systemctl start ae-slapd.service # get status: systemctl status ae-slapd.service # # Ansible managed: ansible-repo/master #-----------------------------------------------------------------------
[Unit] Description=AE-DIR OpenLDAP server Requires=local-fs.target network.target After=local-fs.target network.target Before=nss-user-lookup.target aehostd.service Wants=nss-user-lookup.target
[Service] Type=simple Environment=SASL_CONF_PATH=/opt/ae-dir/etc/openldap/sasl2.conf Environment=LDAPNOINIT=1 PIDFile=/run/ae-dir/slapd/slapd.pid ExecStart=/usr/lib64/slapd -d none -n ae-slapd -l LOCAL4 -s 6 -f /opt/ae-dir/etc/openldap/slapd.conf -h 'ldapi://%%2Frun%%2Fae-dir%%2Fslapd%%2Fldapi/????x-mod=0777 ldap://*:389 ldaps://*:636' -o slp=off WorkingDirectory=/run/ae-dir/slapd ReadWritePaths=/run/ae-dir/slapd /opt/ae-dir/slapd-db/accesslog /opt/ae-dir/slapd-db/um User=ae-dir-slapd Group=ae-dir-slapd CapabilityBoundingSet=CAP_NET_BIND_SERVICE AmbientCapabilities=CAP_NET_BIND_SERVICE LimitNOFILE=2048 RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX # various hardening options from ansible var aedir_systemd_hardening StandardInput=null UMask=0077 PrivateUsers=no PrivateTmp=yes PrivateDevices=yes ProtectSystem=strict ProtectProc=invisible ProtectHome=yes ProtectKernelModules=yes ProtectKernelTunables=yes ProtectKernelLogs=yes ProtectControlGroups=yes ProtectHostname=yes ProtectClock=yes NoNewPrivileges=yes MountFlags=private SystemCallArchitectures=native LockPersonality=yes KeyringMode=private RestrictRealtime=yes RestrictNamespaces=yes RestrictSUIDSGID=yes DevicePolicy=closed PrivateIPC=yes RemoveIPC=yes MemoryDenyWriteExecute=yes SystemCallFilter=~ @clock @cpu-emulation @debug @keyring @module @mount @raw-io @reboot @swap @obsolete splice @resources @chown @privileged @pkey @setuid @timer SystemCallLog=@clock @cpu-emulation @debug @keyring @module @mount @raw-io @reboot @swap @obsolete splice @resources @chown @privileged @pkey @setuid @timer AppArmorProfile=ae-slapd
[Install] WantedBy=multi-user.target