--On Tuesday, October 19, 2021 1:00 AM -0700 "Paul B. Henson" henson@acm.org wrote:
I'm testing openldap 2.5 in preparation for migrating my production services, and I noticed that the 2.5 RPMs no longer create an ldap user and instead run slapd as root by default? Is this because they're no longer intended to replace the system bundled openldap packages? It seems undesirable from a security perspective to run slapd as root rather than a dedicated service account.
I see there's a note about updating the startup options to run as a service account here:
https://repo.symas.com/soldap/systemd/
but the ldap user/group used as an example won't exist unless the system RPMs or the 2.4 RPMs have been previously installed or the user is created manually.
If you want it to run as a non-root user, it's on you to configure it as such, including said user. The majority of Symas customers run as root. So yes, this is intentional and due to the fact that it's not attempting to be the replacement of the system bundled OpenLDAP. You're free to run things as best fits your environment.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
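For anyone following the thread who wants to do what Paul describes (create the service account yourself and change the startup options), the script below is an added example, not code from the Symas page, the packages or either poster. It uses slapd's real `-u`/`-g` switches (slapd binds its listeners as root, then drops to the given account) together with a systemd drop-in; the unit name, slapd path, arguments and data/config directories are assumptions set as overridable variables, because they vary between the Symas builds and the distro packages.

```shell
#!/bin/sh
# Added example: run slapd under a dedicated account instead of root.
# Assumed values (unit name, binary, args, directories) are guesses;
# override them via the environment to match the installed packages.
set -eu

SVC_USER="${SVC_USER:-ldap}"
SVC_GROUP="${SVC_GROUP:-ldap}"
UNIT="${SLAPD_UNIT:-slapd.service}"                        # assumption
SLAPD_BIN="${SLAPD_BIN:-/opt/symas/lib/slapd}"             # assumption
SLAPD_CONF="${SLAPD_CONF:-/opt/symas/etc/openldap/slapd.d}" # assumption
DATA_DIRS="${DATA_DIRS:-/var/symas/openldap-data $SLAPD_CONF}" # assumption

# Render the systemd drop-in. The empty "ExecStart=" clears the packaged
# command line; the second ExecStart re-adds it with -u/-g so slapd can
# bind port 389 as root and then drop privileges before serving requests.
render_dropin() {
    printf '[Service]\nExecStart=\nExecStart=%s -u %s -g %s -h "ldap:/// ldapi:///" -F %s\n' \
        "$SLAPD_BIN" "$SVC_USER" "$SVC_GROUP" "$SLAPD_CONF"
}

# Create the system group/user only if missing, so re-running is harmless.
ensure_account() {
    getent group "$SVC_GROUP" >/dev/null || groupadd -r "$SVC_GROUP"
    getent passwd "$SVC_USER" >/dev/null || \
        useradd -r -g "$SVC_GROUP" -d /nonexistent -s /sbin/nologin "$SVC_USER"
}

# After dropping privileges slapd must still be able to write its database
# and cn=config directories, so hand them to the service account.
fix_ownership() {
    for d in $DATA_DIRS; do
        if [ -d "$d" ]; then chown -R "$SVC_USER:$SVC_GROUP" "$d"; fi
    done
}

# Which account is slapd actually running as? "root" means the drop-in
# did not take effect (wrong unit name, or daemon-reload not done).
slapd_user() {
    ps -o user= -C slapd 2>/dev/null | sort -u | head -n1
}

if [ "${1:-}" = apply ]; then   # only touch the system when asked
    ensure_account
    fix_ownership
    mkdir -p "/etc/systemd/system/$UNIT.d"
    render_dropin > "/etc/systemd/system/$UNIT.d/10-service-account.conf"
    systemctl daemon-reload && systemctl restart "$UNIT"
    echo "slapd now runs as: $(slapd_user)"
fi
```

Run it as root with `apply` after setting the variables; `slapd_user` printing anything other than the service account means the unit you overrode is not the one systemd actually started.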