On 19Oct21 18:17+0200, Michael Ströder wrote:
On 10/19/21 17:10, Quanah Gibson-Mount wrote:
--On Tuesday, October 19, 2021 1:00 AM -0700 "Paul B. Henson" henson@acm.org wrote:
I'm testing openldap 2.5 in preparation for migrating my production services, and I noticed that the 2.5 RPMs no longer create an ldap user and instead run slapd as root by default?
If you want it to run as a non-root user, it's on you to configure it as such, including said user. The majority of Symas customers run as root.
IMHO there's no good reason to let systemd start slapd as root.
+1
Binding to so-called "privileged ports" can be achieved by setting these options in the systemd unit:
Alternatively, the old way, slapd still supports -u/-g options.
Find below ae-slapd.service generated by Æ-DIR's ansible role.
Thanks. This is interesting. Just some comments inline:
[Unit]
Description=AE-DIR OpenLDAP server
Requires=local-fs.target network.target
After=local-fs.target network.target
[Service]
Type=simple
Environment=LD_PRELOAD=/usr/lib64/libtcmalloc.so.4
Environment=LDAPNOINIT=1
PIDFile=/run/ae-dir/slapd/slapd.pid
Still need a pidfile?
ExecStart=/usr/lib64/slapd -d none -n ae-slapd -l LOCAL4 -s 7 -f /opt/ae-dir/etc/openldap/slapd.conf -h 'ldapi://%%2Frun%%2Fae-dir%%2Fslapd%%2Fldapi/????x-mod=0777 ldap://*:389 ldaps://*:636' -o slp=off
Listening in plaintext on all interfaces might be discouraged.
WorkingDirectory=/run/ae-dir/slapd
User=ae-dir-slapd
Group=ae-dir-slapd
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
This is nice, I am thinking about adopting that and abandoning -u/-g.
LimitNOFILE=96
This could be too low, depending on the use case. It limits the number of incoming connections.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
# various hardening options from ansible var aedir_systemd_hardening
[...]
Cheers,
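As an added example (not code from this thread, from Symas, or from Æ-DIR's ansible role), the script below reviews a slapd systemd unit for the points raised above: whether User=/Group= drop root, whether AmbientCapabilities=CAP_NET_BIND_SERVICE is present when a port below 1024 is bound as non-root, whether LimitNOFILE is low enough to cap concurrent connections, and whether a plaintext ldap:// listener sits on all interfaces. The two sample units and their paths are constructed for the example; the parser and check functions are mine, not part of systemd or OpenLDAP.

```python
"""Review a slapd systemd unit for the points raised in this thread:
does it drop root, does it keep CAP_NET_BIND_SERVICE for ports below
1024, is LimitNOFILE large enough, and does a plaintext ldap:// listener
sit on all interfaces.  Added example; the sample units below are
constructed and their paths are hypothetical."""
import re
import shlex

PRIVILEGED_PORT = 1024
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
ALL_INTERFACES = {"", "*", "0.0.0.0", "::"}
URL_RE = re.compile(r"^(?P<scheme>[a-z]+)://(?P<host>[^:/]*)(?::(?P<port>\d+))?")


def parse_unit(text):
    """Minimal INI-style parser for systemd units; repeated keys such as
    several Environment= lines accumulate into a list, last value wins."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")   # split on the first '=' only
        sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def listener_urls(exec_start):
    """Return the URL list handed to slapd via -h in ExecStart=."""
    argv = shlex.split(exec_start)
    urls = []
    for i, arg in enumerate(argv):
        if arg == "-h" and i + 1 < len(argv):
            urls.extend(argv[i + 1].split())
    return urls


def describe_listener(url):
    """(scheme, host, port) for an LDAP URL; port is None for ldapi://."""
    m = URL_RE.match(url)
    if not m:
        return None
    scheme, host, port = m.group("scheme"), m.group("host"), m.group("port")
    return scheme, host, int(port) if port else DEFAULT_PORTS.get(scheme)


def review_unit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    svc = parse_unit(text).get("Service", {})
    findings = []
    user = svc.get("User", ["root"])[-1]      # systemd default is root
    if user == "root":
        findings.append("runs as root: no User= set")
    needs_bind_cap = False
    for url in listener_urls(svc.get("ExecStart", [""])[-1]):
        parsed = describe_listener(url)
        if parsed is None:
            continue
        scheme, host, port = parsed
        if port is not None and port < PRIVILEGED_PORT:
            needs_bind_cap = True
        if scheme == "ldap" and host in ALL_INTERFACES:
            findings.append(f"plaintext {url} listens on all interfaces")
    ambient = " ".join(svc.get("AmbientCapabilities", [])).split()
    if user != "root" and needs_bind_cap and "CAP_NET_BIND_SERVICE" not in ambient:
        findings.append(f"binds a port below 1024 as '{user}' without "
                        "AmbientCapabilities=CAP_NET_BIND_SERVICE")
    nofile = svc.get("LimitNOFILE", [None])[-1]
    if nofile and nofile != "infinity":
        soft = nofile.split(":")[0]           # LimitNOFILE may be soft:hard
        if soft.isdigit() and int(soft) < 1024:
            findings.append(f"LimitNOFILE={nofile} limits the number of concurrent connections")
    return findings


# Constructed sample: non-root with ambient capability, but a low fd limit
# and a plaintext wildcard listener (hypothetical paths).
SAMPLE_HARDENED = """\
[Unit]
Description=slapd (constructed sample)

[Service]
Type=simple
ExecStart=/usr/lib64/slapd -d none -f /etc/openldap/slapd.conf -h 'ldapi://%%2Frun%%2Fslapd%%2Fldapi/????x-mod=0777 ldap://*:389 ldaps://*:636'
User=slapd
Group=slapd
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
LimitNOFILE=96
"""

# Constructed sample: the packaged default the thread complains about.
SAMPLE_ROOT = """\
[Service]
ExecStart=/usr/lib64/slapd -h 'ldap:/// ldaps:///'
"""

if __name__ == "__main__":
    for name, unit in (("hardened", SAMPLE_HARDENED), ("root", SAMPLE_ROOT)):
        print(name, review_unit(unit) or ["ok"])
```

Point it at a real unit with `review_unit(open("/etc/systemd/system/slapd.service").read())`; the ldapi:// URL is deliberately left alone since it carries no TCP port, and the systemd `%%` escapes are passed through untouched.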