Thank you for the input, Michael.
Probably Shawn did not mean running slapd in the container as root or not.
I understood Shawn that he wrote: The container must not run as root, and must work without any special privileges.
Anyway, you're absolutely free to use whatever command line you'd like to start slapd (CMD), independently of the RPMs you're using.
I see. Yes, the container as a non-privileged user is best.
- Must be able to add new modules/plugins (probably outside the container too). For example, we use bind-dyndb-ldap.
bind-dyndb-ldap is a BIND DNS server backend and not something the OpenLDAP project is responsible for. It does not make sense to add anything like this to a requirements list for an OpenLDAP server container.
Fair point. One can mount their own volumes to add anything extra. At least documenting this would be nice.
My only qualm about dockering OpenLDAP is the dependency on Docker, but it does not hurt to explore it.
There are various container run-times with different security properties. E.g. podman or sysbox allow running other containers or systemd inside an unprivileged container.
Ciao, Michael. (also not a container expert)
True. I mentioned Docker simply because it's one of the most popular right now.
Thanks!
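The two points above (a free-form CMD for slapd, and mounting your own volumes for extra modules) as a minimal Containerfile that starts slapd as an unprivileged user on a non-privileged port. This is an added example, not from the thread or the OpenLDAP project; the Debian package layout (/etc/ldap/slapd.d, /var/lib/ldap, user openldap) and the module mount point /opt/slapd-modules are assumptions.

```dockerfile
# Added example: slapd running as the unprivileged "openldap" user.
# Assumes the Debian slapd package; the paths below are Debian defaults
# except /opt/slapd-modules, which is a hypothetical mount point for
# site-specific backends/overlays that are NOT baked into the image.
FROM debian:bookworm-slim

ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get update \
 && apt-get install -y --no-install-recommends slapd ldap-utils \
 && rm -rf /var/lib/apt/lists/*

# Runtime directory for the pid file; slapd must be able to write it
# as the unprivileged user, so it is owned by openldap, not root.
RUN install -d -o openldap -g openldap /run/slapd

# Config, data and extra modules live on volumes. To load anything from
# /opt/slapd-modules, olcModulePath in cn=config has to include that path.
VOLUME ["/etc/ldap/slapd.d", "/var/lib/ldap", "/opt/slapd-modules"]

# 1389 is above 1024, so no CAP_NET_BIND_SERVICE is required.
EXPOSE 1389

# Drop to the unprivileged user before exec'ing slapd; no -u/-g needed.
USER openldap

# -d 256 (stats) keeps slapd in the foreground and logs to stderr,
# which is what a container runtime expects from PID 1.
CMD ["/usr/sbin/slapd", "-F", "/etc/ldap/slapd.d", "-h", "ldap://0.0.0.0:1389/", "-d", "256"]
```

With podman, `podman run --cap-drop=ALL -p 1389:1389 -v ./modules:/opt/slapd-modules:ro <image>` runs it without any capability at all, since nothing in the image needs one.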