Probably Shawn did not mean whether slapd runs in the container as root or not.
I understood Shawn as having written: the container must not run as root,
and must work without any special privileges.
Anyway, you're absolutely free to use whatever command line you'd like to
start slapd (CMD), independent of the RPMs you're using.
I see. Yes, running the container as a non-privileged user is best.
> 3. Must be able to add new modules/plugins. (probably outside the
> container too) For example, we use bind-dyndb-ldap
bind-dyndb-ldap is a BIND DNS server backend and not something the
OpenLDAP project is responsible for. It does not make sense to add anything
like this to a requirements list for an OpenLDAP server container.
Fair point. One can mount their own volumes to add anything extra. At least documenting this would be nice.
> My only qualm about dockering openldap is the dependency to docker, but
> does not hurt to explore it.
There are various container runtimes with different security
properties. E.g. podman or sysbox allow running other containers or
systemd inside an unprivileged container.
Ciao, Michael. (also not a container expert)
True. I mentioned docker simply because it's one of the most popular right now.
Thanks!
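As an added example (not code from this thread or from the OpenLDAP project), here is a Containerfile that meets the requirements discussed above: slapd runs as an unprivileged user, needs no capabilities, the start command is entirely the operator's choice, and extra modules arrive through a mounted volume rather than being baked into the image. The base image, package name, the `ldap-svc` account, the `/opt/ldap-modules` path and the 1389 port are all assumptions; adapt them to the RPMs you actually use.

```dockerfile
# Added example, not from the thread or the OpenLDAP project.
# Base image and package name are assumptions; use whatever RPMs you prefer.
FROM fedora:latest
RUN dnf -y install openldap-servers && dnf clean all

# Dedicated unprivileged account (assumed name); slapd never runs as root here.
RUN groupadd -r ldap-svc \
    && useradd -r -g ldap-svc -d /var/lib/ldap -s /sbin/nologin ldap-svc

# Config (cn=config), data and extra modules live on volumes owned by that
# user, so the image itself stays read-only and the data survives restarts.
RUN mkdir -p /etc/openldap/slapd.d /var/lib/ldap /opt/ldap-modules \
    && chown -R ldap-svc:ldap-svc /etc/openldap/slapd.d /var/lib/ldap /opt/ldap-modules
VOLUME ["/etc/openldap/slapd.d", "/var/lib/ldap", "/opt/ldap-modules"]

# An unprivileged process cannot bind ports below 1024 without
# CAP_NET_BIND_SERVICE, so listen on 1389 inside the container and let the
# runtime map it (podman run -p 389:1389 ...).
EXPOSE 1389

USER ldap-svc

# The start command is yours to choose: run slapd in the foreground (-d) so the
# container runtime supervises it, and use the cn=config directory (-F).
# Point olcModulePath in cn=config at /opt/ldap-modules for anything mounted in.
CMD ["slapd", "-d", "256", "-F", "/etc/openldap/slapd.d", "-h", "ldap://0.0.0.0:1389/"]
```

Two practical notes. First, slapd refuses to start with an empty `slapd.d`, so the config volume has to be populated once before the first run (for example with `slapadd -n 0 -F /etc/openldap/slapd.d -l config.ldif`, run as the same unprivileged user so the file ownership matches). Second, because nothing in the image needs root, the container can be started rootless with every capability dropped, which is the check worth keeping in a deployment script: `podman run --rm --cap-drop=ALL --security-opt no-new-privileges -p 389:1389 -v ./modules:/opt/ldap-modules:Z <image>`. If slapd still starts and answers on the mapped port under those options, the "no special privileges" requirement from the thread is actually met rather than merely intended.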