"Bliss, Aaron" abliss1@paychex.com wrote on 14.06.2022 at 17:03 in
message CH2PR02MB6216DEB37F4834391976FF52FCAA9@CH2PR02MB6216.namprd02.prod.outlook.com
Carsten, as a best practice, whenever possible services in general should be run within the context of a user that has the least amount of privilege possible.
In this case, it's entirely supported and straightforward to configure OpenLDAP to run as a non-privileged user and group and to further deploy additional hardening on the user object, such as setting the shell for that user to /sbin/nologin, !! in /etc/shadow for the password field, etc., i.e. systemd has long supported running services as a non-root user and again so do modern versions of Symas OpenLDAP:
https://repo.symas.com/soldap/systemd/
In a sense I would think that most enterprises would need to justify as to why they wouldn't deploy OpenLDAP with the service configured to use a non-privileged account.
Maybe I should mention one pitfall: when using slapadd to create databases, better run it as the user that runs slapd; otherwise they are owned by root, most likely ;-)
Best, Aaron
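The setup described above, as an added worked example that is not part of any message in this thread: a locked service account, a systemd drop-in that moves slapd out of root's context, slapadd run as that account, and an ownership check for the database directory. The user/group name "ldap", the unit name slapd.service, the database directory path and the use of runuser are assumptions; adjust them to your distribution and Symas layout.

```shell
#!/bin/sh
# Added example (not from the thread): run slapd as an unprivileged account.
# Assumed names: service user/group "ldap", DB dir /var/lib/openldap/openldap-data,
# unit "slapd.service". Override via environment if your layout differs.
SLAPD_USER=${SLAPD_USER:-ldap}
SLAPD_GROUP=${SLAPD_GROUP:-ldap}
DB_DIR=${DB_DIR:-/var/lib/openldap/openldap-data}

# Drop-in for /etc/systemd/system/slapd.service.d/override.conf (assumed path).
# User=/Group= is the point of the thread; the remaining directives are
# extra systemd sandboxing on top of it.
slapd_dropin() {
    cat <<EOF
[Service]
User=$SLAPD_USER
Group=$SLAPD_GROUP
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=full
EOF
}

# Create the hardened service account: system user, no login shell,
# and a locked password (usermod -L prefixes the shadow field with '!').
create_service_account() {
    getent group "$SLAPD_GROUP" >/dev/null || groupadd -r "$SLAPD_GROUP"
    getent passwd "$SLAPD_USER" >/dev/null || \
        useradd -r -g "$SLAPD_GROUP" -d "$DB_DIR" -s /sbin/nologin "$SLAPD_USER"
    usermod -L "$SLAPD_USER"
}

# The pitfall from the thread: slapadd run as root leaves root-owned DB files
# that slapd (now running as $SLAPD_USER) cannot open. Run it as the service
# user instead. $1 is the LDIF file to load.
slapadd_as_service_user() {
    runuser -u "$SLAPD_USER" -- slapadd -l "$1"
}

# Verify every file under a directory is owned by the expected user.
# Returns 0 when ownership is clean, 1 if any file is owned by someone else.
check_db_ownership() {
    dir=$1
    user=$2
    bad=$(find "$dir" ! -user "$user" 2>/dev/null | wc -l)
    [ "$bad" -eq 0 ]
}
```

Install the drop-in with `slapd_dropin > /etc/systemd/system/slapd.service.d/override.conf` followed by `systemctl daemon-reload`, then run `check_db_ownership "$DB_DIR" "$SLAPD_USER"` before starting the service.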
-----Original Message----- From: Carsten Jäckel carsten.jaeckel@tu-dortmund.de Sent: Monday, June 13, 2022 9:15 AM To: openldap-technical@openldap.org Subject: context of slapd service
Hello experts,
can you please give me some hints about best practice to run the slapd service? Is it advantageous to run slapd with its own service user/group (e.g. ldap:ldap), or is it recommended to run slapd as root (as it seems to be the default)? Can you tell me something about the advantages/disadvantages of each configuration?
Thank you for your support,
Carsten