Carsten, As a best practice whenever possible services in general should be run within the context of a user that has the least amount of privilege possible. In this case, it's entirely supported and straightforward to configure OpenLDAP to run as a non-privileged user and group and to further deploy additional hardening on the user object such as setting the shell for that user to /sbin/nologin, !! in /etc/shadow for the password field, etc. I.e. systemd has long supported running services as a non-root user and again so do modern versions of Symas OpenLDAP:
https://repo.symas.com/soldap/systemd/
In a sense I would think that most enterprises would need to justify as to why they wouldn't deploy OpenLDAP with the service configured to use a non-privileged account.
Best, Aaron
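The non-root setup Aaron describes, as an added example that is not part of the thread or of the Symas packages: a POSIX shell script that prints a systemd drop-in for slapd and provides two audit helpers (which user a unit effectively runs as, and whether the service account has a non-login shell). The unit name slapd.service, the account ldap:ldap and the writable paths are assumptions; adjust them to your distribution.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the unit is slapd.service,
# the account is ldap:ldap and slapd writes under /var/lib/ldap and /run/slapd.

# Print a drop-in that makes slapd run as ldap:ldap. Install with:
#   mkdir -p /etc/systemd/system/slapd.service.d
#   slapd_dropin > /etc/systemd/system/slapd.service.d/override.conf
#   systemctl daemon-reload && systemctl restart slapd
slapd_dropin() {
    cat <<'EOF'
[Service]
User=ldap
Group=ldap
# Only needed when slapd itself binds 389/636 as the non-root user.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
ProtectSystem=strict
# Directories slapd must write to (assumed paths).
ReadWritePaths=/var/lib/ldap /run/slapd
PrivateTmp=yes
EOF
}

# Audit helper: print the effective User= across a unit file and its
# drop-ins (pass them in the order systemd applies them; later files win).
# Prints "root" when no User= is set, which is the default the thread warns about.
effective_user() {
    eu_user=root
    for f in "$@"; do
        [ -r "$f" ] || continue
        u=$(sed -n 's/^[[:space:]]*User=[[:space:]]*//p' "$f" | tail -n 1)
        [ -n "$u" ] && eu_user=$u
    done
    printf '%s\n' "$eu_user"
}

# Account check: read one /etc/passwd line (e.g. from `getent passwd ldap`)
# on stdin and return 0 only if the login shell is a nologin shell.
shell_is_nologin() {
    IFS=: read -r _name _pw _uid _gid _gecos _home shell
    case "$shell" in
        /sbin/nologin|/usr/sbin/nologin) return 0 ;;
        *) return 1 ;;
    esac
}
```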
-----Original Message-----
From: Carsten Jäckel carsten.jaeckel@tu-dortmund.de
Sent: Monday, June 13, 2022 9:15 AM
To: openldap-technical@openldap.org
Subject: context of slapd service
Hello experts,
can you please give me some hints about best practice to run the slapd service? Is it advantageous to run slapd with its own service user/group (e.g. ldap:ldap) or is it recommended to run slapd as root (as it seems to be the default)? Can you tell me something about the advantages/disadvantages of each configuration?
Thank you for your support,
Carsten