[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: slapd 2.2.24 will not start as non root user

To: "Brett @Google" <brett.maxfield@gmail.com>
Subject: Re: slapd 2.2.24 will not start as non root user
From: "Iain M Conochie" <iain@shihad.org>
Date: Tue, 1 Mar 2011 13:30:45 -0000 (UTC)
Cc: openldap-technical@openldap.org
Importance: Normal
In-reply-to: <AANLkTi=71HfMdfiyTpJsSQ2iCTFz=9Hnnm6DrCTZVGGk@mail.gmail.com>
References: <12984.213.253.31.220.1298564708.squirrel@www.shihad.org> <AANLkTimRkr2gAvw+FOEWx06GpJ2Rh_yf=cLqE_h8ApCY@mail.gmail.com> <13099.213.253.31.220.1298975458.squirrel@www.shihad.org> <AANLkTi=71HfMdfiyTpJsSQ2iCTFz=9Hnnm6DrCTZVGGk@mail.gmail.com>
User-agent: SquirrelMail/1.4.10a

> On Tue, Mar 1, 2011 at 8:30 PM, Iain M Conochie <iain@shihad.org> wrote:
>
>> > Does ldap://XXXXX.XXXXXXXX.XXX have a port >= 1024 at the end ?
>>
>> Nope
>>
>> >
>> > If default of 389,  must be root to listen.
>>
>> Interesting....
>>
>>
>> ps -ef |grep slapd
>> ldap     30749     1  0 10:23 ?        00:00:00
>> /opt/openldap/libexec/slapd -u ldap -g ldap -h ldap://XXXX02.XXXXXX.org
>> ldaps://XXXX02.XXXXXX.org
>>
>> netstat -anlp|grep slapd
>> tcp        0      0 192.168.1.36:389        0.0.0.0:*
>> LISTEN
>>     30749/slapd
>> tcp        0      0 192.168.1.36:636        0.0.0.0:*
>> LISTEN
>>     30749/slapd
>>
>> This is with version 2.4.13, which as you can see is running as user
>> ldap
>> and bound to 2 ports < 1024
>>
>
> A process that starts as root can choose to give up it's root permission
> after
> binding the privileged port, and switch to a given userid/group. I presume
> slapd switches to user "ldap", you don't need to be privileged to accept
> connections once the privileged listening socket has been bound by root.

Yup

>
> As a security feature, once the process gives up root permissions, it
> cannot
> get
> them back, but it can still use the socket previously bound by root as it
> keeps
> a reference to the socket so it can listen on it for connections.

Naturally. The reason I want to run slapd as user "ldap" is for this
reason. If I do not have to run something as root I do not :)

>
>
>> So slapd is able to start and bind to the port. I though this used a
>> mechanism like that of apache whereby the daemon starts as root and then
>> binds to the ports, then drops the privileges to the non-root user, or
>> am
>> I missing something?
>>
>
> Nope. Apache needs to start as root if listen port <1024, it then gives up
> it's
> permission for the worker threads that actually do the work. The session
> leader
> still runs as root, but it does not do any actual work but manage the
> non-root
> children.
>
<snip some very useful info I will look at later>

Well - I have managed to get 2.4.23 working starting as root and using the
-g and -u options to actually run as user ldap. 2.4.24 was NOT able to do
that giving the error above. Since I have a working version now I am
pretty happy.

However the error that 2.4.24 gives seems bizarre. I can do more testing
on this if you want further info; perhaps slapd is unable to find the user
ldap?

Thanks for your help

Cheers

Iain

>
> Cheers
> Brett
>

Follow-Ups:
- Re: slapd 2.2.24 will not start as non root user
  - From: Quanah Gibson-Mount <quanah@zimbra.com>

References:
- Re: slapd 2.2.24 will not start as non root user
  - From: "Brett @Google" <brett.maxfield@gmail.com>
- Re: slapd 2.2.24 will not start as non root user
  - From: "Iain M Conochie" <iain@shihad.org>
- Re: slapd 2.2.24 will not start as non root user
  - From: "Brett @Google" <brett.maxfield@gmail.com>

Prev by Date: Re: slapd 2.2.24 will not start as non root user
Next by Date: multiple certificates on one LDAP server
Index(es):
- Chronological
- Thread