Re: Running slapd as a non-root user
On Wed, 30 Jan 2008, Bill Sterns wrote:
> I'm currently running OpenLDAP 2.4.6 using SSL/TLS via OpenSSL 0.9.8b
> and Berkeley DB 4.6.21, which I built and installed from source as root.
> I'd like to be able to run slapd as a non-root user, as I've seen other
> packaged OpenLDAP distributions do in the past. However, when I try to
> run it as a non-root user, OpenLDAP does not have permission to access
> various things, such as slapd.conf, the back-end database files, and the
> directory to create its pid file when it starts up. I've tinkered with
> the file/group ownership and permissions for these files, and I've
> managed to get it running as a non-root user, but I'm not sure if this
> is the ideal way to do it. Is there a recommended way to do this?
Start it as root, and use the "-u" and "-g" flags; this is the recommended
(if not the only) way to do it.
> Am I going about this the right way? Is running OpenLDAP as a non-root
> user a non-recommended thing to do when using an installation built from
> source? And are there any other gotchas that might cause problems later?
> One possible problem I can think of is if the database needs to be wiped
> and recreated from a backed-up LDIF file using slapadd; if slapadd is
> run as root, the permissions would have to be reset on the database
> files before slapd could start up.
You won't be able to bind to port 389 as a non-root user. There's also
the matter of resource limits.
Dave Horsfall DTM VK2KFU Ph: +61 2 9552-5509 (direct) +61 2 9552-5500 (switch)
Corinthian Eng'ng P/L, Ste 54 Jones Bay Whf, 26-32 Pirrama Rd, Pyrmont 2009, AU
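The reply's advice, with the permission and slapadd gotchas from the question, put together as an added example. This is not code from the thread or from the OpenLDAP project. It assumes the 2.4 source-build defaults under /usr/local, a service account named ldap:ldap, a slapd.conf-style configuration, and that sudo is available for the slapadd step; all of those are assumptions, not facts from the thread.

```shell
#!/bin/sh
# Added example for the thread above, not code from the OpenLDAP project.
# Assumptions (not stated in the thread): slapd was built with the 2.4
# defaults under /usr/local, the service account is ldap:ldap, slapd.conf
# (not cn=config) is in use, and sudo is available for the slapadd step.
set -u

PREFIX=${PREFIX:-/usr/local}
SLAPD_USER=${SLAPD_USER:-ldap}
SLAPD_GROUP=${SLAPD_GROUP:-ldap}
SLAPD_CONF="$PREFIX/etc/openldap/slapd.conf"
SLAPD_DATA="$PREFIX/var/openldap-data"
SLAPD_RUN="$PREFIX/var/run"

# What slapd needs after it has dropped from root to user:group:
# read slapd.conf, read/write the BDB environment, write slapd.pid/slapd.args.
# Arguments: user group conf data_dir run_dir
prepare_perms() {
    user=$1 group=$2 conf=$3 data=$4 run=$5
    chgrp "$group" "$conf" && chmod 640 "$conf"      # owner (root) keeps write; group reads only
    chown -R "$user:$group" "$data"                  # *.bdb, __db.*, log.*, alock
    chmod 700 "$data" && chmod -R go-rwx "$data"     # directory contents are secrets
    chown "$user:$group" "$run" && chmod 755 "$run"  # pid/args files are written here
}

# The gotcha raised in the question: anything run as root inside the data
# directory (slapadd, db_recover) leaves root-owned files that slapd can no
# longer open once it has switched users. Print how many files in dir are
# not owned by the service user.
# Arguments: user dir
files_not_owned_by() {
    find "$2" ! -user "$1" | wc -l | tr -d ' '
}

# slapd is started as root so it can bind 389 and 636, and switches to
# user:group itself via -u/-g. Resource limits survive the setuid, so the
# open-file limit is raised here, in the root shell, not in the ldap account.
start_slapd() {
    ulimit -n 4096
    slapd -u "$SLAPD_USER" -g "$SLAPD_GROUP" -f "$SLAPD_CONF" -h "ldap:/// ldaps:///"
}

# Rebuild the database from an LDIF backup without creating root-owned files:
# with slapd stopped and the old database files already removed, run slapadd
# as the service account itself (slapadd has no -u/-g switch; its own -u is
# dry-run mode), then verify ownership and repair it if needed.
# Arguments: user group conf data_dir ldif
reload_from_ldif() {
    user=$1 group=$2 conf=$3 data=$4 ldif=$5
    sudo -u "$user" slapadd -f "$conf" -l "$ldif" || return 1
    if [ "$(files_not_owned_by "$user" "$data")" -ne 0 ]; then
        echo "repairing ownership of $data after slapadd" >&2
        chown -R "$user:$group" "$data"
    fi
}
```

Typical use as root is prepare_perms "$SLAPD_USER" "$SLAPD_GROUP" "$SLAPD_CONF" "$SLAPD_DATA" "$SLAPD_RUN" once after installation, start_slapd from the boot script, and reload_from_ldif with the backup LDIF whenever the database has to be recreated. Running slapadd under the service account avoids the ownership reset the question anticipates; the files_not_owned_by check is there to catch the case where someone ran it as root anyway.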