--On Tuesday, October 19, 2021 1:00 AM -0700 "Paul B. Henson"
<[email protected]> wrote:
> I'm testing openldap 2.5 in preparation for migrating my production
> services, and I noticed that the 2.5 RPMs no longer create an ldap user
> and instead run slapd as root by default? Is this because they're no
> longer intended to replace the system bundled openldap packages? It
> seems undesirable from a security perspective to run slapd as root
> rather than a dedicated service account.
>
> I see there's a note about updating the startup options to run as a
> service account here:
>
> https://repo.symas.com/soldap/systemd/
>
> but the ldap user/group used as an example won't exist unless the system
> RPMs or the 2.4 RPMs have been previously installed or the user is
> created manually.

If you want it to run as a non-root user, it's on you to configure it as
such, including said user. The majority of Symas customers run as root.
So yes, this is intentional and due to the fact that it's not attempting to
be the replacement of the system bundled OpenLDAP. You're free to run
things as best fits your environment.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
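The "it's on you" part of the answer, worked through as an added example: a shell script, not code from Symas or from either poster, that creates the service account Paul notes is missing, drops a systemd override so slapd runs under it, re-owns the data directories, and then checks what user the unit actually resolves to. Everything about the Symas layout is an assumption here, not something the thread states: the unit name `slapd.service`, the directories `/var/symas/openldap-data`, `/var/symas/run` and `/opt/symas/etc/openldap`, and the account name `ldap`. The `AmbientCapabilities=CAP_NET_BIND_SERVICE` line is also the example's own choice, added because a non-root slapd cannot otherwise bind port 389 or 636 (the alternative is leaving the unit as root and passing `-u ldap -g ldap` so slapd itself drops privileges after binding).

```shell
#!/bin/sh
# Added example, not Symas's packaging or the list posters' code.
# Assumed (not from the thread): unit slapd.service, Symas paths below,
# account name "ldap". Override with LDAP_USER / SLAPD_DIRS / SLAPD_UNIT.
LDAP_USER=${LDAP_USER:-ldap}
LDAP_GROUP=${LDAP_GROUP:-ldap}
SLAPD_UNIT=${SLAPD_UNIT:-slapd}
SLAPD_DIRS=${SLAPD_DIRS:-"/var/symas/openldap-data /var/symas/run /opt/symas/etc/openldap"}
DROPIN_DIR="/etc/systemd/system/$SLAPD_UNIT.service.d"

# Drop-in that only overrides the identity; the vendor unit stays untouched,
# so RPM upgrades cannot silently put slapd back on root.
# CAP_NET_BIND_SERVICE is needed for 389/636 once User= is not root.
render_override() {
    printf '[Service]\nUser=%s\nGroup=%s\nAmbientCapabilities=CAP_NET_BIND_SERVICE\n' "$1" "$2"
}

# Read unit text on stdin and print the user it will run as.
# systemd semantics: last User= wins, and an unset or empty User= means root.
# Feed it "systemctl cat" output to see the merged unit plus drop-ins.
effective_user() {
    awk -F= '/^[ \t]*User[ \t]*=/ { u = $2 }
             END { gsub(/^[ \t]+|[ \t]+$/, "", u); if (u == "") u = "root"; print u }'
}

# Full procedure; needs root and a real host, so only run via "apply".
apply() {
    getent group "$LDAP_GROUP" >/dev/null 2>&1 || groupadd -r "$LDAP_GROUP"
    getent passwd "$LDAP_USER" >/dev/null 2>&1 || \
        useradd -r -g "$LDAP_GROUP" -d /var/symas -s /sbin/nologin "$LDAP_USER"

    mkdir -p "$DROPIN_DIR"
    render_override "$LDAP_USER" "$LDAP_GROUP" > "$DROPIN_DIR/user.conf"

    # slapd must own its database, PID/socket dir and cn=config tree.
    for d in $SLAPD_DIRS; do
        if [ -d "$d" ]; then chown -R "$LDAP_USER:$LDAP_GROUP" "$d"; fi
    done

    systemctl daemon-reload
    systemctl restart "$SLAPD_UNIT"

    # Verify both the merged unit definition and the live process.
    echo "unit runs as:    $(systemctl cat "$SLAPD_UNIT" | effective_user)"
    echo "process runs as: $(ps -o user= -C slapd | sort -u | tr '\n' ' ')"
}

case "${1:-}" in
    apply)
        if [ "$(id -u)" -ne 0 ]; then echo "apply needs root" >&2; exit 1; fi
        apply ;;
    *)  # Default: just show the drop-in that would be written.
        render_override "$LDAP_USER" "$LDAP_GROUP" ;;
esac
```

Run with no arguments to preview the drop-in, or `sh slapd-nonroot.sh apply` as root to do the change. After the restart, `systemctl cat slapd | effective_user` should print `ldap` and `ps -o user= -C slapd` should agree; if the unit starts and then dies with a bind error, the capability line did not take effect (or the systemd version is too old for `AmbientCapabilities=`), and the `-u`/`-g` route is the fallback.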