On 10/19/21 17:10, Quanah Gibson-Mount wrote:
> --On Tuesday, October 19, 2021 1:00 AM -0700 "Paul B. Henson" <[email protected]> wrote:
>
>> I'm testing openldap 2.5 in preparation for migrating my production
>> services, and I noticed that the 2.5 RPMs no longer create an ldap user
>> and instead run slapd as root by default?
>
> If you want it to run as a non-root user, it's on you to configure it as such, including said user. The majority of Symas customers run as root.

IMHO there's no good reason to let systemd start slapd as root.

Binding to so-called "privileged ports" can be achieved by setting these options in the systemd unit:

CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE

Also it's good practice to use systemd's sandboxing options based on Linux namespaces. Read about various options called Protect*= and Private*= in systemd.exec(5).

Nevertheless I also recommend adding a custom service account and setting ownership/permissions with decent config management instead of adding this to an RPM .spec or Debian package.

Find below ae-slapd.service generated by Æ-DIR's ansible role.

Ciao, Michael.

# /etc/systemd/system/ae-slapd.service
#-----------------------------------------------------------------------
# initiate:   systemctl enable ae-slapd.service
# start:      systemctl start ae-slapd.service
# get status: systemctl status ae-slapd.service
#
# Ansible managed: ansible-homelan/master
#-----------------------------------------------------------------------

[Unit]
Description=AE-DIR OpenLDAP server
Requires=local-fs.target network.target
After=local-fs.target network.target

[Service]
Type=simple
# preload tcmalloc as slapd's allocator; LDAPNOINIT keeps libldap from reading ldap.conf/ldaprc defaults
Environment=LD_PRELOAD=/usr/lib64/libtcmalloc.so.4
Environment=LDAPNOINIT=1
PIDFile=/run/ae-dir/slapd/slapd.pid
# '%' must be doubled in unit files, so %%2F reaches slapd as the URL-escaped '/' of the ldapi socket path
ExecStart=/usr/lib64/slapd -d none -n ae-slapd -l LOCAL4 -s 7 -f /opt/ae-dir/etc/openldap/slapd.conf -h 'ldapi://%%2Frun%%2Fae-dir%%2Fslapd%%2Fldapi/????x-mod=0777 ldap://*:389 ldaps://*:636' -o slp=off
WorkingDirectory=/run/ae-dir/slapd
# dedicated unprivileged service account, created by config management rather than by the package
User=ae-dir-slapd
Group=ae-dir-slapd
# the only capability slapd needs as non-root: binding ports 389 and 636
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
LimitNOFILE=96
# slapd only needs TCP/IP sockets plus the ldapi:// Unix domain socket
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
# various hardening options from ansible var aedir_systemd_hardening
UMask=0077
PrivateUsers=no
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=full
ProtectProc=invisible
ProtectHome=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectHostname=yes
ProtectClock=yes
NoNewPrivileges=yes
MountFlags=private
SystemCallArchitectures=native
LockPersonality=yes
KeyringMode=private
RestrictRealtime=yes
RestrictNamespaces=yes
RestrictSUIDSGID=yes
DevicePolicy=closed
MemoryDenyWriteExecute=yes
# '~' negates the list: deny these syscall groups, allow everything else
SystemCallFilter=~ @clock @cpu-emulation @debug @keyring @module @mount @raw-io @reboot @swap @obsolete @chown @privileged @resources @pkey @setuid @timer
# additionally confine the process with an AppArmor profile
AppArmorProfile=ae-slapd

[Install]
WantedBy=multi-user.target
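A small checker for the two points above (run slapd under a service account holding only CAP_NET_BIND_SERVICE, and sandbox it with the Protect*/Private* options), written as an added example that is not part of the post or of the Æ-DIR ansible role: it lints the [Service] section of a unit against a baseline of directives chosen here, and decodes the CapEff mask from /proc/<pid>/status so you can confirm on a live host that the running slapd really holds nothing but CAP_NET_BIND_SERVICE. The sample unit texts and the status excerpts are constructed, and the directive baseline is this example's assumption, not a systemd-defined one.

```python
"""Lint a systemd unit for the slapd hardening discussed above and decode a
process's effective capability mask. Added example; the checked directive set,
sample units and /proc status excerpts are constructed here for illustration."""
import re

# Linux capability numbers in kernel order: bit i of a mask is CAP_NAMES[i].
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
    "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
    "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW",
    "CAP_IPC_LOCK", "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT",
    "CAP_SYS_PTRACE", "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE",
    "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE",
    "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
    "CAP_PERFMON", "CAP_BPF", "CAP_CHECKPOINT_RESTORE",
]

ALLOWED_CAPS = {"CAP_NET_BIND_SERVICE"}   # the one capability slapd needs for ports 389/636


def _yes(v):
    return v.lower() in ("yes", "true", "on", "1")


def _capset_ok(v):
    # Require an allow-list of at most CAP_NET_BIND_SERVICE; a '~' deny-list is
    # rejected because it leaves every capability it does not name.
    return not v.startswith("~") and set(v.split()) <= ALLOWED_CAPS


# [Service] directives this checker insists on (assumption: a minimal baseline
# drawn from the post, not a complete systemd hardening catalogue).
CHECKS = {
    "User": lambda v: v not in ("", "root", "0"),
    "CapabilityBoundingSet": _capset_ok,
    "AmbientCapabilities": _capset_ok,
    "NoNewPrivileges": _yes,
    "ProtectSystem": lambda v: v in ("full", "strict") or _yes(v),
    "ProtectHome": _yes,
    "PrivateTmp": _yes,
    "PrivateDevices": _yes,
}


def parse_unit(text):
    """Parse unit-file text into {section: {key: value}}. A repeated key keeps
    its last value, which is enough for the single-valued directives checked."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def audit_service(text):
    """Return a sorted list of findings; an empty list means the unit passes."""
    svc = parse_unit(text).get("Service", {})
    findings = []
    for key, ok in CHECKS.items():
        if key not in svc:
            findings.append(f"{key}: missing")
        elif not ok(svc[key]):
            findings.append(f"{key}: weak value {svc[key]!r}")
    return sorted(findings)


def decode_caps(mask_hex):
    """Turn a hex capability mask (as printed in /proc/<pid>/status) into names."""
    mask = int(mask_hex, 16)
    return {CAP_NAMES[i] if i < len(CAP_NAMES) else f"CAP_{i}"
            for i in range(mask.bit_length()) if mask >> i & 1}


def effective_caps(status_text):
    """Extract and decode the CapEff line of a /proc/<pid>/status dump."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.M)
    if not m:
        raise ValueError("no CapEff line in status text")
    return decode_caps(m.group(1))


# Constructed samples: the packaging default (root, no sandbox) next to a
# trimmed version of the hardened unit.
WEAK_UNIT = """[Service]
ExecStart=/usr/lib64/slapd -d none -h 'ldap://*:389 ldaps://*:636'
"""
HARDENED_UNIT = """[Service]
ExecStart=/usr/lib64/slapd -d none -h 'ldap://*:389 ldaps://*:636'
User=ae-dir-slapd
Group=ae-dir-slapd
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=full
ProtectHome=yes
NoNewPrivileges=yes
"""
# Constructed /proc/<pid>/status excerpts: bit 10 only (non-root) vs. all 41 bits (root).
STATUS_NONROOT = "Name:\tslapd\nUid:\t993\t993\t993\t993\nCapEff:\t0000000000000400\n"
STATUS_ROOT = "Name:\tslapd\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"

if __name__ == "__main__":
    for name, unit in (("weak", WEAK_UNIT), ("hardened", HARDENED_UNIT)):
        print(name, audit_service(unit) or "OK")
    print("non-root CapEff:", sorted(effective_caps(STATUS_NONROOT)))
    print("root CapEff count:", len(effective_caps(STATUS_ROOT)))
```

On a real host, feed effective_caps() the output of cat /proc/$(systemctl show -p MainPID --value ae-slapd.service)/status after the service is up; systemd's own, far more complete, scoring of the same unit is available with systemd-analyze security ae-slapd.service.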
