On 19Oct21 18:17+0200, Michael Ströder wrote:
> On 10/19/21 17:10, Quanah Gibson-Mount wrote:
> > --On Tuesday, October 19, 2021 1:00 AM -0700 "Paul B. Henson"
> > <[email protected]> wrote:
> >
> > > I'm testing openldap 2.5 in preparation for migrating my production
> > > services, and I noticed that the 2.5 RPMs no longer create an ldap user
> > > and instead run slapd as root by default?
> >
> > If you want it to run as a non-root user, it's on you to configure it as
> > such, including said user. The majority of Symas customers run as root.
>
> IMHO there's no good reason to let systemd start slapd as root.

+1

> Binding to so-called "privileged ports" can be achieved by setting these
> options in the systemd unit:

Alternatively, the old way: slapd still supports the -u/-g options.

> Find below ae-slapd.service generated by Æ-DIR's ansible role.

Thanks. This is interesting. Just some comments inline:

> [Unit]
> Description=AE-DIR OpenLDAP server
> Requires=local-fs.target network.target
> After=local-fs.target network.target
>
> [Service]
> Type=simple
> Environment=LD_PRELOAD=/usr/lib64/libtcmalloc.so.4
> Environment=LDAPNOINIT=1
> PIDFile=/run/ae-dir/slapd/slapd.pid

Still need a pidfile?

> ExecStart=/usr/lib64/slapd -d none -n ae-slapd -l LOCAL4 -s 7 -f
> /opt/ae-dir/etc/openldap/slapd.conf -h
> 'ldapi://%%2Frun%%2Fae-dir%%2Fslapd%%2Fldapi/????x-mod=0777 ldap://*:389
> ldaps://*:636' -o slp=off

Listening in plaintext on all interfaces might be discouraged.

> WorkingDirectory=/run/ae-dir/slapd
> User=ae-dir-slapd
> Group=ae-dir-slapd
> CapabilityBoundingSet=CAP_NET_BIND_SERVICE
> AmbientCapabilities=CAP_NET_BIND_SERVICE

This is nice; I'm thinking about adopting that and abandoning -u/-g.

> LimitNOFILE=96

This could be too low, depending on use case. It limits the number of incoming connections.

> RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
> # various hardening options from ansible var aedir_systemd_hardening
> [...]

Cheers,

-- 
Bastian Tweddell
Juelich Supercomputing Centre
HPC in Neuroscience, HPS
Forschungszentrum Juelich GmbH, 52425 Juelich
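One way to verify that a deployed unit actually delivers what the ae-slapd.service above intends (slapd running as a non-root user whose effective and bounding capability sets hold nothing beyond CAP_NET_BIND_SERVICE) is to read the process's /proc/<pid>/status. This is an added example, not code from the thread or from Æ-DIR; it assumes the Linux /proc status format (CapEff/CapBnd as 64-bit hex masks, CAP_NET_BIND_SERVICE = capability number 10) and uses constructed sample status text in place of a live process.

```shell
#!/bin/sh
# Added example: audit a slapd process for the non-root, least-capability
# posture configured by User=/Group=/CapabilityBoundingSet=/AmbientCapabilities=.

# CAP_NET_BIND_SERVICE is capability number 10, i.e. bit 10 of the mask.
NET_BIND_MASK=$(( 1 << 10 ))

# check_caps LABEL HEXMASK: fail if HEXMASK has any bit other than NET_BIND.
check_caps() {
    mask=$(( 0x${2:-0} ))
    extra=$(( mask & ~NET_BIND_MASK ))
    if [ "$extra" -ne 0 ]; then
        printf 'FAIL: %s holds capabilities beyond CAP_NET_BIND_SERVICE (mask %s)\n' "$1" "$2"
        return 1
    fi
    return 0
}

# audit_status STATUS_TEXT: STATUS_TEXT is the content of /proc/<pid>/status.
# Returns 0 only when the uid is non-root and CapEff/CapBnd are limited to
# CAP_NET_BIND_SERVICE; otherwise prints the findings and returns 1.
audit_status() {
    status="$1"
    uid=$(printf '%s\n' "$status" | awk '/^Uid:/ { print $2 }')
    cap_eff=$(printf '%s\n' "$status" | awk '/^CapEff:/ { print $2 }')
    cap_bnd=$(printf '%s\n' "$status" | awk '/^CapBnd:/ { print $2 }')
    rc=0
    if [ "${uid:-0}" -eq 0 ]; then
        echo "FAIL: process runs as root (uid 0); set User=/Group= in the unit"
        rc=1
    fi
    check_caps CapEff "$cap_eff" || rc=1
    check_caps CapBnd "$cap_bnd" || rc=1
    if [ "$rc" -eq 0 ]; then
        echo "OK: uid $uid, capabilities limited to CAP_NET_BIND_SERVICE"
    fi
    return $rc
}

# Constructed sample status texts (only the lines the audit reads).
GOOD_STATUS=$(printf 'Name:\tslapd\nUid:\t995\t995\t995\t995\nCapEff:\t0000000000000400\nCapBnd:\t0000000000000400\n')
ROOT_STATUS=$(printf 'Name:\tslapd\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\n')
# Non-root but CapabilityBoundingSet= was omitted: bounding set still full.
WIDE_BND_STATUS=$(printf 'Name:\tslapd\nUid:\t995\t995\t995\t995\nCapEff:\t0000000000000400\nCapBnd:\t000001ffffffffff\n')

audit_status "$GOOD_STATUS"
audit_status "$ROOT_STATUS" || echo "(root sample fails as expected)"
audit_status "$WIDE_BND_STATUS" || echo "(wide bounding-set sample fails as expected)"
# Against a live service: audit_status "$(cat /proc/"$(pidof slapd)"/status)"
```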
