Hi! Wondering about "LimitNOFILE=96": Wouldn't that limit the open sockets (connections) as well?
Regards,
Ulrich

>>> Michael Ströder <[email protected]> wrote on 19.10.2021 at 18:17 in message <[email protected]>:
> On 10/19/21 17:10, Quanah Gibson-Mount wrote:
>> --On Tuesday, October 19, 2021 1:00 AM -0700 "Paul B. Henson"
>> <[email protected]> wrote:
>>
>>> I'm testing openldap 2.5 in preparation for migrating my production
>>> services, and I noticed that the 2.5 RPMs no longer create an ldap user
>>> and instead run slapd as root by default?
>>
>> If you want it to run as a non-root user, it's on you to configure it as
>> such, including said user. The majority of Symas customers run as root.
>
> IMHO there's no good reason to let systemd start slapd as root.
>
> Binding to so-called "privileged ports" can be achieved by setting these
> options in the systemd unit:
>
> CapabilityBoundingSet=CAP_NET_BIND_SERVICE
> AmbientCapabilities=CAP_NET_BIND_SERVICE
>
> Also it's good practice to use systemd's sandboxing options based on
> Linux namespaces. Read about various options called Protect*= and
> Private*= in systemd.exec(5).
>
> Nevertheless I also recommend adding a custom service account and setting
> ownership/permissions with decent config management instead of adding
> this to a RPM .spec or Debian package.
>
> Find below ae-slapd.service generated by Æ-DIR's ansible role.
>
> Ciao, Michael.
>
> # /etc/systemd/system/ae-slapd.service
> #-----------------------------------------------------------------------
> # initiate:   systemctl enable ae-slapd.service
> # start:      systemctl start ae-slapd.service
> # get status: systemctl status ae-slapd.service
> #
> # Ansible managed: ansible-homelan/master
> #-----------------------------------------------------------------------
>
> [Unit]
> Description=AE-DIR OpenLDAP server
> Requires=local-fs.target network.target
> After=local-fs.target network.target
>
> [Service]
> Type=simple
> Environment=LD_PRELOAD=/usr/lib64/libtcmalloc.so.4
> Environment=LDAPNOINIT=1
> PIDFile=/run/ae-dir/slapd/slapd.pid
> ExecStart=/usr/lib64/slapd -d none -n ae-slapd -l LOCAL4 -s 7 -f /opt/ae-dir/etc/openldap/slapd.conf -h 'ldapi://%%2Frun%%2Fae-dir%%2Fslapd%%2Fldapi/????x-mod=0777 ldap://*:389 ldaps://*:636' -o slp=off
> WorkingDirectory=/run/ae-dir/slapd
> User=ae-dir-slapd
> Group=ae-dir-slapd
> CapabilityBoundingSet=CAP_NET_BIND_SERVICE
> AmbientCapabilities=CAP_NET_BIND_SERVICE
> LimitNOFILE=96
> RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
> # various hardening options from ansible var aedir_systemd_hardening
> UMask=0077
> PrivateUsers=no
> PrivateTmp=yes
> PrivateDevices=yes
> ProtectSystem=full
> ProtectProc=invisible
> ProtectHome=yes
> ProtectKernelModules=yes
> ProtectKernelTunables=yes
> ProtectKernelLogs=yes
> ProtectControlGroups=yes
> ProtectHostname=yes
> ProtectClock=yes
> NoNewPrivileges=yes
> MountFlags=private
> SystemCallArchitectures=native
> LockPersonality=yes
> KeyringMode=private
> RestrictRealtime=yes
> RestrictNamespaces=yes
> RestrictSUIDSGID=yes
> DevicePolicy=closed
> MemoryDenyWriteExecute=yes
> SystemCallFilter=~ @clock @cpu-emulation @debug @keyring @module @mount @raw-io @reboot @swap @obsolete @chown @privileged @resources @pkey @setuid @timer
> AppArmorProfile=ae-slapd
>
> [Install]
> WantedBy=multi-user.target
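An added example, not code from this thread or from Æ-DIR: a small Python audit of a unit's [Service] section that checks for the dedicated user, the capability bounding set and the Protect*=/Private*= sandboxing options Michael lists, and flags a small LimitNOFILE= because RLIMIT_NOFILE covers every descriptor, listening and client sockets included. The sample unit text (cut down from the quoted ae-slapd.service), the 1024 threshold and the option subset in EXPECTED are constructed for the example.

```python
import configparser

# Constructed sample, cut down from the ae-slapd.service quoted above
# (not the file generated by the Æ-DIR ansible role).
SAMPLE_UNIT = """\
[Service]
User=ae-dir-slapd
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
LimitNOFILE=96
ProtectSystem=full
ProtectHome=yes
PrivateTmp=yes
NoNewPrivileges=yes
"""

# Sandboxing options the message recommends, and values systemd reads as "on".
EXPECTED = ("PrivateTmp", "PrivateDevices", "ProtectSystem", "ProtectHome",
            "ProtectKernelTunables", "NoNewPrivileges")
ENABLED = {"yes", "true", "on", "1", "full", "strict"}


def parse_service(unit_text):
    """Return the [Service] section as a dict; repeated keys keep the last value."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # systemd option names are case-sensitive
    cp.read_string(unit_text)
    return dict(cp["Service"]) if cp.has_section("Service") else {}


def soft_nofile(value):
    """Soft limit from LimitNOFILE= ("96", "1024:4096"); "infinity" -> None."""
    soft = value.split(":")[0].strip()
    return None if soft == "infinity" else int(soft)


def audit(service, min_nofile=1024):
    """Return a list of hardening gaps; an empty list means every check passed."""
    findings = []
    if service.get("User", "root") == "root":
        findings.append("runs as root: set User= to a dedicated service account")
    for key in EXPECTED:
        if service.get(key, "no").lower() not in ENABLED:
            findings.append(f"{key} is not enabled")
    if "CapabilityBoundingSet" not in service:
        findings.append("CapabilityBoundingSet= unset: all capabilities retained")
    soft = soft_nofile(service.get("LimitNOFILE", "infinity"))
    # RLIMIT_NOFILE counts every fd, sockets included, so it caps connections too.
    if soft is not None and soft < min_nofile:
        findings.append(f"LimitNOFILE={soft} below {min_nofile}: sockets count too")
    return findings
```

Run `audit(parse_service(open("/etc/systemd/system/ae-slapd.service").read()))` against a real unit; on the sample it reports the two missing Protect*/Private* options and the low LimitNOFILE.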
