>>> "Bliss, Aaron" <[email protected]> wrote on 14.06.2022 at 17:03 in message <ch2pr02mb6216deb37f4834391976ff52fc...@ch2pr02mb6216.namprd02.prod.outlook.com>
> Carsten,
> As a best practice whenever possible services in general should be run
> within the context of a user that has the least amount of privilege possible.
> In this case, it's entirely supported and straightforward to configure
> OpenLDAP to run as a non-privileged user and group and to further deploy
> additional hardening on the user object such as setting the shell for that
> user to /sbin/nologin, !! in /etc/shadow for the password field, etc. I.E.
> systemd has long supported running services as a non-root user and again so
> do modern versions of Symas OpenLDAP:
>
> https://repo.symas.com/soldap/systemd/
>
> In a sense I would think that most enterprises would need to justify as to
> why they wouldn't deploy OpenLDAP with the service configured to use a
> non-privileged account.

Maybe I should mention one pitfall: When using slapadd to create databases, better run it as the user that runs slapd; otherwise they are owned by root, most likely ;-)

>
> Best,
> Aaron
>
> -----Original Message-----
> From: Carsten Jäckel <[email protected]>
> Sent: Monday, June 13, 2022 9:15 AM
> To: [email protected]
> Subject: context of slapd service
>
> Hello experts,
>
> can you please give me some hints about best practice to run the slapd
> service?
> Is it advantageous to run the slapd with its own service user/group (e. g.
> ldap:ldap) or is it recommended to run slapd as root (as it seems to be
> default)?
> Can you tell me something about advantages/disadvantages of each
> configuration?
>
> Thank you for your support,
>
> Carsten
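The hardening Aaron lists (unprivileged User=/Group= in the systemd unit, a nologin shell, a locked password field) and the slapadd ownership pitfall raised in the reply, as an added shell example that is not from this thread and not Symas or OpenLDAP project code. Everything in it is assumed for illustration: the service account name `ldap`, the database directory `/var/lib/ldap`, the drop-in path under `/etc/systemd/system/slapd.service.d/`, GNU coreutils `stat`, and `runuser` from util-linux; the passwd/shadow lines it checks are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread). Helpers for running slapd as an
# unprivileged service account. Assumed names: user/group "ldap",
# DB directory /var/lib/ldap, GNU coreutils stat, util-linux runuser.

# 1. A systemd drop-in that makes slapd start unprivileged. Written to the
#    path given as $1 so it can be rendered anywhere for inspection.
write_dropin() {
    cat > "$1" <<'EOF'
[Service]
User=ldap
Group=ldap
EOF
}

# 2. Read the User= value back from a unit or drop-in file; the last
#    assignment wins, matching how systemd treats repeated keys.
unit_user() {
    sed -n 's/^User=[[:space:]]*//p' "$1" | tail -n 1
}

# 3. Check the account hardening from Aaron's mail: a nologin/false shell in
#    the passwd entry and a locked password field ("!" or "*" prefix, e.g.
#    "!!") in the shadow entry. Takes the two raw lines as arguments so it
#    can be exercised on constructed data without reading /etc/shadow.
account_hardened() {
    passwd_line=$1
    shadow_line=$2
    shell=$(printf '%s\n' "$passwd_line" | cut -d: -f7)
    pw=$(printf '%s\n' "$shadow_line" | cut -d: -f2)
    case $shell in
        */nologin|*/false) ;;
        *) return 1 ;;
    esac
    case $pw in
        '!'*|'*'*) return 0 ;;
        *) return 1 ;;
    esac
}

# 4. The pitfall from the reply: a database created by slapadd run as root is
#    root-owned and an unprivileged slapd cannot open it afterwards. Report
#    every entry under the DB directory not owned by the service user;
#    returns 1 if any is found, 0 if all are owned correctly.
check_db_owner() {
    dir=$1
    want=$2
    bad=0
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || continue
        owner=$(stat -c %U "$f")   # GNU coreutils stat
        if [ "$owner" != "$want" ]; then
            printf 'wrong owner %s (want %s): %s\n' "$owner" "$want" "$f" >&2
            bad=1
        fi
    done
    return $bad
}

# 5. The safe way to load data: run slapadd as the service user so the new
#    database files are owned by it from the start.
slapadd_as() {
    user=$1; shift
    runuser -u "$user" -- slapadd "$@"
}

# Usage sketch on a real host (needs root):
#   write_dropin /etc/systemd/system/slapd.service.d/user.conf
#   systemctl daemon-reload
#   slapadd_as ldap -n 1 -l data.ldif
#   check_db_owner /var/lib/ldap "$(unit_user /etc/systemd/system/slapd.service.d/user.conf)"
```

Running `check_db_owner` after every `slapadd` (or as a pre-start check in the unit) catches the root-owned database before slapd fails to start; `account_hardened` is meant for a periodic audit of the service account rather than a one-off check.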
