default. Alternatively, you can assign any port number between 1025 and 65535 for the Directory Server and Administration Server ports; you are not required to use the defaults or the randomly-generated ports.

NOTE:

Although the valid range of port numbers is 1 to 65535, do not assign a Directory Server port number below 1024 (except 389 for LDAP, or 636 for LDAP with TLS/SSL). The Internet Assigned Numbers Authority (IANA) has already assigned ports 1 to 1023 to common processes.

When determining the port numbers to use, verify that the specified port numbers are not already in use by running a command like netstat.

For LDAPS (LDAP with TLS/SSL), the default port number is 636. The server can listen to both the LDAP and LDAPS port at the same time. However, the setup script will not allow you to configure TLS/SSL. To use LDAPS, assign the LDAP port number in the setup process, then reconfigure the Directory Server to use the LDAPS port and the other TLS/SSL parameters afterward. For information on how to configure LDAPS, see the HP-UX Directory Server administrator guide.

The Administration Server runs on a web server, so it uses HTTP or HTTPS. However, unlike the Directory Server, which can run on secure (LDAPS) and insecure (LDAP) ports at the same time, the Administration Server cannot run over both HTTP and HTTPS simultaneously. The setup script, setup-ds-admin.pl, does not allow you to configure the Administration Server to use TLS/SSL. To use TLS/SSL (meaning HTTPS) with the Administration Server, first set up the Administration Server to use HTTP, then reconfigure it to use HTTPS.

If you are using ports below 1024, such as the default LDAP port (389), you must run the setup script and start the servers as root. However, you do not have to set the server user ID to root. When the server starts, the server binds and listens to its port as root, then immediately drops its privileges and runs as the non-root server user ID. When the system restarts, the server is started as root by the init script. For more detailed technical information, see the setuid(2) manpage.

For more information about the server user ID, see “Directory Server user and group” (page 8).

1.2.2 Directory Server user and group

The setup process sets the user ID (UID) and group ID (GID) that the servers run as. The default UID is a non-privileged (non-root) user, www. HP strongly recommends using this default value. To simplify administration, you can use the same UID for both the Directory Server and the Administration Server. If you choose a different UID for each server, both UIDs must belong to the group assigned to the Directory Server.

For security reasons, HP strongly discourages you from setting the Directory Server or Administration Server user to root. If an attacker gains access to the server, he might be able to execute arbitrary system commands as the root user. Using a non-privileged UID adds another layer of security.

Listening to restricted ports as unprivileged users

Even though port numbers less than 1024 are restricted, the LDAP server can listen to port 389 (and any port number less than 1024), as long as the server is started by the root user or by init when the system starts up. The server first binds and listens to the restricted port as root, then immediately drops privileges to the non-root server UID. For more detailed technical information, see the setuid(2) manpage.
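The bind-as-root-then-drop sequence described here and in the port-numbers section, as an added example rather than code from HP-UX Directory Server: it assumes POSIX sockets and setuid APIs, the guide's default server user www, and hypothetical helper names (bind_listen, drop_privileges, port_is_acceptable).

```c
#define _DEFAULT_SOURCE 1
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <unistd.h>

/* Ports 1..1023 are IANA-reserved: binding one needs root at start-up. */
int port_is_privileged(int port) { return port >= 1 && port <= 1023; }

/* Ports the guide accepts for a manual choice: 389, 636, or 1025..65535. */
int port_is_acceptable(int port) {
    return port == 389 || port == 636 || (port >= 1025 && port <= 65535);
}

/* Open an IPv4 listening socket on `port` (loopback only); -1 on failure. */
int bind_listen(int port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons((unsigned short)port) };
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (fd < 0) return -1;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Permanent drop to uid/gid: supplementary groups, then gid, then uid (gid first,
   since after setuid a non-root process can no longer change its gid).
   Returns 0 on success, -1 if a step fails or root can still be regained. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (getuid() == 0 && setgroups(0, NULL) < 0) return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1; /* the drop must be irreversible */
    return 0;
}

/* Usage: ./bindrop [port] [user]; a port below 1024 requires starting as root. */
int main(int argc, char **argv) {
    int port = argc > 1 ? atoi(argv[1]) : 389;
    struct passwd *pw = getpwnam(argc > 2 ? argv[2] : "www"); /* guide's default UID */
    if (!pw || !port_is_acceptable(port)) return fprintf(stderr, "bad port or user\n"), 1;
    if (bind_listen(port) < 0) return perror("bind"), 1;
    if (drop_privileges(pw->pw_uid, pw->pw_gid) < 0) return perror("drop_privileges"), 1;
    printf("listening on %d as uid %d (euid %d)\n", port, (int)getuid(), (int)geteuid());
    return pause(), 0; /* a real server would accept() connections here */
}
```

After the drop, the process keeps the already-bound socket but can no longer bind another restricted port or regain root, which is the property the init-script start-up relies on.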

For more information on port numbers, see “Port numbers” (page 7).

1.2.3 Directory manager

The Directory Server setup creates a special user named the Directory Manager. The Directory Manager is a unique, powerful entry that is used to administer all user and configuration tasks.

8 Preparing for a Directory Server installation