Directory Server User and Group

Section 2.2, “Directory Server User and Group” has more information about the server user ID.

2.2. Directory Server User and Group

The setup process sets a user ID (UID) and group ID (GID) as which the servers will run. The default UID is a non-privileged (non-root) user, nobody on Red Hat Enterprise Linux and Solaris and daemon on HP-UX. Red Hat strongly recommends using this default value. The same UID can be used for both the Directory Server and the Administration Server, which simplifies administration. If you choose a different UID for each server, those UIDs must both belong to the group assigned to Directory Server.

For security reasons, Red Hat strongly discourages you from setting the Directory Server or Administration Server user to root. If an attacker gains access to the server, he might be able to execute arbitrary system commands as the root user. Using a non-privileged UID adds another layer of security.

Listening to Restricted Ports as Unprivileged Users.

Even though port numbers less than 1024 are restricted, the LDAP server can listen to port 389 (and any port number less than 1024), as long as the server is started by the root user or by init when the system starts up. The server first binds and listens to the restricted port as root, then immediately drops privileges to the non-root server UID. setuid(2) man page2 has detailed technical information.

Section 2.1, “Port Numbers” has more information on port numbers in Directory Server.

2.3. Directory Manager

The Directory Server setup creates a special user called the Directory Manager. The Directory Manager is a unique, powerful entry that is used to administer all user and configuration tasks. The Directory Manager is a special entry that does not have to conform to a Directory Server configured suffix; additionally, access controls. password policy, and database limits for size, time, and lookthrough limits do not apply to the Directory Manager. There is no directory entry for the Directory Manager user; it is used only for authentication. You cannot create an actual Directory Server entry that uses the same DN as the Directory Manager DN.

The Directory Server setup process prompts for a distinguished name (DN) and a password for the Directory Manager. The default value for the Directory Manager DN is cn=Directory Manager. The Directory Manager password must contain at least 8 characters which must be ASCII letters, digits, or symbols.

2.4. Directory Administrator

The Directory Server setup also creates an administrator user specifically for Directory Server and Administration Server server management, called the Directory Administrator. The Directory Administrator is the "super user" that manages all Directory Server and Administration Server

2http://grove.ufl.edu/cgi-bin/webman?SEARCH+man2+setuid.2.gz

3

Page 13
Image 13
HP UX Red Hat Direry Server Software manual Directory Server User and Group, Directory Manager, Directory Administrator