HP-UX Directory Server 8.1 installation guide

default. Alternatively, you can assign any port number between 1025 and 65535 for the Directory
Server and Administration Server ports; you are not required to use the defaults or the
randomly-generated ports.
NOTE:
Although the valid range of port numbers is 1 to 65535, do not assign a Directory Server port
number below 1024 (except 389 for LDAP, or 636 for LDAP with TLS/SSL). The Internet
Assigned Numbers Authority (IANA) has already assigned ports 1 to 1023 to common processes.
When determining the port numbers to use, verify that the specified port numbers are not already
in use by running a command like netstat.
For LDAPS (LDAP with TLS/SSL), the default port number is 636. The server can listen on both
the LDAP and LDAPS ports at the same time. However, the setup script will not allow you to
configure TLS/SSL. To use LDAPS, assign the LDAP port number in the setup process, then
reconfigure the Directory Server to use the LDAPS port and the other TLS/SSL parameters
afterward. For information on how to configure LDAPS, see the HP-UX Directory Server
administrator guide.
The Administration Server runs on a web server, so it uses HTTP or HTTPS. However, unlike
the Directory Server, which can run on secure (LDAPS) and insecure (LDAP) ports at the same
time, the Administration Server cannot run over both HTTP and HTTPS simultaneously. The
setup script, setup-ds-admin.pl, does not allow you to configure the Administration Server
to use TLS/SSL. To use TLS/SSL (meaning HTTPS) with the Administration Server, first set up
the Administration Server to use HTTP, then reconfigure it to use HTTPS.
If you are using ports below 1024, such as the default LDAP port (389), you must run the setup
script and start the servers as root. However, you do not have to set the server user ID to root.
When the server starts, the server binds and listens to its port as root, then immediately drops
its privileges and runs as the non-root server user ID. When the system restarts, the server is
started as root by the init script. For more detailed technical information, see the setuid(2)
manpage.
For more information about the server user ID, see “Directory Server user and group” (page 8).
1.2.2 Directory Server user and group
The setup process sets the user ID (UID) and group ID (GID) under which the servers run. The
default UID is a non-privileged (non-root) user, www. HP strongly recommends using this default
value. To simplify administration, you can use the same UID for both the Directory Server and
the Administration Server. If you choose a different UID for each server, these UIDs must belong
to the group assigned to Directory Server.
For security reasons, HP strongly discourages you from setting the Directory Server or
Administration Server user to root. If an attacker gains access to the server, he might be able
to execute arbitrary system commands as the root user. Using a non-privileged UID adds
another layer of security.
Listening to restricted ports as unprivileged users
Even though port numbers less than 1024 are restricted, the LDAP server can listen to port 389
(and any port number less than 1024), as long as the server is started by the root user or by init
when the system starts up. The server first binds and listens to the restricted port as root, then
immediately drops privileges to the non-root server UID. For more detailed technical information,
see the setuid(2) manpage.
For more information on port numbers, see “Port numbers” (page 7).
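The bind-then-drop sequence described here and under “Port numbers” above, as an added C example (not HP-UX Directory Server code): the listening socket is bound first, while the process is still root, then the process drops to the server UID and checks that root cannot be regained. The port and the user name are parameters; the guide's default user is www, and the check of a leftover way back to root is an assumption of this example, not something the guide specifies.

```c
#define _DEFAULT_SOURCE 1   /* glibc/musl: declare setgroups() in <grp.h>; harmless elsewhere */
#include <arpa/inet.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <sys/socket.h>
#include <unistd.h>

/* Listening TCP socket on loopback:port. A port below 1024 needs root here. */
int open_listener(unsigned short port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa = {0};
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(port);           /* port 0 lets the kernel choose one */
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Port actually bound, read back from the socket. */
int bound_port(int fd) {
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0) return -1;
    return ntohs(sa.sin_port);
}

/* Drop from root to `user` for good: groups and gid first (they still need root), uid last. */
int drop_privileges(const char *user) {
    if (getuid() != 0) return 0;             /* not root: nothing to drop */
    struct passwd *pw = getpwnam(user);
    if (!pw || pw->pw_uid == 0) return -1;   /* unknown user, or "dropping" to root */
    if (setgroups(1, &pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    return setuid(0) == 0 ? -1 : 0;          /* regaining root must fail */
}

/* The sequence the guide describes: bind while still root, then drop. */
int start_server(unsigned short port, const char *user) {
    int fd = open_listener(port);
    if (fd < 0) return -1;
    if (drop_privileges(user) != 0) { close(fd); return -1; }
    return fd;                               /* the bound socket survives the drop */
}
```

Run as root, `start_server(389, "www")` reproduces the guide's startup: the socket on port 389 stays open while the process continues as www.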
1.2.3 Directory manager
The Directory Server setup creates a special user named the Directory Manager. The Directory
Manager is a unique, powerful entry that is used to administer all user and configuration tasks.
8 Preparing for a Directory Server installation