Installation guide

Section 2.2, “Directory Server User and Group” has more information about the server user ID.
2.2. Directory Server User and Group
The setup process sets the user ID (UID) and group ID (GID) under which the servers run. The default UID is a non-privileged (non-root) user: nobody on Red Hat Enterprise Linux and Solaris, and daemon on HP-UX. Red Hat strongly recommends using this default value. The same UID can be used for both the Directory Server and the Administration Server, which simplifies administration. If you choose a different UID for each server, both UIDs must belong to the group assigned to Directory Server.
For security reasons, Red Hat strongly discourages you from setting the Directory Server or
Administration Server user to root. If an attacker gains access to the server, he might be able
to execute arbitrary system commands as the root user. Using a non-privileged UID adds
another layer of security.
Listening to Restricted Ports as Unprivileged Users
Even though port numbers less than 1024 are restricted, the LDAP server can listen on port 389 (or any other port number less than 1024) as long as the server is started by the root user or by init when the system starts up. The server first binds and listens on the restricted port as root, then immediately drops privileges to the non-root server UID. The setuid(2) man page [http://grove.ufl.edu/cgi-bin/webman?SEARCH+man2+setuid.2.gz] has detailed technical information.
Section 2.1, “Port Numbers” has more information on port numbers in Directory Server.
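The bind-then-drop sequence described above, as an added illustration that is not Directory Server's own code: the program binds the listening socket while still privileged, then switches irrevocably to an unprivileged UID/GID and verifies that root cannot be regained. It assumes Linux with glibc; the `bind_listen_port` and `drop_privileges` function names, the use of port 389 only when started as root (an ephemeral port otherwise), and the lookup of the `nobody` account are all choices made for this example.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Create a TCP socket listening on `port` on all IPv4 interfaces.
 * Ports below 1024 need root (or CAP_NET_BIND_SERVICE), so this must
 * run before the privilege drop. Returns the listening fd, or -1. */
int bind_listen_port(uint16_t port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;

    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_ANY);
    addr.sin_port = htons(port);

    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 ||
        listen(fd, 128) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Irrevocably switch the process to `uid`/`gid`.
 * Order matters: supplementary groups first (only root may clear them),
 * then the primary group, then the user; once setuid() has run, the
 * process can no longer change its groups. Returns 0 on success, -1 on
 * failure. After success a non-root target can never regain root. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Clear supplementary groups inherited from root. A non-root caller
     * is not allowed to call setgroups(), so skip it in that case. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Verify the drop: real and effective ids must match the target ... */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    /* ... and, for a non-root target, regaining root must now fail. */
    if (uid != 0 && setuid(0) != -1)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed demo: when started as root, bind 389 and drop to "nobody";
     * when started unprivileged, bind an ephemeral port and keep the caller's
     * own ids so the same sequence still runs end to end. */
    uid_t uid = getuid();
    gid_t gid = getgid();
    uint16_t port = 0;
    if (geteuid() == 0) {
        struct passwd *pw = getpwnam("nobody");
        if (!pw) {
            fputs("no 'nobody' account found\n", stderr);
            return 1;
        }
        uid = pw->pw_uid;
        gid = pw->pw_gid;
        port = 389;
    }

    int fd = bind_listen_port(port);      /* bind while still privileged */
    if (fd < 0) {
        perror("bind_listen_port");
        return 1;
    }
    if (drop_privileges(uid, gid) != 0) { /* then give up root for good */
        perror("drop_privileges");
        close(fd);
        return 1;
    }
    printf("fd %d stays open after the drop; now uid=%u gid=%u\n",
           fd, (unsigned)getuid(), (unsigned)getgid());
    close(fd);
    return 0;
}
```

The already-bound file descriptor survives the UID change, which is exactly why the bind must come first: after `setuid()` the process could no longer open port 389 itself. The check that `setuid(0)` fails guards against the classic mistake of only changing the effective UID (via `seteuid()`), which leaves the saved UID at 0 and lets a compromised process switch back to root.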
2.3. Directory Manager
The Directory Server setup creates a special user called the Directory Manager. The Directory
Manager is a unique, powerful entry that is used to administer all user and configuration tasks.
The Directory Manager is a special entry that does not have to conform to a Directory Server configured suffix; additionally, access controls, password policy, and database limits for size, time, and lookthrough limits do not apply to the Directory Manager. There is no directory entry for the Directory Manager user; it is used only for authentication. You cannot create an actual Directory Server entry that uses the same DN as the Directory Manager DN.
The Directory Server setup process prompts for a distinguished name (DN) and a password for
the Directory Manager. The default value for the Directory Manager DN is cn=Directory
Manager. The Directory Manager password must contain at least 8 characters which must be
ASCII letters, digits, or symbols.
2.4. Directory Administrator
The Directory Server setup also creates an administrator user specifically for Directory Server
and Administration Server server management, called the Directory Administrator. The Directory
Administrator is the "super user" that manages all Directory Server and Administration Server
instances through the Directory Server Console. Every Directory Server is configured to grant