Installation guide
NOTE
When determining the port numbers you will use, verify that the specified port numbers are not
already in use by running a command such as netstat -tln (or ss -tln), which lists the TCP ports that
already have a listener on the host.
If you are using ports below 1024, such as the default LDAP port (389), you must run the setup program
and start the servers as root, because only root can bind a port in that range. You do not, however, have
to set the server user ID to root. When it starts, the server binds and listens to its port as root, then
immediately drops its privileges and runs as the non-root server user ID. When the system restarts, the
init script starts the server as root in the same way. The setuid(2) man page has detailed technical
information.
Section 1.2.4, “Directory Server User and Group” has more information about the server user ID.
1.2.3. Firewall Considerations
The Directory Server instance may be on a different server or network than clients which need to access
it. For example, the Red Hat Certificate System subsystems require a Directory Server LDAP database to
store their certificate, key, and user information, but these servers do not need to be on the same
machine.
When installing Directory Server, make sure that you consider the location of the instance on the
network and that all firewalls, DMZs, and other network services allow the clients to reach the Directory
Server. There are two considerations about using firewalls with Directory Server and directory clients:
Protecting sensitive subsystems from unauthorized access
Allowing appropriate access to other systems and clients outside of the firewall
Make sure that the firewalls allow access to the Directory Server secure LDAPS port (636) and standard
LDAP port (389), so that any clients which must access the Directory Server instance are able to contact
it. Open these ports only to the networks and hosts that actually need the directory, rather than to all
sources.
1.2.4. Directory Server User and Group
The setup process sets a user ID (UID) and group ID (GID) as which the servers will run. The default
UID is a non-privileged (non-root) user, nobody on Red Hat Enterprise Linux. Red Hat strongly
recommends using this default value.
IMPORTANT
The same UID is used for both the Directory Server and the Admin Server by default, which
simplifies administration. If you choose a different UID for each server, those UIDs must both
belong to the group assigned to Directory Server.
For security reasons, Red Hat strongly discourages you from setting the Directory Server or Admin
Server user to root. If an attacker compromises the server process, they could execute arbitrary
system commands as the root user. Using a non-privileged UID limits such a compromise to what that
user is allowed to do and so adds another layer of security.
Listening to Restricted Ports as Unprivileged Users
Even though port numbers less than 1024 can only be bound by root, the LDAP server can listen on port
389 (or any other port number less than 1024) as long as the server is started by the root user or by
init when the system starts up. The server first binds and listens to the restricted port as root, then
immediately drops privileges to the non-root server UID. The setuid(2) man page has detailed technical
information.
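The bind-as-root-then-drop sequence described here and in the note at the top of this section is worth seeing in code, because the order of the privilege-dropping calls is where daemons typically get it wrong. The following is an added illustration written for this page, not Directory Server's own startup code: it binds a listener (port 389 by default, or whatever port is given on the command line), then switches to an unprivileged user (nobody by default) and verifies that root cannot be regained. The bind_listen_port and drop_privileges function names are this example's own.

```c
#define _DEFAULT_SOURCE
#include <arpa/inet.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Create a TCP listener on 127.0.0.1:port (port 0 lets the kernel choose an
 * ephemeral port). Binding a port below 1024 requires root, so a daemon calls
 * this before dropping privileges. Returns the listening fd or -1 on error. */
int bind_listen_port(uint16_t port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int one = 1;
    if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one) < 0) {
        close(fd);
        return -1;
    }
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(fd, 128) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Report the port a listening fd is actually bound to (useful after port 0). */
int bound_port(int fd)
{
    struct sockaddr_in addr;
    socklen_t len = sizeof addr;
    if (getsockname(fd, (struct sockaddr *)&addr, &len) < 0)
        return -1;
    return ntohs(addr.sin_port);
}

/* Irreversibly switch to uid/gid. Order matters: supplementary groups and the
 * primary group are changed first, because once the uid is no longer root the
 * process may not call setgroups() or setgid() any more. setuid() rather than
 * seteuid() is used so the saved set-user-ID is replaced too and root cannot
 * be regained later. Returns 0 on success, -1 on any failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) < 0)
        return -1;
    if (setgid(gid) < 0)
        return -1;
    if (setuid(uid) < 0)
        return -1;
    /* Verify the drop took effect and, for a non-root target, cannot be undone. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    /* Defaults mirror the guide: LDAP port 389, unprivileged user "nobody". */
    uint16_t port = argc > 1 ? (uint16_t)atoi(argv[1]) : 389;
    const char *user = argc > 2 ? argv[2] : "nobody";

    struct passwd *pw = getpwnam(user);
    if (!pw) {
        fprintf(stderr, "unknown user %s\n", user);
        return 1;
    }
    int fd = bind_listen_port(port);           /* still root here */
    if (fd < 0) {
        perror("bind/listen (ports below 1024 need root)");
        return 1;
    }
    if (drop_privileges(pw->pw_uid, pw->pw_gid) < 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("listening on port %d as uid %d gid %d\n", bound_port(fd),
           (int)getuid(), (int)getgid());
    /* The accept() loop would follow here, running entirely unprivileged. */
    close(fd);
    return 0;
}
```

Run it as root (for example, sudo ./bindrop 389 nobody) to see the listener opened on the restricted port while the process itself ends up as nobody; run it as an ordinary user with a port below 1024 and the bind fails, which is exactly why the guide requires root for setup and startup. The checks after setuid() are the part most daemons omit: if the drop silently fails, the process keeps running as root and the "extra layer of security" described in Section 1.2.4 is gone.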
Chapter 1. Preparing for a Directory Server Installation