Bug 185712

Summary: Documentation should be clear about server user id
Product: [Retired] 389
Reporter: Mont Rothstein <mont_rothstein>
Component: wiki
Assignee: Deon Ballard <dlackey>
Status: CLOSED CURRENTRELEASE
QA Contact: ecs-bugs
Severity: medium
Priority: high
Version: 1.0
CC: rcritten
Keywords: Documentation
Hardware: All
OS: Linux
URL: http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt
Doc Type: Bug Fix
Last Closed: 2012-06-21 23:14:56 UTC
Bug Blocks: 152373, 240316, 427409

Description Mont Rothstein 2006-03-17 01:34:54 UTC
Description of problem:

In the Fedora Directory Server install docs it is strongly suggested that FDS not be
run as root, and therefore that the default port not be used.  Following these
instructions, the ldapsearch commands in the Howto:AdminServerLDAPMgmt need a -p
option with the user's chosen LDAP server port.

Comment 1 Rob Crittenden 2006-03-17 13:42:13 UTC
Running as root and starting as root aren't the same thing.

In order to use a port < 1024 the server needs to start as root. Once the port
has been opened the server can drop root privileges and run as another user.
This is what is being recommended.

Comment 2 Mont Rothstein 2006-03-17 16:19:21 UTC
I won't argue that what you describe is the way it should be done; I don't know
enough to have an opinion, but that isn't what the docs currently describe.

From:
http://www.redhat.com/docs/manuals/dir-server/install/7.1/sn.prepare.decide.html#SN.PREPARE.UNIQUE.PORT

"Directory Server must be run as root if it will listen on either port 389 or 636."

And then from:
http://www.redhat.com/docs/manuals/dir-server/install/7.1/sn.prepare.decide.html#SN.PREPARE.USER.GROUP

"For security reasons, it is always best to run production servers with normal
user privileges. That is, you do not want to run Directory Server with root
privileges. However, you will have to run Directory Server with root privileges
if you are using the default Directory Server ports."

These all use the term "run" and not "start", and implied to me that the default
port should not be used for production servers.  So, when I set up FDS I created
a dsuser account and picked a port > 1024.

Again, this may be a bug in the install doc more than the AdminServerLDAPMgmt
doc, but at this point the two conflict which causes pain for newbies like me.
Comment 3 Rich Megginson 2007-09-06 18:40:21 UTC
Not sure who owns the install guide, but we need to be very clear about this.

Comment 4 David O'Brien 2007-09-07 00:03:29 UTC
BrianC, can you make sure this is addressed in the Install Guide?

Comment 5 Red Hat Bugzilla 2007-10-03 01:14:45 UTC
User bcleary's account has been closed

Comment 7 Michael Hideo 2007-11-05 23:50:15 UTC
Moving Status to 'Assigned'

Comment 8 Deon Ballard 2007-12-04 22:27:55 UTC
This should be clarified in the 8.0 docs (cf. beta install guide):

"If you are using ports below 1024, such as the default LDAP port (389), you
must run the setup program and start the servers as root. You do not, however,
have to set the server user ID to root. When it starts, the server binds and
listens to its port as root, then immediately drops its privileges and runs as
the non-root server user ID. When the system restarts, the server is started as
root by the initscript. The setuid(2) man page has detailed technical information.

"Section 1.2.2, “Directory Server User and Group” has more information about the
server user ID."

See
http://www.redhat.com/docs/manuals/dir-server/install/8.0/Installation_Guide-Preparing_for_a_Directory_Server_Installation-Port_Number.html.
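
As an added example (not code from this bug, the wiki page, or 389/Red Hat Directory Server), the start-as-root, run-as-non-root pattern that comment 8 describes, written in C: the listening socket is bound while the process is still root, then the process switches to the server user and checks that the switch cannot be undone. The program name and the user `dsuser` (borrowed from comment 2) are assumptions.

```c
#define _GNU_SOURCE            /* setgroups() needs this on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <grp.h>
#include <pwd.h>
#include <arpa/inet.h>
#include <sys/socket.h>

/* Bind a TCP listener on 127.0.0.1:port; 389 needs root (or CAP_NET_BIND_SERVICE). */
int open_listener(unsigned short port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port),
                              .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0 || listen(fd, 16) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Switch permanently to uid/gid. Supplementary groups and the gid go first:
 * after setuid() a non-root process can no longer change them. Returns 0 only
 * if every id changed and root cannot be regained. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (uid != 0 && setuid(0) != -1) return -1;   /* drop was not permanent */
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    return 0;
}

/* Usage (as root): ./listener 389 dsuser   ("dsuser" is the account named in comment 2) */
int main(int argc, char **argv) {
    if (argc != 3) { fprintf(stderr, "usage: %s port user\n", argv[0]); return 2; }
    struct passwd *pw = getpwnam(argv[2]);
    if (!pw) { fprintf(stderr, "unknown user %s\n", argv[2]); return 2; }
    int fd = open_listener((unsigned short)atoi(argv[1]));      /* still root here */
    if (fd < 0) { perror("open_listener"); return 1; }
    if (drop_privileges(pw->pw_uid, pw->pw_gid) != 0) { perror("drop_privileges"); return 1; }
    printf("port %s bound; now serving as uid %u\n", argv[1], (unsigned)geteuid());
    close(fd);
    return 0;
}
```

Run as an ordinary user with a port above 1024 it behaves the same way, which is the configuration the reporter ended up with; only the bind step differs in what it is allowed to do.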

Comment 9 Deon Ballard 2011-05-19 18:43:23 UTC
Changing modifieds to ON_QA.

Comment 10 Andrew Ross 2011-05-19 20:47:30 UTC
(In reply to comment #8)
> This should be clarified in the 8.0 docs (cf. beta install guide):
> 
> "If you are using ports below 1024, such as the default LDAP port (389), you
> must run the setup program and start the servers as root. You do not, however,
> have to set the server user ID to root. When it starts, the server binds and
> listens to its port as root, then immediately drops its privileges and runs as
> the non-root server user ID. When the system restarts, the server is started as
> root by the initscript. The setuid(2) man page has detailed technical information.
> 
> "Section 1.2.2, “Directory Server User and Group” has more information about the
> server user ID."
> 
> See
> http://www.redhat.com/docs/manuals/dir-server/install/8.0/Installation_Guide-Preparing_for_a_Directory_Server_Installation-Port_Number.html.

http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.0/html/Installation_Guide/Installation_Guide-Preparing_for_a_Directory_Server_Installation-Considerations.html#Installation_Guide-Preparing_for_a_Directory_Server_Installation-Port_Number

Verified: Red_Hat_Directory_Server-Installation_Guide-8.0-web-en-US-8.0.5-5.el5

Comment 11 Deon Ballard 2012-06-21 23:14:56 UTC
Closing.