Bug 185712 - Documentation should be clear about server user id
Status: CLOSED CURRENTRELEASE
Product: 389
Classification: Retired
Component: wiki
Version: 1.0
Platform: All / Linux
Priority: high
Severity: medium
Assigned To: Deon Ballard
QA Contact: ecs-bugs
URL: http://directory.fedora.redhat.com/wi...
Whiteboard: Documentation
Blocks: 152373 240316 FDS1.1.0
Reported: 2006-03-16 20:34 EST by Mont Rothstein
Modified: 2012-06-21 19:14 EDT
Doc Type: Bug Fix
Last Closed: 2012-06-21 19:14:56 EDT
Attachments: None
Description Mont Rothstein 2006-03-16 20:34:54 EST
Description of problem:

In the Fedora Directory Server install docs it strongly suggests that FDS not be
run as root, and therefore that the default port not be used.  Following these
instructions the ldapsearch commands in the Howto:AdminServerLDAPMgmt need a -p
option with the user's chosen LDAP server port.

Comment 1 Rob Crittenden 2006-03-17 08:42:13 EST
Running as root and starting as root aren't the same thing.

In order to use a port < 1024 the server needs to start as root. Once the port
has been opened the server can drop root privileges and run as another user.
This is what is being recommended.
Comment 2 Mont Rothstein 2006-03-17 11:19:21 EST
I won't argue that what you describe is the way it should be done; I don't know
enough to have an opinion, but that isn't what the docs currently describe.

From:
http://www.redhat.com/docs/manuals/dir-server/install/7.1/sn.prepare.decide.html#SN.PREPARE.UNIQUE.PORT

"Directory Server must be run as root if it will listen on either port 389 or 636."

And then from:
http://www.redhat.com/docs/manuals/dir-server/install/7.1/sn.prepare.decide.html#SN.PREPARE.USER.GROUP

"For security reasons, it is always best to run production servers with normal
user privileges. That is, you do not want to run Directory Server with root
privileges. However, you will have to run Directory Server with root privileges
if you are using the default Directory Server ports."

These all use the term "run" and not "start", and implied to me that the default
port should not be used for production servers.  So, when I set up FDS I created
a dsuser account and picked a port > 1024.

Again, this may be a bug in the install doc more than the AdminServerLDAPMgmt
doc, but at this point the two conflict which causes pain for newbies like me.
Comment 3 Rich Megginson 2007-09-06 14:40:21 EDT
Not sure who owns the install guide, but we need to be very clear about this.
Comment 4 David O'Brien 2007-09-06 20:03:29 EDT
BrianC, can you make sure this is addressed in the Install Guide?
Comment 5 Red Hat Bugzilla 2007-10-02 21:14:45 EDT
User bcleary@redhat.com's account has been closed
Comment 7 Michael Hideo 2007-11-05 18:50:15 EST
Moving Status to 'Assigned'
Comment 8 Deon Ballard 2007-12-04 17:27:55 EST
This should be clarified in the 8.0 docs (cf. beta install guide):

"If you are using ports below 1024, such as the default LDAP port (389), you
must run the setup program and start the servers as root. You do not, however,
have to set the server user ID to root. When it starts, the server binds and
listens to its port as root, then immediately drops its privileges and runs as
the non-root server user ID. When the system restarts, the server is started as
root by the initscript. The setuid(2) man page has detailed technical information.

"Section 1.2.2, “Directory Server User and Group” has more information about the
server user ID."

See
http://www.redhat.com/docs/manuals/dir-server/install/8.0/Installation_Guide-Preparing_for_a_Directory_Server_Installation-Port_Number.html.
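The start-as-root, then drop-privileges sequence described in comment 1 and in the 8.0 text quoted above, as an added C illustration (not 389/FDS code): the process binds the port while still root, switches to the server user, and verifies the switch cannot be undone. The `dsuser` name comes from comment 2; `open_listener` and `drop_privileges` are hypothetical helpers written for this example.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind and listen on `port`. For ports below 1024 this needs root, which is
 * why the initscript starts the server as root. Returns the fd or -1. */
int open_listener(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in addr = {0};
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_ANY);
    addr.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Permanently drop to the server user: clear supplementary groups, set gid,
 * then uid, and verify every id changed and root cannot be regained. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) < 0)
        return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && setuid(0) == 0)
        return -1; /* saved set-user-ID was still root: drop not permanent */
    return 0;
}

int main(void)
{
    int fd = open_listener(389);            /* default LDAP port: root needed */
    struct passwd *pw = getpwnam("dsuser"); /* server user named in comment 2 */
    if (fd < 0 || !pw || drop_privileges(pw->pw_uid, pw->pw_gid) != 0) {
        fprintf(stderr, "start as root, then drop to dsuser: failed\n");
        return 1;
    }
    printf("listening on 389 as uid %u\n", (unsigned)getuid());
    return 0;
}
```

Run as an unprivileged user, the bind on 389 fails with EPERM, which is exactly the behaviour the install guide's "start as root" wording is about.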
Comment 9 Deon Ballard 2011-05-19 14:43:23 EDT
Changing modifieds to ON_QA.
Comment 10 Andrew Ross 2011-05-19 16:47:30 EDT
(In reply to comment #8)
> This should be clarified in the 8.0 docs (cf. beta install guide):
> 
> "If you are using ports below 1024, such as the default LDAP port (389), you
> must run the setup program and start the servers as root. You do not, however,
> have to set the server user ID to root. When it starts, the server binds and
> listens to its port as root, then immediately drops its privileges and runs as
> the non-root server user ID. When the system restarts, the server is started as
> root by the initscript. The setuid(2) man page has detailed technical information.
> 
> "Section 1.2.2, “Directory Server User and Group” has more information about the
> server user ID."
> 
> See
> http://www.redhat.com/docs/manuals/dir-server/install/8.0/Installation_Guide-Preparing_for_a_Directory_Server_Installation-Port_Number.html.

http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.0/html/Installation_Guide/Installation_Guide-Preparing_for_a_Directory_Server_Installation-Considerations.html#Installation_Guide-Preparing_for_a_Directory_Server_Installation-Port_Number

Verified: Red_Hat_Directory_Server-Installation_Guide-8.0-web-en-US-8.0.5-5.el5
Comment 11 Deon Ballard 2012-06-21 19:14:56 EDT
Closing.