Description of problem: It is common to see LDAP servers that need to bind to the standard LDAP and LDAPS ports (389/636). Currently, this requires that slapd be run as root in order to be able to bind to these ports. Also, any watchdog scripts have to run as root, and this ends up cascading root access dependencies into other areas as well. This is not specific to LDAP; the concern exists for any server that wants to bind to "privileged" ports as a non-root user. Thankfully, this seems pretty easy to resolve. This patch seems to resolve the situation:

--- /usr/src/linux/include/linux/capability.h 2005-03-02 07:37:50.000000000 +0000 +++ /usr/src/linux/include/linux/capability.h 2005-08-28 00:12:43.150862450 +0100 @@ -311,8 +311,8 @@ #define CAP_EMPTY_SET to_cap_t(0) #define CAP_FULL_SET to_cap_t(~0) -#define CAP_INIT_EFF_SET to_cap_t(~0 & ~CAP_TO_MASK(CAP_SETPCAP)) -#define CAP_INIT_INH_SET to_cap_t(0) +#define CAP_INIT_EFF_SET to_cap_t(~0) +#define CAP_INIT_INH_SET to_cap_t(~0) #define CAP_TO_MASK(x) (1 << (x)) #define cap_raise(c, flag) (cap_t(c) |= CAP_TO_MASK(flag)) --- /usr/src/linux/net/ipv4/devinet.c 2005-03-02 07:37:50.000000000 +0000 +++ /usr/src/linux/net/ipv4/devinet.c 2005-08-28 00:14:09.527835038 +0100 @@ -1232,7 +1232,7 @@ .procname = "mc_forwarding", .data = &ipv4_devconf.mc_forwarding, .maxlen = sizeof(int), - .mode = 0444, + .mode = 0644, .proc_handler = &proc_dointvec, }, {

It would seem like this patch might be all that is needed to enable setting CAP_NET_BIND_SERVICE to allow binding ports less than 1024. If there is a more optimal way to achieve this functionality, I'm certainly open to other approaches as well. I'm just looking for something that will work. It will definitely reduce unnecessary risk exposure and decrease operations complexity for many end-users.
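Review bot: the capability.h hunk widens far more than the report asks for. Dropping `& ~CAP_TO_MASK(CAP_SETPCAP)` from `CAP_INIT_EFF_SET` puts CAP_SETPCAP into init's effective set, and changing `CAP_INIT_INH_SET` from `to_cap_t(0)` to `to_cap_t(~0)` makes init's inheritable set all-ones, so every capability, not only CAP_NET_BIND_SERVICE, becomes inheritable system-wide from process 1 downward. The stated goal is one daemon binding 389/636 without running as root, which needs only CAP_NET_BIND_SERVICE on that process; keep the CAP_SETPCAP exclusion and scope the change to granting that single capability to slapd (or the launcher that starts it) rather than altering the sets init boots with.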
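Review bot: the devinet.c hunk is unrelated to the capability change and is not explained anywhere in the description. It changes the mode of the `mc_forwarding` sysctl from `0444` to `0644`, turning a read-only multicast-forwarding indicator into one writable from userspace, which has nothing to do with binding ports below 1024. Either drop this hunk from the patch or add to the description why it is needed; as posted it should be reviewed on its own.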
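The report's underlying point is that binding a port below 1024 is gated on CAP_NET_BIND_SERVICE, not on uid 0 as such. The program below is an added example, not code from the bug report or from the kernel patch: it checks whether the calling process holds CAP_NET_BIND_SERVICE in its effective set, attempts a TCP bind on loopback and reports the errno, and shows the least-privilege pattern the reporter is after, namely starting as root, dropping to an ordinary uid and keeping only CAP_NET_BIND_SERVICE. It is Linux-only and uses the raw capget/capset syscalls so it needs no libcap. The port 389 and uid/gid 1000 are constructed sample values.

```c
// Added example (not from the bug report): capability check, privileged
// bind attempt, and root -> unprivileged uid while keeping only
// CAP_NET_BIND_SERVICE. Linux only; raw capget/capset, no libcap needed.
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <linux/capability.h>

/* Bit position of CAP_NET_BIND_SERVICE inside the two 32-bit cap words. */
#define BIND_CAP_IDX  (CAP_NET_BIND_SERVICE / 32)
#define BIND_CAP_MASK (1u << (CAP_NET_BIND_SERVICE % 32))

/* Returns 1 if CAP_NET_BIND_SERVICE is in the effective set, 0 if not,
 * -1 if capget itself failed (e.g. blocked by a seccomp filter). */
int has_cap_net_bind_service(void)
{
    struct __user_cap_header_struct hdr = {
        .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 };
    struct __user_cap_data_struct data[2] = {{0}, {0}};
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    return (data[BIND_CAP_IDX].effective & BIND_CAP_MASK) ? 1 : 0;
}

/* Tries to bind a TCP socket to 127.0.0.1:port. Returns 0 on success,
 * -errno on failure: EACCES means a privileged port without the
 * capability, EADDRINUSE means something already owns the port.
 * The socket is closed again, so nothing is left listening. */
int try_bind_tcp(int port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons((uint16_t)port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    int rc = bind(fd, (struct sockaddr *)&sa, sizeof sa);
    int result = (rc == 0) ? 0 : -errno;
    close(fd);
    return result;
}

/* Drops from root to uid/gid, keeping CAP_NET_BIND_SERVICE and nothing
 * else in the permitted and effective sets. Returns 0 or -errno.
 * Only meaningful when the process starts as root. */
int drop_to_uid_keeping_bind_cap(uid_t uid, gid_t gid)
{
    /* Without KEEPCAPS, setuid() from 0 to non-0 clears every capability. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0)
        return -errno;
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -errno;
    /* KEEPCAPS preserves the permitted set but empties the effective set,
     * so re-raise exactly the one capability we want and shed the rest. */
    struct __user_cap_header_struct hdr = {
        .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 };
    struct __user_cap_data_struct data[2] = {{0}, {0}};
    data[BIND_CAP_IDX].permitted = BIND_CAP_MASK;
    data[BIND_CAP_IDX].effective = BIND_CAP_MASK;
    if (syscall(SYS_capset, &hdr, data) != 0)
        return -errno;
    return (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) == 0) ? 0 : -errno;
}

int main(int argc, char **argv)
{
    int port = (argc > 1) ? atoi(argv[1]) : 389;   /* 389 = LDAP, sample value */
    if (getuid() == 0) {
        int rc = drop_to_uid_keeping_bind_cap(1000, 1000); /* sample uid/gid */
        printf("root -> uid 1000 keeping only CAP_NET_BIND_SERVICE: %s\n",
               rc == 0 ? "ok" : strerror(-rc));
    }
    printf("CAP_NET_BIND_SERVICE effective: %d\n", has_cap_net_bind_service());
    int rc = try_bind_tcp(port);
    printf("bind 127.0.0.1:%d -> %s\n", port, rc == 0 ? "ok" : strerror(-rc));
    return rc == 0 ? 0 : 1;
}
```

Run it as an ordinary user and the bind on 389 fails with EACCES while an ephemeral port (argument 0) succeeds; run it as root and it drops to uid 1000, reports the capability still effective, and binds 389 anyway. The same drop-then-capset sequence is what a daemon launcher would do in place of keeping slapd or a watchdog running as root.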
Dave, I see you reassigned this to yourself. Any chance of this going in for RHEL 5?
If this makes any sense at all, it needs to happen upstream, as it's a fairly fundamental change.