Red Hat Bugzilla – Bug 491899
please assign a uid and gid for 'nslcd'
Last modified: 2009-03-25 09:46:12 EDT
The nss-ldapd package (package review at bug #491767) includes a daemon which can be run as an unprivileged user, and I'd like to reserve a uid and a gid for that user and its primary group. In my testing, there's no requirement that they be the same value, so I hope we can scare up a pair (uid 64, gid 31, would probably work).
This pair is not available: uid 64 is already reserved by user condor, and gid 31 is already reserved by group console. What do you think about sharing a gid with some existing group, e.g. group 55 (ldap), and sharing it with open-ldap? The reserved uid could be separate; there are plenty of free uids left (e.g. 63). I checked the available gids and the only free one is 16 (a uid/gid pair is in fact available, 16/16).
That's probably okay -- nothing the daemon accesses needs to be group-readable or -writable, it just needs to be part of _some_ group. My only concern would be for other packages which use the group for access control. For example slapd's configuration file is group-readable, and its contents would be readable from inside of nslcd should it be compromised somehow. But hey, it's better than nothing.
Will ask openldap maintainer tomorrow if such group sharing is suitable for him (I guess those packages are quite close to share group). If so, will assign uid 63 for "nslcd" user and you will add nss-ldap package to reservation of gid 55 "ldap" group.
Ok, consulted with open-ldap guys, they are generally ok with that group sharing.
Added the following reservation record to the uidgid file (as I have seen you have chosen uid 65 in the spec):
username uid gid home shell package
nslcd 65 (55) / /sbin/nologin nslcd
Note: group 55 should be created as ldap to prevent troubles for open-ldap.
Built as setup-2.8.2-2.fc11, closing RAWHIDE.
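As an added example (not from the bug thread or from the setup or nss-ldapd packages), here is the idempotent scriptlet shape a package would use to realise the reservation record above on a host: create the shared group 55 as "ldap" only if it is absent, then create the nslcd system user with uid 65, primary group ldap, home / and shell /sbin/nologin. The second function addresses the concern raised earlier in the thread, that a shared group lets a compromised nslcd read anything that is group-readable for ldap: it lists the files under a directory that are readable by members of a given gid but not by everyone, so a maintainer can see exactly what the sharing exposes. The comment string "LDAP client daemon" and the helper names are assumptions.

```shell
#!/bin/sh
# Added example: values taken from the reservation record in the bug
# (nslcd 65 (55) / /sbin/nologin). Account creation needs root.
NSLCD_UID=65
LDAP_GID=55

# Return success if the numeric uid / gid is not yet known to the host,
# the check the maintainer did by hand against the uidgid file.
uid_free() { ! getent passwd "$1" >/dev/null 2>&1; }
gid_free() { ! getent group  "$1" >/dev/null 2>&1; }

# Create the shared group and the daemon user only if they do not already
# exist, so the scriptlet is safe whether openldap or nss-ldapd is installed
# first (the group must be named "ldap" to avoid trouble for open-ldap).
create_nslcd_account() {
    getent group ldap >/dev/null 2>&1 || groupadd -r -g "$LDAP_GID" ldap
    getent passwd nslcd >/dev/null 2>&1 || \
        useradd -r -u "$NSLCD_UID" -g ldap -d / -s /sbin/nologin \
                -c "LDAP client daemon" nslcd
}

# Audit what a shared group exposes: regular files under $1 owned by gid $2
# whose mode has the group-read bit (040) set but not the other-read bit (004).
# Octal -perm forms are used so the same expression works with GNU and busybox find.
list_group_only_readable() {
    dir="$1"; gid="$2"
    find "$dir" -type f -gid "$gid" -perm -040 ! -perm -004 2>/dev/null
}

# Stand-alone use: report what the ldap group already exposes in /etc.
if [ "${0##*/}" = "nslcd-account.sh" ]; then
    list_group_only_readable /etc "$LDAP_GID"
fi
```

Running `list_group_only_readable /etc 55` before enabling the shared group shows every file (such as a group-readable slapd configuration) that the nslcd user would gain read access to; anything sensitive on that list is a candidate for a mode of 600 or a dedicated group instead.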