Directory Manager; Directory Administrator - Red Hat DIRECTORY SERVER 8.1 - INSTALLATION GUIDE 11-01-2010 Installation Manual

Chapter 1. Preparing for a Directory Server Installation
execute arbitrary system commands as the root user. Using a non-privileged UID adds another layer
of security.
Listening to Restricted Ports as Unprivileged Users
Even though port numbers less than 1024 are restricted, the LDAP server can listen on port 389 (or
any other port number less than 1024), as long as the server is started by the root user or by init when
the system starts up. The server first binds and listens on the restricted port as root, then immediately
drops privileges to the non-root server UID, so the running server process is owned by the server user
even though it holds a privileged port. Section 1.2.2, "Port Numbers" has more information on port
numbers in Directory Server. The setuid(2) man page [2] has detailed technical information.

1.2.5. Directory Manager

The Directory Server setup creates a special user called the Directory Manager. The Directory
Manager is a unique, powerful identity that is used to administer all user and configuration tasks. The
Directory Manager does not have to conform to a configured Directory Server suffix; additionally,
access controls, password policy, and database limits for size, time, and look-through do not apply
to the Directory Manager. There is no directory entry for the Directory Manager user; the DN is used
only for authentication, and you cannot create an actual Directory Server entry that uses the same DN
as the Directory Manager DN. Because none of these controls apply, the Directory Manager is in effect
the root account of the directory: use it for setup and for administrative tasks that require it, and
delegate routine administration to entries that are subject to access controls.
The Directory Server setup process prompts for a distinguished name (DN) and a password for the
Directory Manager. The default value for the Directory Manager DN is cn=Directory Manager. The
Directory Manager password must contain at least 8 characters, which must be ASCII letters, digits, or
symbols.

1.2.6. Directory Administrator

The Directory Server setup also creates an administrator user specifically for Directory Server
and Administration Server management, called the Directory Administrator. The Directory
Administrator is the "super user" that manages all Directory Server and Administration Server
instances through the Directory Server Console. Every Directory Server is configured to grant this user
administrative access.
There are important differences between the Directory Administrator and the Directory Manager:
• The administrator cannot create top-level entries for a new suffix through an add operation, either
by adding an entry in the Directory Server Console or by using ldapadd, a tool provided with OpenLDAP.
Only the Directory Manager can add top-level entries by default. To allow other users to add top-
level entries, create the entries, with the appropriate access control statements, in an LDIF file, and
perform an import or database initialization procedure using that LDIF file.
• Password policies do apply to the administrator, but you can set a user-specific password policy for
the administrator.
• Size, time, and look-through limits apply to the administrator, but you can set different resource
limits for this user.
The Directory Server setup process prompts for a username and a password for the Directory
Administrator. The default Directory Administrator username is admin. For security, the Directory
Administrator's password must not be the same as the Directory Manager's password.
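The procedure in the first bullet above, worked through as an added example that is not part of the Red Hat guide: an LDIF file that creates the root entry of a new suffix together with an ACI delegating administration of that suffix to a group, plus a delegated administrator entry that carries its own resource limits (the third bullet). The suffix dc=example,dc=com, the group cn=Suffix Admins and the user uid=dsadmin are hypothetical names chosen for this example; the aci syntax and the nsSizeLimit, nsTimeLimit and nsLookThroughLimit attributes are Directory Server's own.

```ldif
# Added example, not from the Red Hat guide. The suffix, group and user names
# are hypothetical; replace them with your own before importing.

# Root entry of the new suffix. Only the Directory Manager can add this entry
# with ldapadd, which is why it is created by import instead.
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example
# ACI on the suffix root: members of the delegated group may read, add, modify
# and delete entries anywhere beneath this suffix. The Directory Manager is not
# subject to ACIs, so it needs no grant here.
aci: (targetattr="*")(version 3.0; acl "Delegated suffix admins"; allow (read, search, compare, add, write, delete) groupdn="ldap:///cn=Suffix Admins,ou=Groups,dc=example,dc=com";)

dn: ou=Groups,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Groups

dn: ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People

# Delegated administrator. Unlike the Directory Manager, this entry is subject
# to ACIs, password policy and resource limits; the per-entry limits below
# override the global ones for this user only (the third bullet above).
dn: uid=dsadmin,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: dsadmin
cn: Delegated Admin
sn: Admin
nsSizeLimit: 5000
nsTimeLimit: 300
nsLookThroughLimit: 10000

# Group named in the ACI on the suffix root.
dn: cn=Suffix Admins,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: Suffix Admins
uniqueMember: uid=dsadmin,ou=People,dc=example,dc=com
```

Import the file into the backend mapped to the suffix (userRoot for the suffix chosen at setup) with the instance stopped, using the instance's ldif2db script, for example /usr/lib/dirsrv/slapd-<instance>/ldif2db -n userRoot -i /path/to/example.ldif (the directory is /usr/lib64/dirsrv on x86_64 hosts), or online with ldif2db.pl bound as the Directory Manager. Either form of import initializes the database and replaces whatever it held, so use it for a new suffix, not a populated one. Set the delegated administrator's password afterwards with ldapmodify bound as the Directory Manager, and give that user its own password policy with the instance's ns-newpwpolicy.pl script (the second bullet).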
[2] setuid(2) man page: http://grove.ufl.edu/cgi-bin/webman?SEARCH+man2+setuid.2.gz
