Firewall Considerations
3
setup-ds-admin.pl, does not allow you to configure the Administration Server to use TLS/SSL. To use TLS/SSL (meaning HTTPS) with the Administration Server, first set up the Administration Server to use HTTP, then reconfigure it to use HTTPS.
NOTE
When determining the port numbers you will use, verify that the specified port numbers are not already in use by running a command like netstat.
If you are using ports below 1024, such as the default LDAP port (389), you must run the setup program and start the servers as root. You do not, however, have to set the server user ID to root. When it starts, the server binds and listens to its port as root, then immediately drops its privileges and runs as the non-root server user ID. When the system restarts, the server is started as root by the init script. The setuid(2) man page [1] has detailed technical information.
Section 1.2.4, “Directory Server User and Group” has more information about the server user ID.
1.2.3. Firewall Considerations
The Directory Server instance may be on a different server or network than clients which need to
access it. For example, the Red Hat Certificate System subsystems require a Directory Server LDAP
database to store their certificate, key, and user information, but these servers do not need to be on
the same machine.
When installing Directory Server, make sure that you consider the location of the instance on the
network and that all firewalls, DMZs, and other network services allow the client to access the
Directory Server. There are two considerations about using firewalls with Directory Server and
directory clients:
• Protecting sensitive subsystems from unauthorized access
• Allowing appropriate access to other systems and clients outside of the firewall
Make sure that the firewalls allow access to the Directory Server secure (636) and standard (389) ports, so that any clients which must access the Directory Server instance are able to contact it.
1.2.4. Directory Server User and Group
The setup process sets a user ID (UID) and group ID (GID) as which the servers will run. The default UID is a non-privileged (non-root) user, nobody on Red Hat Enterprise Linux and daemon on HP-UX. Red Hat strongly recommends using this default value.
IMPORTANT
The same UID is used for both the Directory Server and the Administration Server by default, which simplifies administration. If you choose a different UID for each server, those UIDs must both belong to the group assigned to Directory Server.
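The following added example checks a proposed pair of server accounts against the two rules in this section: neither may be root, and if the Directory Server and Administration Server use different UIDs, both must be members of the Directory Server group. It is illustrative C written for this guide, not part of the setup program; the function names (user_in_group, is_unprivileged_user, check_server_users) are assumptions, and it reads the local passwd and group databases through getpwnam()/getgrnam(), so it reflects whatever accounts exist on the machine it runs on.

```c
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 if `user` belongs to `group`, either as its primary group or as a
 * listed supplementary member; 0 if not; -1 if either name is unknown.
 * Checking only gr_mem is a common mistake: a user whose primary group is the
 * target group is usually not listed there at all. */
int user_in_group(const char *user, const char *group)
{
    struct passwd *pw = getpwnam(user);
    struct group *gr = getgrnam(group);
    if (pw == NULL || gr == NULL)
        return -1;
    if (pw->pw_gid == gr->gr_gid)
        return 1;
    for (char **m = gr->gr_mem; *m != NULL; m++)
        if (strcmp(*m, user) == 0)
            return 1;
    return 0;
}

/* Return 1 when `user` is a non-root account (uid != 0), 0 when its uid is 0
 * (root or an alias of root), -1 when the name does not exist. */
int is_unprivileged_user(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return -1;
    return pw->pw_uid != 0;
}

/* Validate the Directory Server user, the Administration Server user and the
 * Directory Server group together. Returns 0 when the combination satisfies
 * the rules, otherwise a negative code naming the first rule broken:
 *   -1 / -2  ds_user / admin_user is root or unknown
 *   -3 / -4  the users differ and ds_user / admin_user is not in ds_group */
int check_server_users(const char *ds_user, const char *admin_user, const char *ds_group)
{
    if (is_unprivileged_user(ds_user) != 1)
        return -1;
    if (is_unprivileged_user(admin_user) != 1)
        return -2;
    if (strcmp(ds_user, admin_user) == 0)   /* same UID for both: nothing more to check */
        return 0;
    if (user_in_group(ds_user, ds_group) != 1)
        return -3;
    if (user_in_group(admin_user, ds_group) != 1)
        return -4;
    return 0;
}

int main(int argc, char **argv)
{
    /* Usage: ./check_users <ds_user> <admin_user> <ds_group>; defaults below
     * are the RHEL default account and a hypothetical "dirsrv" group. */
    const char *ds_user = argc > 1 ? argv[1] : "nobody";
    const char *admin_user = argc > 2 ? argv[2] : "nobody";
    const char *ds_group = argc > 3 ? argv[3] : "dirsrv";
    int rc = check_server_users(ds_user, admin_user, ds_group);
    printf("ds_user=%s admin_user=%s ds_group=%s -> %s (code %d)\n",
           ds_user, admin_user, ds_group, rc == 0 ? "acceptable" : "rejected", rc);
    return rc == 0 ? 0 : 1;
}
```

Because the primary-group case is handled by comparing pw_gid with gr_gid, the check gives the same answer whether the administrator added the account to the group with usermod -aG or simply created it with that group as its login group.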
For security reasons, Red Hat strongly discourages you from setting the Directory Server or Administration Server user to root. If an attacker gains access to the server, he might be able to
[1] http://grove.ufl.edu/cgi-bin/webman?man2+setuid.2.gz