Chapter 1. Preparing for a Directory Server Installation
execute arbitrary system commands as the root user. Using a non-privileged UID adds another layer of security.
Listening to Restricted Ports as Unprivileged Users
Even though port numbers less than 1024 are restricted, the LDAP server can listen to port 389 (and any port number less than 1024), as long as the server is started by the root user or by init when the system starts up. The server first binds and listens to the restricted port as root, then immediately drops privileges to the non-root server UID. The setuid(2) man page [2] has detailed technical information. Section 1.2.2, "Port Numbers" has more information on port numbers in Directory Server.
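The bind-then-drop sequence described above, as an added example that is not code from the guide or from Directory Server itself: the port is bound while still root, then the process switches permanently to the service UID and verifies that root cannot be regained. The service account name "dirsrv" is an assumption used for illustration.

```c
/* Added example: bind a restricted port as root, then permanently drop
 * to the unprivileged server UID so a compromised server cannot act as root. */
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind and listen on a loopback TCP port; ports below 1024 need root.
 * Returns the listening fd, or -1 on failure. */
int bind_listen_port(uint16_t port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Irreversibly drop to uid/gid. Order matters: groups, then gid, then uid,
 * because once the uid is unprivileged the group calls would fail.
 * Returns 0 on success, -1 on failure (the caller must then abort, not serve). */
int drop_privileges(uid_t uid, gid_t gid) {
    if (getuid() == 0 && setgroups(0, NULL) != 0) return -1; /* only root may clear groups */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Verify the drop is real: with all uids changed, regaining root must fail. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0)) return -1;
    return (getuid() == uid && geteuid() == uid && getgid() == gid) ? 0 : -1;
}

int main(void) {
    int fd = bind_listen_port(389);            /* succeeds only while root */
    if (fd < 0) { perror("bind 389"); return 1; }
    struct passwd *pw = getpwnam("dirsrv");     /* assumed service account */
    if (pw == NULL || drop_privileges(pw->pw_uid, pw->pw_gid) != 0) {
        fprintf(stderr, "privilege drop failed; refusing to serve as root\n");
        return 1;
    }
    printf("listening on fd %d as uid %u\n", fd, (unsigned)getuid());
    return 0;
}
```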
1.2.5. Directory Manager
The Directory Server setup creates a special user called the Directory Manager. The Directory Manager is a unique, powerful entry that is used to administer all user and configuration tasks. The Directory Manager is a special entry that does not have to conform to a Directory Server configured suffix; additionally, access controls, password policy, and database limits for size, time, and look-through limits do not apply to the Directory Manager. There is no directory entry for the Directory Manager user; it is used only for authentication. You cannot create an actual Directory Server entry that uses the same DN as the Directory Manager DN.
The Directory Server setup process prompts for a distinguished name (DN) and a password for the Directory Manager. The default value for the Directory Manager DN is cn=Directory Manager. The Directory Manager password must contain at least 8 characters, which must be ASCII letters, digits, or symbols.
1.2.6. Directory Administrator
The Directory Server setup also creates an administrator user specifically for Directory Server and Administration Server management, called the Directory Administrator. The Directory Administrator is the "super user" that manages all Directory Server and Administration Server instances through the Directory Server Console. Every Directory Server is configured to grant this user administrative access.
There are important differences between the Directory Administrator and the Directory Manager:
• The administrator cannot create top level entries for a new suffix through an add operation, either by adding an entry in the Directory Server Console or by using ldapadd, a tool provided with OpenLDAP. Only the Directory Manager can add top-level entries by default. To allow other users to add top-level entries, create entries with the appropriate access control statements in an LDIF file, and perform an import or database initialization procedure using that LDIF file.
• Password policies do apply to the administrator, but you can set a user-specific password policy for the administrator.
• Size, time, and look-through limits apply to the administrator, but you can set different resource limits for this user.
The Directory Server setup process prompts for a username and a password for the Directory Administrator. The default Directory Administrator username is admin. For security, the Directory Administrator's password must not be the same as the Directory Manager's password.
[2] http://grove.ufl.edu/cgi-bin/webman?man2+setuid.2.gz