From "Alex Karasulu" <akaras...@apache.org>
Subject Re: [ApacheDS 1.5.1] try to start default partition on Linux with port 389
Date Fri, 05 Oct 2007 15:51:41 GMT
On 10/5/07, Chris Custine <ccustine@apache.org> wrote:
>
> Hi Markus,
> You have a couple of options and which one to use depends on what level of
> security you want.  If you are OK with running the server as root, then you
> simply change the RUN_AS_USER variable in the /etc/init.d/apacheds script.
> After looking at your question I realized that this is not easily changed on
> a per instance basis so I have added an issue to Jira to make this more
> flexible in a future release.  If you change it here, all instances will run
> as the same userid.
>
> https://issues.apache.org/jira/browse/DIRSERVER-1084
>
> The second option is to use iptables to route the ports.  This is by far
> more secure since you can still run the server on any port as an
> unprivileged user and receive requests on port 389.  Here are the full
> iptables commands to test from the command line (you may have to change the
> eth0 interface name).  The second command is only necessary if you have
> clients running locally that you want to redirect on localhost; the first
> one handles the public interface.
>
> iptables -t nat -A PREROUTING -p tcp --dport 389 -i eth0 -j REDIRECT --to-port 10389
> iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport 389 -j REDIRECT --to-port 10389
>
> I hope this helps, and let us know if you have any issues with this.  This
> would make a good FAQ item so I will try to add this to some docs.
>

I like this tactic here. Is there some way to give a non-root user the
ability to bind to ports below 1024 on UNIX?  I looked for this once before
but never found a way.

Alex
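One way to verify on the host that the two REDIRECT rules Chris quotes are actually in place, and that nothing else is redirecting port 389, as an added example that is not from the thread or the ApacheDS project: it parses `iptables-save -t nat` output (here a constructed sample rather than a live dump).

```python
import shlex

# Constructed sample of `iptables-save -t nat` output after the two commands in
# the thread (iptables-save spells the REDIRECT target option --to-ports).
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 389 -j REDIRECT --to-ports 10389
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 389 -j REDIRECT --to-ports 10389
COMMIT
"""

def parse_nat_rules(dump):
    """Return the -A rules of the *nat table as (chain, {option: value}) tuples."""
    rules, in_nat = [], False
    for line in dump.splitlines():
        if line.startswith("*"):
            in_nat = line.strip() == "*nat"
            continue
        if not in_nat or not line.startswith("-A "):
            continue
        toks = shlex.split(line)
        opts, i = {}, 2
        while i < len(toks):
            # An option followed by a non-option token takes that token as its value.
            if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                opts[toks[i]] = toks[i + 1]
                i += 2
            else:
                opts[toks[i]] = True
                i += 1
        rules.append((toks[1], opts))
    return rules

def check_ldap_redirect(dump, iface="eth0", dport=389, to_port=10389):
    """Report whether each rule from the thread is present, and list any other
    ports that tcp/dport is being redirected to (stale or conflicting rules)."""
    hits = []  # (chain, to_port, opts) for every REDIRECT of tcp/dport
    for chain, o in parse_nat_rules(dump):
        if o.get("-p") == "tcp" and o.get("--dport") == str(dport) and o.get("-j") == "REDIRECT":
            hits.append((chain, o.get("--to-ports") or o.get("--to-port"), o))
    return {
        "public": any(c == "PREROUTING" and p == str(to_port) and o.get("-i") == iface
                      for c, p, o in hits),
        "localhost": any(c == "OUTPUT" and p == str(to_port)
                         and str(o.get("-d", "")).startswith("127.0.0.1") for c, p, o in hits),
        "stray": sorted({p for _, p, _ in hits if p != str(to_port)}),
    }
```

On a real host, feed it the output of `iptables-save -t nat` instead of the sample; a non-empty "stray" list means some other rule is also grabbing port 389.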
