Monday, January 10, 2022

[389-users] Re: Running dscontainer as a non-root user

Hi Steve,

If I remember rightly, by default the server is started as root (to be able to open the listening ports) then switch to nsslapd-localuser (which is usually not privileged) 

That said, I routinely run 389ds directly as a non-root user (mostly for development and debugging purposes) so it is possible to do it.
There is a bit more than what you listed but not much. (I do not change the instance configuration files but rather directly the template files ( defaults.inf for the user and paths and  template-dse*.ldif to disable by default some plugins) then I create new instances with dscreate as usual:
  1.  Make sure to use non privileged port when creating instance
  2. Modify the defaults.inf to change the paths towards writable (by the user) directories (beware of path loke /run or /var/run )
Most functionalities work fine but it may be possible that some plugins interacting with external components do not. 
For my part I had to disable pwdchan-plugin from the template-dse*.ldif but that is more likely because I use a custom build without RUST rather than the fact I start the server while logged in with an unprivileged user. 

Have fun ! 

On Mon, Jan 10, 2022 at 8:52 AM Steve F <> wrote:

Currently dscontainer will start, configure and run ds-389 as a root user. I am wondering if there is support to run as a non-root user?

It is as simple as chown'ing the files to a non privileged user, updating nsslapd-localuser to the correct user, then running dscontainer -r as the unprivileged user?

Or will this break some other functionality?

389-users mailing list --
To unsubscribe send an email to
Fedora Code of Conduct:
List Guidelines:
List Archives:
Do not reply to spam on the list, report it:


389 Directory Server Development Team

No comments:

Post a Comment