We are in the midst of a migration from the Solaris 10/SPARC platform to RHEL/x86_64. We currently run DPS under a non-privileged account on the default ports using the Solaris 10 net_privaddr functionality.
Is it possible to use setcap in RHEL5 to allow a non-privileged account to bind to ports 389, 636 to run DPS? If so does just the java binary under the DPS installation path /.../11g/dsee7/jre/64/bin/java need to be given permission to bind to all ports? Finally, is this even recommended for DPS on the Linux platform?
I've never personally tested that, but adding the cap_net_bind capability to both the permitted and effective sets for the actual program file (in your case the Java interpreter you mentioned; "actual program file" means the final binary, not a symlink) should do the trick.
The command would be similar to: sudo /sbin/setcap 'cap_net_bind_service=ep' <yourpath>/bin/java
Obviously any Java program using that interpreter can then bind to any port.
My 2 cents
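As an added example (not from the thread), a small POSIX sh helper that applies the advice above: resolve the interpreter path to the real binary before calling setcap, then confirm from getcap's output that cap_net_bind_service is in both the permitted and effective sets, and list every file in a tree that carries it, since any program run through that interpreter can bind any port. The paths are placeholders and the getcap output lines shown in the comments are constructed; GNU readlink is assumed.

```shell
#!/bin/sh
# Added helper (not part of the thread). Checks around granting
# cap_net_bind_service to the Java interpreter that runs DPS.
# Paths below are placeholders for your own installation.

# setcap stores the capability in the file's extended attributes, so it must
# be applied to the final binary, not to a symlink pointing at it.
# Assumes GNU readlink (Linux).
resolve_binary() {
    readlink -f "$1"
}

# Take one line of getcap output and return 0 only if cap_net_bind_service
# is in both the permitted (p) and effective (e) sets. Both output styles
# are handled (constructed sample lines):
#   /opt/dsee7/jre/64/bin/java = cap_net_bind_service+ep   (older libcap)
#   /opt/dsee7/jre/64/bin/java cap_net_bind_service=ep     (newer libcap)
has_bind_cap() {
    rest=${1#* }          # drop the path
    rest=${rest#= }       # drop the "= " separator of the older format
    for clause in $rest; do
        case $clause in
            *cap_net_bind_service*)
                flags=${clause##*[+=]}   # text after the last '+' or '='
                case $flags in
                    *e*p*|*p*e*) return 0 ;;
                esac ;;
        esac
    done
    return 1
}

# Check one interpreter: resolve it, then ask getcap about the real file.
# Usage: check_bind_cap /opt/dsee7/jre/64/bin/java
check_bind_cap() {
    real=$(resolve_binary "$1")
    line=$(getcap "$real" 2>/dev/null) || return 1
    has_bind_cap "$line"
}

# Every file under a tree that can bind low ports. Any Java program launched
# through a capability-bearing interpreter gets the same privilege, so run
# this periodically (e.g. against /opt or /) and compare with a baseline.
find_bind_cap_holders() {
    getcap -r "$1" 2>/dev/null | while IFS= read -r line; do
        has_bind_cap "$line" && printf '%s\n' "$line"
    done
}
```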
Yes, this works only since 11g (220.127.116.11.0). You can decide to run DPS as foo and start it as root. The process binds to the low TCP port as root, then switches to foo.
You can use either the root credentials or the foo credentials to manage the instance via dscc.
So in 18.104.22.168.0 I can unregister the instance and change the port to 389 and then use sudo to start / stop dps?
If using sudo would the sudoer only need permissions to /install_root/dsee7/bin/dpadm ?
Actually, I double checked and there is still one issue with 22.214.171.124.0:
If you start dpadm as root, you can log in as the original user and administer DPS via dscc. However, you won't be able to (re)start it from the console unless you log in as root. So it might make administration tricky.