2 Replies Latest reply on Jul 22, 2013 9:47 AM by 937681

    start ds as non root on privileged port


      Sun-Directory-Server/ B2013.0109.2015 (64-bit) running on Red Hat 6 (Linux 2.6.32-358.el6.x86_64)


      All DS instances as well as DSCC agents and the DSCC registry run as non root.

      We cannot start DS (using privileged ports 389,636) via DSCC:


      The error message is /sunone/dsee7/bin/dsadm: error while loading shared libraries: libldap60.so: cannot open shared object file: No such file or directory


      We used:

      setcap CAP_NET_BIND_SERVICE=+ep /sunone/dsee7/bin/dsadm # to allow privileged ports


      Even setting LD_LIBRARY_PATH=/sunone/dsee7/lib/private/ (which contains the required libldap60.so) does not change the behaviour.


      Starting on the command line as non root gives exactly the same error (libldap60.so No such file or directory).

      Starting as root works.



      Michael Gsandtner
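The symptom above (the library vanishes exactly when dsadm carries file capabilities, and LD_LIBRARY_PATH no longer helps) is glibc's secure-execution mode: a binary that gains privilege at exec is started with AT_SECURE set, and ld.so then ignores the caller's LD_LIBRARY_PATH. The script below is an added illustration, not code from the thread or from Oracle; it models that search-order decision on a constructed temporary tree using the paths from the post, and the ld.so.conf.d/RUNPATH remedy it names is an assumption about how to proceed, not something the thread confirms.

```shell
#!/bin/sh
# Added model (not from the thread) of glibc ld.so's library search and of
# why LD_LIBRARY_PATH stops working after setcap: a binary that gains
# privilege at exec (setuid, or file caps such as CAP_NET_BIND_SERVICE=+ep)
# runs with AT_SECURE set, and in that secure-execution mode ld.so ignores
# the caller's LD_LIBRARY_PATH, consulting only RUNPATH, ld.so.cache
# (/etc/ld.so.conf.d) and the default directories.

# effective_search_dirs SECURE LD_LIBRARY_PATH RUNPATH CONF_DIRS
# Prints the colon-separated list ld.so would search, in order.
effective_search_dirs() {
    secure=$1 ldpath=$2 runpath=$3 confdirs=$4
    dirs=""
    # The environment is trusted only for an ordinary (non-secure) exec.
    if [ "$secure" = 0 ] && [ -n "$ldpath" ]; then dirs="$ldpath"; fi
    for d in "$runpath" "$confdirs" "/lib64:/usr/lib64"; do
        [ -n "$d" ] && dirs="${dirs:+$dirs:}$d"
    done
    printf '%s\n' "$dirs"
}

# find_lib LIBNAME DIRS: print the first directory providing LIBNAME,
# status 1 when none does (ld.so's "cannot open shared object file").
find_lib() {
    lib=$1
    IFS=:; set -- $2; unset IFS
    for d in "$@"; do
        [ -e "$d/$lib" ] && { printf '%s\n' "$d"; return 0; }
    done
    return 1
}

# Constructed stand-in for the layout in the post: an empty file plays
# /sunone/dsee7/lib/private/libldap60.so under a temporary root.
ROOT=$(mktemp -d)
PRIV="$ROOT/sunone/dsee7/lib/private"
mkdir -p "$PRIV" && : > "$PRIV/libldap60.so"
# 1. dsadm without file caps, LD_LIBRARY_PATH set: resolves, as expected.
normal_exec()  { find_lib libldap60.so "$(effective_search_dirs 0 "$PRIV" "" "")"; }
# 2. Same dsadm after setcap: LD_LIBRARY_PATH is dropped, lookup fails
#    even though the directory exists (the symptom in the post).
setcap_exec()  { find_lib libldap60.so "$(effective_search_dirs 1 "$PRIV" "" "")"; }
# 3. A path the loader still trusts in secure mode, e.g. the directory
#    registered via an /etc/ld.so.conf.d drop-in plus ldconfig (assumed fix).
setcap_fixed() { find_lib libldap60.so "$(effective_search_dirs 1 "$PRIV" "" "$PRIV")"; }

for f in normal_exec setcap_exec setcap_fixed; do
    if $f >/dev/null; then echo "$f: libldap60.so found"; else echo "$f: not found"; fi
done
```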

        • 1. Re: start ds as non root on privileged port
          1. Switch to the root user and execute the commands below.

          This uses iptables to route the request from port 389 to 1389. The DS still runs on a non-priv port. This is only a workaround, though.

          # iptables --append PREROUTING --table nat --protocol tcp --dport 389 --jump REDIRECT --to-port 1389

          # iptables -t nat -A OUTPUT -p tcp --dport 389 -j DNAT --to :1389

          • 2. Re: start ds as non root on privileged port

            We have solved as follows:

            The agent now runs as root (and can listen on privileged ports).

            There are two different properties:

            agent-username=root in var/dcc/agent/config/conf.txt; the user running the agent

            agentowner:slapd in the registry entry of the agent (cn=Agents,cn=dscc); the user running the directory server


            You need an agent whose agentowner matches the server's instanceowner (cn=Servers,cn=dscc). Otherwise you cannot restart the server or manage certificates via DSCC.