Choosing User and Group
For security reasons, it is always best to run UNIX-based production servers with normal user privileges. That is, you do not want to run Directory Server with root privileges. However, you will have to run Directory Server with root privileges if you are using the default Directory Server ports. If Directory Server is to be started by Administration Server, Administration Server must run either as root or as the same user as iPlanet Directory Server 5.1.
You must therefore decide what user accounts you will use for the following purposes.
-
The user and group under which you will run iPlanet Directory Server 5.1.
If you will not be running the iPlanet Directory Server 5.1 as root, it is strongly recommended that you create a user account for all iPlanet servers. You should not use any existing operating system account, and must not use the nobody account. Also you should create a common group for the iPlanet Directory Server 5.1 files; again, you must not use the nobody group
-
The user and group under which you will run Administration Server.
For configurations that use the default port numbers, this must be root. However, if you use ports over 1024, then you should create a user account for all iPlanet servers, and run Administration Server as this account.
As a security precaution, when Administration Server is being run as root, it should be shut it down when it is not in use.
You should use a common group for all iPlanet servers, such as gid iPlanet, to ensure that files can be shared between servers when necessary.
Before you can install iPlanet Directory Server 5.1 and Administration Server, you must make sure that the user and group accounts you will use exist on your system.
- © 2010, Oracle Corporation and/or its affiliates