setup-ds-admin.pl, does not allow you to configure the Administration Server to use TLS/SSL. To use TLS/SSL (meaning HTTPS) with the Administration Server, first set up the Administration Server to use HTTP, then reconfigure it to use HTTPS.

NOTE
When determining the port numbers you will use, verify that the specified port numbers are not already in use by running a command like netstat.

If you are using ports below 1024, such as the default LDAP port (389), you must run the setup program and start the servers as root. You do not, however, have to set the server user ID to root. When it starts, the server binds and listens to its port as root, then immediately drops its privileges and runs as the non-root server user ID. When the system restarts, the server is started as root by the init script. The setuid(2) man page [1] has detailed technical information.

Section 1.2.4, “Directory Server User and Group” has more information about the server user ID.

1.2.3. Firewall Considerations

The Directory Server instance may be on a different server or network than the clients which need to access it. For example, the Red Hat Certificate System subsystems require a Directory Server LDAP database to store their certificate, key, and user information, but these servers do not need to be on the same machine.

When installing Directory Server, make sure that you consider the location of the instance on the network and that all firewalls, DMZs, and other network services allow the client to access the Directory Server. There are two considerations about using firewalls with Directory Server and directory clients:

• Protecting sensitive subsystems from unauthorized access
• Allowing appropriate access to other systems and clients outside of the firewall

Make sure that the firewalls allow access to the Directory Server secure (636) and standard (389) ports, so that any clients which must access the Directory Server instance are able to contact it.

1.2.4. Directory Server User and Group

The setup process sets a user ID (UID) and group ID (GID) as which the servers will run. The default UID is a non-privileged (non-root) user, nobody on Red Hat Enterprise Linux and daemon on HP-UX. Red Hat strongly recommends using this default value.

IMPORTANT
The same UID is used for both the Directory Server and the Administration Server by default, which simplifies administration. If you choose a different UID for each server, those UIDs must both belong to the group assigned to Directory Server.

For security reasons, Red Hat strongly discourages you from setting the Directory Server or Administration Server user to root. If an attacker gains access to the server, he might be able to

[1] http://grove.ufl.edu/cgi-bin/webman?SEARCH+man2+setuid.2.gz
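The note earlier in this section asks you to confirm, with a tool like netstat, that the ports chosen for setup are not already taken. The following script is an added example, not part of the Red Hat guide, that performs that check by parsing the kernel socket table directly; it assumes the Linux /proc/net/tcp layout (hex "IP:PORT" in column 2, socket state in column 4, 0A meaning LISTEN), and the port 9830 in the final call is an assumed example value for the Administration Server port.

```shell
# Added example (not from the guide): report TCP ports already in LISTEN state
# by parsing /proc/net/tcp-style text, so the ports picked for setup are free.
# Assumes the Linux layout: column 2 is "HEXIP:HEXPORT", column 4 is the state.

# listening_ports: read /proc/net/tcp-style text on stdin and print the
# decimal port of every LISTEN (0A) socket, one per line, sorted and unique.
listening_ports() {
    awk 'function hex2dec(h,  i, n) {
             n = 0
             for (i = 1; i <= length(h); i++)
                 n = n * 16 + index("0123456789ABCDEF", substr(toupper(h), i, 1)) - 1
             return n
         }
         NR > 1 && $4 == "0A" { split($2, a, ":"); print hex2dec(a[2]) }' | sort -un
}

# port_in_use PORT [FILE...]: exit 0 if PORT has a listener in the given
# socket tables (default: the live IPv4 and IPv6 tables of this host).
port_in_use() {
    port=$1; shift
    [ $# -eq 0 ] && set -- /proc/net/tcp /proc/net/tcp6
    cat "$@" 2>/dev/null | listening_ports | grep -qx "$port"
}

# check_ports FILE PORT...: print "PORT free" or "PORT in-use" for each port;
# exit 1 if any of them is taken, so a setup script can stop before binding.
check_ports() {
    file=$1; shift; rc=0
    for p in "$@"; do
        if port_in_use "$p" "$file"; then echo "$p in-use"; rc=1; else echo "$p free"; fi
    done
    return $rc
}

# Constructed sample table: sshd listening on 22 (0x0016), another LDAP
# server already listening on 389 (0x0185), and a TIME_WAIT (06) socket on
# 636 (0x027C) that is not a listener and must not be reported as in use.
SAMPLE_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0185 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:027C 0100007F:C2B4 06 00000000:00000000 03:00000F2E 00000000     0        0 0 3 0000000000000000'

tmp=$(mktemp)
printf '%s\n' "$SAMPLE_TCP" > "$tmp"
# 9830 stands in for whatever Administration Server port was chosen (assumed value).
check_ports "$tmp" 389 636 9830 || echo "pick other ports or stop the conflicting service"
rm -f "$tmp"
```

Run it without the sample file (call port_in_use or check_ports with no FILE, or with /proc/net/tcp) to inspect the live host; ports reported in-use here will make the server's bind fail when it starts as root.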