How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I make DS (All versions) listen on port 636 or 389 without being root?

Last updated Jun 10, 2021

The purpose of this article is to provide guidance on running DS as an unprivileged user while still listening on the privileged standard ports 636 (LDAPS) and 389 (LDAP).


Overview

It is considered best practice on Unix® based systems to avoid running services as root: any vulnerability in the service would then hand the attacker the root account rather than a low-privilege one. DS's startup script lets the service run as an administrator-defined user, for example "opendj".

Unix operating systems prevent non-root users from binding TCP ports below 1024. It is desirable to run DS on the standard ports 636 (LDAPS) and 389 (LDAP), but running as a non-root user would seem to prevent this.

This article offers some solutions for different supported operating systems: Linux® and Solaris®.

Note

Microsoft® Windows® does not restrict which processes can listen on TCP/IP sockets below 1024, so no special configuration is needed for DS on Microsoft Windows servers.

Linux

There are two ways to solve this problem on Linux:

  • Using capabilities(7)
  • Using port forwarding

Using capabilities(7)

This technique lets you grant a given executable program additional privileges. In the case of DS, the executable program is Java®.

Caution

Often Linux systems have multiple JVMs installed. Make sure you are configuring the JVM that DS actually uses: check OPENDJ_JAVA_HOME and JAVA_HOME in the environment of the DS user, and any default.java-home setting in config/java.properties, since a capability set on a different java binary has no effect.

In the following steps, a 64-bit version of Java 8u172 is being used; update the paths as appropriate if you are using a different version:

  1. Add the net_bind_service capability to the Java executable:

     # setcap cap_net_bind_service+eip /usr/java/jdk1.8.0_172/jre/bin/java

     Setting a file capability makes the kernel start the binary in secure-execution mode, the same mode used for setuid programs. In that mode the runtime linker ignores LD_LIBRARY_PATH and does not expand $ORIGIN in the executable's RPATH. The java launcher locates libjli.so through an $ORIGIN-relative RPATH, so until the linker is told where that library lives, java fails to start with an error that libjli.so cannot be found.
  2. Configure the runtime linker to load libraries from the JVM's jli directory and rebuild its cache:

     # echo /usr/java/jdk1.8.0_172/jre/lib/amd64/jli > /etc/ld.so.conf.d/java.conf
     # ldconfig
  3. Restart DS so that it starts a JVM under the new linker configuration. A reboot is not required: ldconfig rewrites /etc/ld.so.cache immediately, and every newly started process reads the updated cache.
  4. Verify that the runtime linker now resolves libjli.so by running ldconfig again:

     # ldconfig -p | grep jli
     libjli.so (libc6,x86-64) => /usr/java/jdk1.8.0_172/jre/lib/amd64/jli/libjli.so

     Then confirm that the DS user can still start the JVM, for example by running the java binary with -version as that user. If the linker configuration is wrong, this is where the libjli.so error appears.
  5. Configure DS to listen on a privileged port using the dsconfig command applicable to your version:
    • DS 7.1 and later: $ ./dsconfig set-connection-handler-prop --handler-name LDAP --set listen-port:389 --hostname ds1.example.com --port 4444 --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password --no-prompt
    • DS 7: $ ./dsconfig set-connection-handler-prop --handler-name LDAP --set listen-port:389 --hostname ds1.example.com --port 4444 --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password --no-prompt
    • DS 6.x: $ ./dsconfig set-connection-handler-prop --handler-name LDAP --set listen-port:389 --hostname ds1.example.com --port 4444 --trustAll --bindDN "cn=Directory Manager" --bindPassword password --no-prompt
    • DS 5.x: $ ./dsconfig set-connection-handler-prop --handler-name "LDAP Connection Handler" --set listen-port:389 --hostname ds1.example.com --port 4444 --trustAll --bindDN "cn=Directory Manager" --bindPassword password --no-prompt

     Repeat the command for the LDAPS handler (handler name LDAPS, or "LDAPS Connection Handler" on DS 5.x) with listen-port:636, then restart DS so that the handlers bind to the new ports.
Warning

The capability is attached to the java binary, not to DS or to the "opendj" user: any user who can execute that binary can now bind any port below 1024 with any Java program. If that is a concern, either restrict execute permission on a JVM installation dedicated to DS (owned by root, group opendj, mode 750) so only the DS account can launch it, or use port forwarding instead. Audit the binary with getcap(8) after patching or upgrading the JVM, since a replaced binary loses the capability and DS then fails to bind the port.
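The steps above, applied and verified as one script. This is an added example, not part of the ForgeRock article or of DS itself. It assumes DS runs as the "opendj" user, that the JVM lookup order (OPENDJ_JAVA_HOME, then JAVA_HOME, then java on PATH) matches the DS start script of your version, and that the JVM is a Java 8 layout (lib/<arch>/jli) or a Java 9+ layout (lib/jli); confirm the lookup order against lib/_script-util.sh in your installation.

```shell
#!/bin/sh
# Added example (not from the ForgeRock article): apply the capabilities(7)
# approach to the JVM that DS will actually launch, then prove it worked.
# Assumptions: DS runs as "opendj"; the JVM lookup order below mirrors the DS
# start script (OPENDJ_JAVA_HOME, then JAVA_HOME, then PATH).
set -eu

# Print the java binary DS will launch.
ds_java_bin() {
    if [ -n "${OPENDJ_JAVA_HOME:-}" ]; then
        echo "$OPENDJ_JAVA_HOME/bin/java"
    elif [ -n "${JAVA_HOME:-}" ]; then
        echo "$JAVA_HOME/bin/java"
    else
        command -v java
    fi
}

# Given a java binary, print the directory holding libjli.so. Java 8 keeps it
# under lib/<arch>/jli, Java 9+ under lib/jli; both sit beside bin/. This is
# the directory the runtime linker must be told about (ld.so.conf.d).
jli_dir() {
    home=$(cd "$(dirname "$1")/.." && pwd)
    for d in "$home/lib/jli" "$home"/lib/*/jli; do
        if [ -f "$d/libjli.so" ]; then
            echo "$d"
            return 0
        fi
    done
    return 1
}

# Return 0 if getcap(8) output (passed as $1) shows cap_net_bind_service as
# both effective and permitted. libcap before 2.41 prints
# "path = cap_net_bind_service+eip"; newer releases print
# "path cap_net_bind_service=eip". Both forms are handled.
has_bind_cap() {
    flags=$(printf '%s\n' "$1" |
        sed -n 's/.*cap_net_bind_service[^=+]*[+=]\([a-z]*\).*/\1/p')
    case "$flags" in
        *e*p*|*p*e*) return 0 ;;
    esac
    return 1
}

# Apply the change (root required) and verify each effect before trusting it.
apply_cap() {
    java=$(ds_java_bin)
    jli=$(jli_dir "$java")
    setcap cap_net_bind_service+eip "$java"
    echo "$jli" > /etc/ld.so.conf.d/ds-java.conf
    ldconfig
    has_bind_cap "$(getcap "$java")" ||
        { echo "capability not set on $java" >&2; return 1; }
    ldconfig -p | grep -qF "$jli/libjli.so" ||
        { echo "libjli.so not in the linker cache" >&2; return 1; }
    # The launcher now runs in secure-execution mode; starting it as the DS
    # user proves the linker still finds libjli.so without $ORIGIN.
    su -s /bin/sh -c "'$java' -version" opendj
}

if [ "${1:-}" = "apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "apply must run as root" >&2; exit 1; }
    apply_cap
fi
```

Run it as root with the argument apply after setting OPENDJ_JAVA_HOME to the JVM DS uses. The three checks at the end of apply_cap are the ones that matter after any JVM upgrade: a replaced java binary silently loses its file capability, and a JVM moved to a new path leaves a stale ld.so.conf.d entry behind.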

Using Port Forwarding

With this configuration, DS itself listens only on unprivileged ports (for example, 1389), and the firewall rewrites connections arriving at the standard port (for example, 389) to that port before they reach DS. Nothing is granted to the JVM, so this is the preferred approach where other users can run Java on the same host. The details depend on the Linux distribution; the examples below are from Red Hat® Enterprise Linux 6:

  1. Optionally enable IP forwarding by editing /etc/sysctl.conf and setting the net.ipv4.ip_forward variable to 1:

     net.ipv4.ip_forward = 1

     This step is carried over from the original procedure, but it is not what makes the redirect work: the REDIRECT target rewrites the destination to an address of the local host, so the packet is delivered locally through the INPUT chain rather than routed through FORWARD. Enabling forwarding lets the host route packets between its interfaces, so leave it disabled unless something else on the server needs it.
  2. If you changed it, reload the file:

     # sysctl -p /etc/sysctl.conf
  3. Update the iptables configuration to allow connections to both ports (389 and 1389), and lastly add REDIRECT rules to the "nat" table. The rules to allow the connections are:

     -A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
     -A INPUT -m state --state NEW -m tcp -p tcp --dport 1389 -j ACCEPT

     The rules to redirect the port are:

     -A PREROUTING -t nat -p tcp --dport 389 -j REDIRECT --to-ports 1389
     -A OUTPUT -t nat -p tcp -d 127.0.0.1 --dport 389 -j REDIRECT --to-ports 1389

     The PREROUTING rule handles connections from other hosts. The OUTPUT rule is needed for clients on the DS host itself (for example, ldapsearch against localhost:389), because locally generated packets never traverse PREROUTING. Note that INPUT now accepts 1389 as well, so clients can also connect to the unprivileged port directly; the redirect is a convenience, not an access control, and any source restrictions must be applied to both ports. The resulting /etc/sysconfig/iptables file might look like this:

     *filter
     :INPUT ACCEPT [0:0]
     :FORWARD ACCEPT [0:0]
     :OUTPUT ACCEPT [0:0]
     -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
     -A INPUT -p icmp -j ACCEPT
     -A INPUT -i lo -j ACCEPT
     -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
     -A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
     -A INPUT -m state --state NEW -m tcp -p tcp --dport 1389 -j ACCEPT
     -A INPUT -j REJECT --reject-with icmp-host-prohibited
     -A FORWARD -j REJECT --reject-with icmp-host-prohibited
     COMMIT
     *nat
     -A PREROUTING -p tcp --dport 389 -j REDIRECT --to-ports 1389
     -A OUTPUT -p tcp -d 127.0.0.1 --dport 389 -j REDIRECT --to-ports 1389
     COMMIT
  4. Restart iptables using:

     # service iptables restart

DS should now be accessible on port 389, even though it is configured to listen on port 1389. Repeat the same pattern for LDAPS, redirecting 636 to the port the LDAPS handler listens on (for example, 1636).
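The redirect procedure for any number of port pairs, with the pre-flight and post-install checks a practitioner would want. This is an added example, not part of the ForgeRock article or of DS. It assumes iptables (as on RHEL 6, not nftables or firewalld) manages the ruleset, that DS is already listening on the unprivileged ports, and that pairs are passed as LOW:HIGH (for example 389:1389 636:1636). It deliberately does not touch net.ipv4.ip_forward, because REDIRECT delivers the rewritten packet locally.

```shell
#!/bin/sh
# Added example (not from the ForgeRock article): generate and verify iptables
# REDIRECT rules for privileged->unprivileged port pairs such as 389:1389.
# Assumptions: legacy iptables manages the firewall; DS already listens on the
# high ports; "ss -ltn" and "iptables-save" are available.
set -eu

# Emit the iptables commands for one pair. The PREROUTING rule serves remote
# clients; the OUTPUT rule makes connections from the DS host itself work,
# because locally generated packets never traverse PREROUTING.
redirect_rules() {
    low=$1; high=$2
    printf 'iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport %s -j ACCEPT\n' "$low"
    printf 'iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport %s -j ACCEPT\n' "$high"
    printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j REDIRECT --to-ports %s\n' "$low" "$high"
    printf 'iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport %s -j REDIRECT --to-ports %s\n' "$low" "$high"
}

# Return 0 if iptables-save output ($1) already carries the PREROUTING
# REDIRECT from $2 to $3. iptables-save inserts "-m tcp" into saved rules,
# so match loosely around --dport.
redirect_present() {
    printf '%s\n' "$1" |
        grep -Eq -- "^-A PREROUTING .*--dport $2 .*-j REDIRECT --to-ports $3\$"
}

# Return 0 if "ss -ltn" output ($1) shows a listener on port $2, whatever
# the address form (0.0.0.0:389, [::]:389 or *:389).
listener_on() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Pre-flight: DS must already listen on each high port, and nothing may
# listen on a low port, because REDIRECT would silently steal its traffic.
preflight() {
    ss_out=$1; shift
    for pair in "$@"; do
        low=${pair%%:*}; high=${pair##*:}
        listener_on "$ss_out" "$high" ||
            { echo "nothing listens on $high; configure DS first" >&2; return 1; }
        if listener_on "$ss_out" "$low"; then
            echo "port $low already has a listener; REDIRECT would hide it" >&2
            return 1
        fi
    done
}

if [ "${1:-}" = "apply" ]; then
    shift
    [ "$(id -u)" -eq 0 ] || { echo "apply must run as root" >&2; exit 1; }
    preflight "$(ss -ltn)" "$@"
    for pair in "$@"; do
        low=${pair%%:*}; high=${pair##*:}
        redirect_rules "$low" "$high" | sh -e
        redirect_present "$(iptables-save -t nat)" "$low" "$high" ||
            { echo "REDIRECT $low -> $high not installed" >&2; exit 1; }
    done
    echo "rules are live; persist them with 'service iptables save' on RHEL 6"
fi
```

Run as root with apply followed by the pairs, for example apply 389:1389 636:1636. The pre-flight check catches the two silent failure modes of this setup: DS not yet listening on the high port (clients get a refused connection on 389 that looks like a firewall problem) and a stray process already bound to the low port (it keeps running but never receives traffic once the REDIRECT is in place).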

Solaris

On Solaris 10 and above, you can use the privileges(5) mechanism to change the privileges for a specific user.

To allow the "opendj" account to listen on privileged network ports, do this:

# usermod -K defaultpriv=basic,net_privaddr opendj

The "opendj" user will then be able to listen on privileged network ports. The new default privilege set applies to processes started from a fresh login of that account, so restart DS from a new session. Note that net_privaddr permits binding any privileged port, not only 389 and 636, so grant it only to the DS service account; you can confirm the effective set from a shell running as "opendj" with ppriv(1).

See Also

How do I prevent the use of weak SSL cipher suites on the DS (All versions) administration port?

How do I prevent the use of weak SSL cipher suites on the DS (All versions) replication port?

Installing and Administering DS

Security Guide › Administrative Roles 

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.