matt4 Contributor.

SystemD script for starting non-root eDir

Has anyone created a SystemD based start/stop script for a non-root INSTANCE of eDir?

I'm running a non-root instance of eDir (root install) on RHEL 7.5 and I want it to auto start on boot. I was just going to do an old-school init.d script, but thought maybe someone has a solution for SystemD? I haven't really gotten fully up to speed on SystemD yet. Thanks!

Matt
matt4 Contributor.

Re: SystemD script for starting non-root eDir

Side note on this..
I opened an SR with support asking about this, and I'm being told this is NOT supported. That was a complete shock to me.

Was anyone else aware that running eDir as non-root using a root-based install (RPM) of eDir is not supported?

Matt
Knowledge Partner

Re: SystemD script for starting non-root eDir

matt wrote:

> I opened an SR with support asking about this, and I'm being told this
> is NOT supported. That was a complete shock to me.
>
> Was anyone else aware that running eDir as non-root using a root-based
> install (RPM) of eDir is not supported?


Did they say, running Edir that way is not supported or that they do not
support (and not provide) any systemd service unit to start Edir as non-root?

(they do provide and support a root-run, root-installed service unit)

--
http://www.is4it.de/en/solution/identity-access-management/

(If you find this post helpful, please click on the star below.)
Micro Focus Expert

Re: SystemD script for starting non-root eDir

On 2018-07-19 12:00, Lothar Haeger wrote:
> matt wrote:
>
>> I opened an SR with support asking about this, and I'm being told this
>> is NOT supported. That was a complete shock to me.
>>
>> Was anyone else aware that running eDir as non-root using a root-based
>> install (RPM) of eDir is not supported?
>
> Did they say, running Edir that way is not supported or that they do not
> support (and not provide) any systemd service unit to start Edir as non-root?
>
> (they do provide and support a root-run, root-installed service unit)


On SLES systemd user units are used for non-root installs. But that
feature was removed from systemd in RHEL 7. That's why non-root installs
were not supported in < 9.0.4

I agree that we need support for systemd unit files for non-root
instances of root installs. It shouldn't be too hard to write a unit file
with appropriate credentials parameters:
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#User=
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet=

And a /etc/sudoers.d/ndsd example with

%idmadmin ALL = /usr/bin/systemctl restart ndsd.service
%idmadmin ALL = /usr/bin/systemctl stop ndsd.service
%idmadmin ALL = /usr/bin/systemctl start ndsd.service
%idmadmin ALL = /usr/bin/systemctl status ndsd.service

--
Norbert
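One way to write the unit file described in the post above, using the User= and CapabilityBoundingSet= settings it links to (an added example, not from the thread and not a Micro Focus-provided unit). The account name edir, the instance path /home/edir/inst1/nds.conf, the unit name ndsd-inst1.service and the ndsmanage location and arguments are assumptions to adapt to the actual instance.

```ini
# /etc/systemd/system/ndsd-inst1.service
# Added example. Assumed values: service account "edir", instance
# configuration file /home/edir/inst1/nds.conf, ndsmanage installed by the
# root (RPM) install under /opt/novell/eDirectory/bin.

[Unit]
Description=eDirectory non-root instance inst1 (root install)
After=network.target

[Service]
# ndsd detaches into the background once the instance is started.
Type=forking

# Run the instance as its unprivileged owner, never as root.
User=edir
Group=edir

# Empty value: the bounding set is cleared, so nothing started from this
# unit can acquire capabilities, even through a setuid binary. A non-root
# instance listens on ports above 1024 and needs none.
CapabilityBoundingSet=

# Assumption: ndsmanage accepts --config-file to select a single instance
# owned by the invoking user, and finds its libraries without ndspath
# being sourced first.
ExecStart=/opt/novell/eDirectory/bin/ndsmanage start --config-file /home/edir/inst1/nds.conf
ExecStop=/opt/novell/eDirectory/bin/ndsmanage stop --config-file /home/edir/inst1/nds.conf

# Give the database time to close cleanly before systemd escalates to SIGKILL.
TimeoutStopSec=120

[Install]
WantedBy=multi-user.target
```

With a unit named this way, the sudoers entries in the post would reference ndsd-inst1.service instead of ndsd.service, so members of idmadmin can control only this instance.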
Knowledge Partner

Re: SystemD script for starting non-root eDir

On 18/07/18 21:16, matt wrote:

> Side note on this..
> I opened an SR with support asking about this, and I'm being told this
> is NOT supported. That was a complete shock to me.


What is not supported, SystemD?

> Was anyone else aware that running eDir as non-root using a root-based
> install (RPM) of eDir is not supported?


.... or were you referring to the above as not being supported?

Whilst Micro Focus offer a download of eDirectory for a non-root install
it's certainly not clear from the download page or documentation that
using the root-install to configure a non-root instance is not supported
(but then it's not even clear it's even possible). I'll flag this to my
Micro Focus contacts asking for clarification.

HTH.
--
Simon
Micro Focus Knowledge Partner

------------------------------------------------------------------------
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below. Thanks.
------------------------------------------------------------------------
Knowledge Partner

Re: SystemD script for starting non-root eDir

matt wrote:

> Was anyone else aware that running eDir as non-root using a root-based
> install (RPM) of eDir is not supported?


Have a look at
https://www.netiq.com/documentation/edirectory-91/edir_install/data/a79kg0w.html#bqs8mmt, someone might have had this in mind:


You can configure multiple instances of eDirectory 9.1 on a single host. With
the multiple instances feature support in eDirectory 9.1, you can configure the
following:

Multiple instances of eDirectory on a single host
Multiple trees for different users on a single host
Multiple replicas of the same tree or partition on a single host

WARNING: Configuring multiple trees for the same user is not supported. NetIQ
does not support instances of servers in different trees for a user. If you
want to configure servers in multiple trees, use different user accounts.



--
http://www.is4it.de/en/solution/identity-access-management/

(If you find this post helpful, please click on the star below.)
Knowledge Partner

Re: SystemD script for starting non-root eDir

Matt was told, as I understand it, that running a non-root instance in a
root-based install was not supported (systemd or otherwise).

While nothing in the documentation explicitly states you cannot do that,
and there is nothing explicitly telling a user to do it, there are
documentation references that refer to this being something that is done,
so it's a gray area.

With that written, I think it is the best way to run eDirectory, or
anything else, for security reasons. With a root install the files are
owned by root, meaning a non-root user cannot mess them up normally, and
also other software works best with the root install (IDM, auditing, NAM,
OES, etc.), not to mention eDirectory itself (there is no "upgrade" for
the non-root install other than a CoolSolution because you basically
remove the old stuff with 'rm' and then extract the new stuff).

All of this said, non-root instances in root installs work great and I
would recommend doing it anytime. The only drawback is how to run them,
and possibly how to get the lower (less than 1024) ports that you may
want, but you can get those mapped with iptables/SuSEfirewall2/etc. easily
enough so it is seamless to clients.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
matt4 Contributor.

Re: SystemD script for starting non-root eDir

ab;2484358 wrote:

> Matt was told, as I understand it, that running a non-root instance in a
> root-based install was not supported (systemd or otherwise).
>
> While nothing in the documentation explicitly states you cannot do that,
> and there is nothing explicitly telling a user to do it, there are
> documentation references that refer to this being something that is done,
> so it's a gray area.
>
> With that written, I think it is the best way to run eDirectory, or
> anything else, for security reasons. With a root install the files are
> owned by root, meaning a non-root user cannot mess them up normally, and
> also other software works best with the root install (IDM, auditing, NAM,
> OES, etc.), not to mention eDirectory itself (there is no "upgrade" for
> the non-root install other than a CoolSolution because you basically
> remove the old stuff with 'rm' and then extract the new stuff).
>
> All of this said, non-root instances in root installs work great and I
> would recommend doing it anytime. The only drawback is how to run them,
> and possibly how to get the lower (less than 1024) ports that you may
> want, but you can get those mapped with iptables/SuSEfirewall2/etc. easily
> enough so it is seamless to clients.
>
> --
> Good luck.
>
> If you find this post helpful and are logged into the web interface,
> show your appreciation and click on the star below.
>
> If you want to send me a private message, please let me know in the
> forum as I do not use the web interface often.

Aaron is correct, this is NOT a supported configuration currently. The only way to run eDir as non-root and be fully supported is to use the tarball based install. Otherwise, it is best-effort support.

However, it appears I am making some headway on getting this setup (root install/non-root instance) as an officially supported configuration, so stay tuned.

Matt