9.1.9.8. Least Privilege

The OpenLDAP service runs under the ldap user and ldap group. This allows directory permissions to limit the service's access to files and directories not owned by the ldap user or group. The ldap user does not have a valid login shell.

The default LDAP server policy denies all users access to everything (default deny). Access to LDAP entries is granted explicitly.
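An added audit script, not part of the original document, that checks two of the properties stated above: the ldap account has a non-interactive login shell, and the slapd process runs as the ldap user. It assumes a GNU/Linux host with getent and procps ps, and that the OpenLDAP daemon's process name is slapd; the helper functions take their input as arguments so they can also be exercised with constructed data.

```shell
#!/bin/sh
# Added example, not from the original document: least-privilege audit
# helpers for the OpenLDAP service account. Assumes Linux getent/ps and a
# daemon process named slapd.

# Succeed when a passwd entry's login shell is non-interactive.
# $1: one passwd line, e.g. the output of `getent passwd ldap`
passwd_shell_is_nologin() {
    shell=${1##*:}
    case "$shell" in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed when every slapd process in `ps -eo user,comm` output runs as $1.
# $1: expected user; $2: ps output, one "user command" pair per line
slapd_runs_as() {
    printf '%s\n' "$2" | awk -v want="$1" '
        $2 == "slapd" { seen = 1; if ($1 != want) bad = 1 }
        END { exit ((seen && !bad) ? 0 : 1) }'
}

# Run both checks against the live host; non-zero exit on any failure.
audit_live() {
    rc=0
    entry=$(getent passwd ldap) || { echo "FAIL: no ldap user"; return 1; }
    if passwd_shell_is_nologin "$entry"; then
        echo "OK: ldap login shell is ${entry##*:}"
    else
        echo "FAIL: ldap has interactive shell ${entry##*:}"; rc=1
    fi
    if slapd_runs_as ldap "$(ps -eo user,comm)"; then
        echo "OK: slapd runs as ldap"
    else
        echo "FAIL: slapd not running, or running as another user"; rc=1
    fi
    return $rc
}

# Only touch the live system when explicitly asked: ./audit.sh --live
if [ "${1-}" = "--live" ]; then
    audit_live
fi
```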

References: AC-6 : LEAST PRIVILEGE