Hi Steve,
If I remember rightly, by default the server is started as root (to be able to open the listening ports) then switch to nsslapd-localuser (which is usually not privileged)
That said, I routinely run 389ds directly as a non-root user (mostly for development and debugging purposes) so it is possible to do it.
There is a bit more than what you listed but not much. (I do not change the instance configuration files but rather directly the template files ( defaults.inf for the user and paths and template-dse*.ldif to disable by default some plugins) then I create new instances with dscreate as usual:
- Make sure to use non privileged port when creating instance
- Modify the defaults.inf to change the paths towards writable (by the user) directories (beware of path loke /run or /var/run )
Most functionalities work fine but it may be possible that some plugins interacting with external components do not.
For my part I had to disable pwdchan-plugin from the template-dse*.ldif but that is more likely because I use a custom build without RUST rather than the fact I start the server while logged in with an unprivileged user.
Have fun !
Pierre