It is highly recommended not to run internet-facing services as root. For this reason, oidentd attempts to switch to an unprivileged user automatically after starting up.
Please note that oidentd is required to run as root on a small number of systems. On these systems, a warning is printed at startup, and privileges are not dropped automatically. In this case, it is recommended to confine the oidentd process in some other way. Your system is affected by this limitation if
oidentd --version prints “Needs root access: Yes”.
By default, oidentd attempts to run as one of the following users, in order of preference. If a user does not exist, oidentd tries to use the next one.
As a last resort, oidentd switches to user ID 65534 if neither of the above users exists.
By default, oidentd attempts to run as one of the following groups, in order of preference. If a group does not exist, oidentd tries to use the next one.
As a last resort, oidentd switches to group ID 65534 if none of the above groups exist.
--group options can be used to run oidentd as another user or group, respectively. oidentd will refuse to start up if the user or group specified by either of these options does not exist, or if privileges cannot be dropped for some other reason.