Service accounts typically use the simpleSecurityObject object class.
On Tue, Dec 19, 2017 at 9:15 PM, Douglas Duckworth
It seems I created this service account with posixAccount
So I need to do some research on what's the appropriate objectClass for this
service account. It's used by SSSD and Apache, for example, to perform
binds with our LDAP cluster since we do not allow anon binds. In addition
ACLs only permit this account, and the Manager, access to read the entire
From reading here http://www.zytrax.com/books/ldap/ape/#objectclasses I
think I would only need objectClass: account which the service account
already contains. So I could delete the posixAccount objectClass and then
uidNumber, gidNumber, homeDirectory, and loginShell?
Douglas Duckworth, MSc, LFCS
HPC System Administrator
Scientific Computing Unit
Physiology and Biophysics
Weill Cornell Medicine
On Thu, Oct 26, 2017 at 9:24 AM, Douglas Duckworth <dod2014(a)med.cornell.edu>
> Thanks John and everyone else. It's only performing binds for Apache, and
> sssd, as I do not allow anon binds to the LDAP server. This particular
> account does not perform any interactive logins on *Nix boxes.
> Douglas Duckworth, MSc, LFCS
> HPC System Administrator
> Scientific Computing Unit
> Physiology and Biophysics
> Weill Cornell Medicine
> E: doug(a)med.cornell.edu
> O: 212-746-6305
> F: 212-746-8690
> On Wed, Oct 25, 2017 at 9:18 PM, John Lewis <jl(a)hyperbolicinnovation.com>
>> On Wed, 2017-10-25 at 09:32 -0400, Douglas Duckworth wrote:
>> > Hi
>> > Do I need uidNumber for Service Accounts used for application /
>> > server binding if this user won't actually be resolved by sssd or
>> > nslcd?
>> > I set a very high uidNumber but eventually this will conflict with
>> > users as in my ignorance I didn't put this in a lower range.
>> > Thanks,
>> > Douglas Duckworth, MSc, LFCS
>> > HPC System Administrator
>> > Scientific Computing Unit
>> > Physiology and Biophysics
>> > Weill Cornell Medicine
>> > E: doug(a)med.cornell.edu
>> > O: 212-746-6305
>> > F: 212-746-8690
>> It depends on whether your service account needs to log in to a UNIX
>> compliant system or not. If the account doesn't have a uid, it will
>> most likely not be able to log in as a standard UNIX account via LDAP.
>> If the binds go directly to an application without going through an OS
>> authentication layer, for example a web user login, it probably doesn't
>> matter either way whether the account has a uidNumber set or not. If
>> you have an interaction with sssd or nslcd in the middle, you are going
>> to need the uidNumber attribute set.
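The two points raised in this thread, dropping posixAccount from a bind-only service account and the risk of a hand-picked high uidNumber eventually colliding with a real user, as an added Python example (not code from the list or from OpenLDAP): it parses a small constructed LDIF export, reports uidNumber values shared between entries, and builds the ldapmodify LDIF that removes posixAccount together with its attributes in one operation. The DNs, uid values and the ou=Service Accounts container are assumptions.

```python
# Added example for this thread (not code from the list or from OpenLDAP): flag
# uidNumber values shared between entries, then build the ldapmodify LDIF that
# drops posixAccount from a bind-only account. DNs and uid values are constructed.
# posixAccount (RFC 2307) MUST cn, uid, uidNumber, gidNumber, homeDirectory and
# MAY loginShell. Attributes no remaining class allows must go in the same modify
# op as the objectClass value, or slapd rejects it with an objectClass violation.
# cn is left alone here: drop it too unless another class on the entry permits it.
POSIX_ATTRS = ("uidNumber", "gidNumber", "homeDirectory", "loginShell")
SAMPLE_LDIF = """\
dn: uid=sssd-bind,ou=Service Accounts,dc=example,dc=org
objectClass: account
objectClass: simpleSecurityObject
objectClass: posixAccount
uid: sssd-bind
uidNumber: 99999
gidNumber: 99999
homeDirectory: /nonexistent

dn: uid=alice,ou=People,dc=example,dc=org
objectClass: posixAccount
uidNumber: 99999
"""

def parse_ldif(text):
    """Parse a plain `ldapsearch -LLL` export (no line folding, no base64 values)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for key, _, value in (ln.partition(": ") for ln in block.splitlines()):
            entry.setdefault(key, []).append(value)
        entries.append(entry)
    return entries

def uidnumber_collisions(entries):
    """Return {uidNumber: [dn, ...]} for numbers used by more than one entry."""
    seen = {}
    for e in entries:
        for n in e.get("uidNumber", []):
            seen.setdefault(n, []).append(e["dn"][0])
    return {n: dns for n, dns in seen.items() if len(dns) > 1}

def strip_posix_ldif(entry):
    """ldapmodify LDIF removing posixAccount and its attributes, or None."""
    if "posixAccount" not in entry.get("objectClass", []):
        return None
    lines = [f"dn: {entry['dn'][0]}", "changetype: modify",
             "delete: objectClass", "objectClass: posixAccount"]
    for attr in (a for a in POSIX_ATTRS if a in entry):
        lines += ["-", f"delete: {attr}"]
    return "\n".join(lines) + "\n"
```

Feed the returned LDIF to `ldapmodify -x -D <manager DN> -W`; the collision report is worth running over the full People and Service Accounts subtrees before assigning any new uidNumber.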