Thanks John and everyone else. It's only performing binds for Apache and sssd, as I do not allow anon binds to the LDAP server. This particular account does not perform any interactive logins on *Nix boxes.
Thanks,
Douglas Duckworth, MSc, LFCS
HPC System Administrator
Scientific Computing Unit
Physiology and Biophysics
Weill Cornell Medicine
E: doug@med.cornell.edu
O: 212-746-6305
F: 212-746-8690
On Wed, Oct 25, 2017 at 9:18 PM, John Lewis jl@hyperbolicinnovation.com wrote:
On Wed, 2017-10-25 at 09:32 -0400, Douglas Duckworth wrote:
Hi
Do I need uidNumber for Service Accounts used for application / server binding if this user won't actually be resolved by sssd or nslcd?
I set a very high uidNumber but eventually this will conflict with users as in my ignorance I didn't put this in a lower range.
Thanks,
It depends on whether your service account needs to log in to a UNIX compliant system or not. If the account doesn't have a uid, it will most likely not be able to log in as a standard UNIX account via LDAP.
If the binds go directly to an application without going through an OS authentication layer, for example a web user login, it probably doesn't matter either way whether the account has a uidNumber set or not. If you have an interaction with sssd or nslcd in the middle, you are going to need the uidNumber attribute set.
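The distinction John draws (bind-only accounts versus accounts that sssd/nslcd must resolve as POSIX users) and Douglas's worry about a "very high" uidNumber eventually colliding with real users can both be checked from an LDIF export. The script below is an added example, not code from the thread or from any of the participants; it assumes a bind-only account is built from the standard account + simpleSecurityObject object classes (uid and userPassword only), that POSIX users carry the posixAccount auxiliary class, and that the site hands out user uidNumbers in an assumed 10000-60000 range. All DNs, names and passwords in the sample LDIF are constructed.

```python
"""Audit LDAP entries from an LDIF export: report which accounts are bind-only
(no posixAccount, so uidNumber is irrelevant to sssd/nslcd) and flag POSIX
accounts whose uidNumber is outside the site range or collides with another
entry. Added example; the sample data below is constructed, not real."""
import base64
from collections import defaultdict

# Constructed sample export (assumption: not from the thread or any real directory).
# "userPassword:: c2VjcmV0" is the base64 LDIF form of the placeholder value "secret".
SAMPLE_LDIF = """\
# apache-bind: bind-only, no POSIX attributes at all
dn: uid=apache-bind,ou=services,dc=example,dc=org
objectClass: account
objectClass: simpleSecurityObject
uid: apache-bind
userPassword:: c2VjcmV0
description: bind-only account for Apache LDAP auth; no POSIX attributes,
  so nothing for sssd/nslcd to resolve

# sssd-bind: given a posixAccount class and a "very high" uidNumber
dn: uid=sssd-bind,ou=services,dc=example,dc=org
objectClass: account
objectClass: posixAccount
uid: sssd-bind
cn: sssd-bind
uidNumber: 999999999
gidNumber: 999999999
homeDirectory: /nonexistent
userPassword: {SSHA}placeholder-hash

dn: uid=alice,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
uid: alice
cn: Alice
sn: Example
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice

dn: uid=bob,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
uid: bob
cn: Bob
sn: Example
uidNumber: 10001
gidNumber: 10002
homeDirectory: /home/bob
"""


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines (leading space), skips
    comments, decodes 'attr:: base64' values, splits entries on blank lines."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # LDIF folding: drop the one leading space
        else:
            unfolded.append(line)
    entries, current = [], None
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        if line.startswith("dn:"):
            current = defaultdict(list)
        if current is None:                    # attribute before any dn: ignore
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):              # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        current[attr].append(value)
    if current:
        entries.append(current)
    return entries


def classify(entry):
    """'posix' if sssd/nslcd could resolve it as a UNIX user, else 'bind-only'."""
    classes = {c.lower() for c in entry.get("objectClass", [])}
    return "posix" if "posixaccount" in classes else "bind-only"


def audit(entries, uid_min=10000, uid_max=60000):
    """Return (dn, message) findings. Range is an assumed site policy."""
    findings, seen = [], defaultdict(list)
    for e in entries:
        dn = e["dn"][0]
        if classify(e) == "bind-only":
            if "uidNumber" in e:
                findings.append((dn, "uidNumber set but entry is not a posixAccount; not needed for a bind-only account"))
            continue
        uids = e.get("uidNumber", [])
        if len(uids) != 1:
            findings.append((dn, "posixAccount without exactly one uidNumber"))
            continue
        n = int(uids[0])
        seen[n].append(dn)
        if not uid_min <= n <= uid_max:
            findings.append((dn, f"uidNumber {n} outside allocated range {uid_min}-{uid_max}"))
    for n, dns in seen.items():
        if len(dns) > 1:
            for dn in dns:
                others = ", ".join(d for d in dns if d != dn)
                findings.append((dn, f"uidNumber {n} also used by {others}"))
    return findings


def run_sample():
    return audit(parse_ldif(SAMPLE_LDIF))


if __name__ == "__main__":
    for dn, msg in run_sample():
        print(f"{dn}: {msg}")
```

On the constructed sample the bind-only apache-bind entry produces no finding, sssd-bind is reported for its out-of-range uidNumber, and alice and bob are reported for sharing 10001. The account sssd itself binds with (ldap_default_bind_dn) only needs to authenticate, not to be resolved, so it can be a bind-only entry too; the posixAccount class is only needed on entries that must become UNIX users.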