Thanks John and everyone else. It's only performing binds for Apache, and
sssd, as I do not allow anon binds to the LDAP server. This particular
account does not perform any interactive logins on *Nix boxes.
Douglas Duckworth, MSc, LFCS
HPC System Administrator
Scientific Computing Unit
Physiology and Biophysics
Weill Cornell Medicine
On Wed, Oct 25, 2017 at 9:18 PM, John Lewis <jl(a)hyperbolicinnovation.com>
On Wed, 2017-10-25 at 09:32 -0400, Douglas Duckworth wrote:
> Do I need uidNumber for Service Accounts used for application /
> server binding if this user won't actually be resolved by sssd or
> I set a very high uidNumber but eventually this will conflict with
> users as in my ignorance I didn't put this in a lower range.
> Douglas Duckworth, MSc, LFCS
> HPC System Administrator
> Scientific Computing Unit
> Physiology and Biophysics
> Weill Cornell Medicine
> E: doug(a)med.cornell.edu
> O: 212-746-6305
> F: 212-746-8690
It depends on weather your service account needs to login to a UNIX
compliant system or not. If the account doesn't have a uid, it will
most likely not be able to login as a standard UNIX account via LDAP.
If the binds go directly to an application without going through an OS
authentication layer, for example a web user login, it probably doesn't
matter either way whether the account has a uidNumber set or not. If
you have an interaction with sssd or nslcd in the middle, you are going
to need the uidNumber attribute set.