Thanks John and everyone else.  It's only performing binds for Apache, and sssd, as I do not allow anon binds to the LDAP server.  This particular account does not perform any interactive logins on *Nix boxes.

Thanks,

Douglas Duckworth, MSc, LFCS
HPC System Administrator
Scientific Computing Unit
Physiology and Biophysics
Weill Cornell Medicine
E: doug@med.cornell.edu
O: 212-746-6305
F: 212-746-8690

On Wed, Oct 25, 2017 at 9:18 PM, John Lewis <jl@hyperbolicinnovation.com> wrote:
On Wed, 2017-10-25 at 09:32 -0400, Douglas Duckworth wrote:
> Hi
>
> Do I need uidNumber for Service Accounts used for application /
> server binding if this user won't actually be resolved by sssd or
> nslcd?  
>
> I set a very high uidNumber but eventually this will conflict with
> users as in my ignorance I didn't put this in a lower range. 
>
> Thanks,
>
> Douglas Duckworth, MSc, LFCS
> HPC System Administrator
> Scientific Computing Unit
> Physiology and Biophysics
> Weill Cornell Medicine
> E: doug@med.cornell.edu
> O: 212-746-6305
> F: 212-746-8690

It depends on weather your service account needs to login to a UNIX
compliant system or not. If the account doesn't have a uid, it will
most likely not be able to login as a standard UNIX account via LDAP.

If the binds go directly to an application without going through an OS
authentication layer, for example a web user login, it probably doesn't
matter either way whether the account has a uidNumber set or not. If
you have an interaction with sssd or nslcd in the middle, you are going
to need the uidNumber attribute set.