It seems I created this service account with posixAccount
That requires uidNumber.
So I need to do some research on what's the appropriate objectClass for
this service account. It's used by SSSD and Apache, for example, to
perform binds with our LDAP cluster since we do not allow anon binds.
In addtion ACLs only permit this account, and the Manager, access to
read the entire directory.
From reading here http://www.zytrax.com/books/ldap/ape/#objectclasses
think I would only need objectClass: account which the service account
already contains. So I could delete the posixAccount objectClass and
then uidNumber, gidNumber, homeDirectory, and loginShell?
Yes. But you have to add auxiliary object class 'simpleSecurityObject'
to add 'userPassword' to this entry.
'applicationProcess' is a similar object class often used for this kind
of service/tool entry.
You should define a naming convention to make such entries easily
distinguishable from all other account entries.