It seems I created this service account with posixAccount
objectClass.
That requires uidNumber.
So I need to do some research on what's the appropriate objectClass for
this service account. It's used by SSSD and Apache, for example, to
perform binds with our LDAP cluster since we do not allow anon binds.
In addition, ACLs only permit this account, and the Manager, access to
read the entire directory.
From reading here
http://www.zytrax.com/books/ldap/ape/#objectclasses I
think I would only need objectClass: account which the service account
already contains. So I could delete the posixAccount objectClass and
then uidNumber, gidNumber, homeDirectory, and loginShell?
Yes. But you have to add auxiliary object class 'simpleSecurityObject'
to add 'userPassword' to this entry.
'applicationProcess' is a similar object class often used for this kind
of service/tool entry.
You should define a naming convention to make such entries easily
distinguishable from all other account entries.
Ciao, Michael.
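As an added illustration (not from either poster), the change described in this exchange written as a single ldapmodify record: posixAccount and its mandatory attributes are dropped and simpleSecurityObject is added in one record, so the server checks the schema against the final state of the entry rather than rejecting an intermediate state that violates a MUST. The DN, OU, uid value and password hash are hypothetical placeholders.

```ldif
# Added example, not the thread's own data. Apply with:
#   ldapmodify -x -D "cn=Manager,dc=example,dc=com" -W -f service-account.ldif
# All changes below are one LDIF record (separated by "-"), so they are
# applied atomically; splitting them into separate modifies would fail
# the schema check, because posixAccount requires uidNumber/gidNumber/
# homeDirectory and, once posixAccount is gone, those attributes are no
# longer allowed by the remaining classes.
dn: uid=svc-bind,ou=services,dc=example,dc=com
changetype: modify
delete: objectClass
objectClass: posixAccount
-
delete: uidNumber
-
delete: gidNumber
-
delete: homeDirectory
-
delete: loginShell
-
add: objectClass
objectClass: simpleSecurityObject
-

# Expected entry afterwards (illustrative values, as ldapsearch would
# show it). userPassword already existed and now satisfies the MUST of
# simpleSecurityObject; 'account' is the structural class and supplies uid.
#
# dn: uid=svc-bind,ou=services,dc=example,dc=com
# objectClass: top
# objectClass: account
# objectClass: simpleSecurityObject
# uid: svc-bind
# userPassword: {SSHA}placeholder-hash
# description: bind account used by SSSD and Apache
```

The "svc-" prefix in the uid is one way to make such entries stand out from ordinary user accounts, as the reply suggests.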