Thanks everyone.  I agree it would be ideal to differentiate this account from others.  So far it's in its own OU while standard users are in People.

Seeing an error.

The ldif:

dn: uid=preset,ou=Service Accounts,dc=blah
objectClass: top
objectClass: account
objectClass: applicationProcess


Enter LDAP Password: 
adding new entry "uid=preset,ou=Service Accounts,dc=blah
ldap_add: Object class violation (65)
        additional info: invalid structural object class chain (account/applicationProcess)

Sorry, I am an LDAP padawan.

Though this does work as it's now in the LDAP server:

dn: uid=preset,ou=Service Accounts,dc=blah
objectClass: top
objectClass: account
objectClass: applicationProcess
objectClass: simpleSecurityObject
uid: preset
cn: preset
sn: preset
givenName: preset
title: Password Reset Account
description: Service Account For Resetting Passwords

I will then grant this account the ability to write to all users in the People OU.  Any security concerns?



Thanks,

Douglas Duckworth, MSc, LFCS
HPC System Administrator
Scientific Computing Unit
Physiology and Biophysics
Weill Cornell Medicine
E: doug@med.cornell.edu
O: 212-746-6305
F: 212-746-8690

On Wed, Dec 20, 2017 at 2:07 AM, Michael Ströder <michael@stroeder.com> wrote:
MJ J wrote:
> Service accounts typically use the simpleSecurityObject object class.

But one needs an appropriate structural object class to add the entry.
'simpleSecurityObject' is an auxiliary object class without any naming
attribute.

Ciao, Michael.

> On Tue, Dec 19, 2017 at 9:15 PM, Douglas Duckworth
> <dod2014@med.cornell.edu> wrote:
>> It seems I created this service account with posixAccount objectClass.  That
>> requires uidNumber.
>>
>> So I need to do some research on what's the appropriate objectClass for this
>> service account.  It's used by SSSD and Apache, for example, to perform
>> binds with our LDAP cluster since we do not allow anon binds.  In addition
>> ACLs only permit this account, and the Manager, access to read the entire
>> directory.
>>
>> From reading here http://www.zytrax.com/books/ldap/ape/#objectclasses I
>> think I would only need objectClass: account which the service account
>> already contains.  So I could delete the posixAccount objectClass and then
>> uidNumber, gidNumber, homeDirectory, and loginShell?
>>
>> Thanks,
>>
>> Douglas Duckworth, MSc, LFCS
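As an added example (not from anyone in this thread), here is what Michael's point looks like in LDIF: the entry keeps a single STRUCTURAL class (account) and gets userPassword from the AUXILIARY simpleSecurityObject, followed by an olcAccess fragment that answers the "write to all users" question with least privilege, letting uid=preset write only userPassword under ou=People. The suffix dc=blah and the OU names come from the posts; the config database DN olcDatabase={1}mdb,cn=config and the ACL ordering are assumptions for your server.

```ldif
# Service account entry: one STRUCTURAL class (account, MUST uid) plus the
# AUXILIARY simpleSecurityObject (MUST userPassword). No second structural
# class, so no "invalid structural object class chain" error.
dn: uid=preset,ou=Service Accounts,dc=blah
objectClass: top
objectClass: account
objectClass: simpleSecurityObject
uid: preset
description: Service Account For Resetting Passwords
# Placeholder: generate the real value with slappasswd or set it via ldappasswd.
userPassword: {SSHA}REPLACE-WITH-HASH-FROM-slappasswd

# ACL fragment for cn=config (database DN is an assumption, adjust for yours).
# Rule {0}: uid=preset may write ONLY userPassword on entries under ou=People;
# rule {1}: it otherwise reads the directory, matching the existing read ACL.
# Continuation lines start with a space; a second space keeps the token split.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to dn.children="ou=People,dc=blah" attrs=userPassword
  by dn.exact="uid=preset,ou=Service Accounts,dc=blah" write
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to dn.subtree="dc=blah"
  by dn.exact="uid=preset,ou=Service Accounts,dc=blah" read
  by self read
  by * none
```

Because the attrs=userPassword rule precedes the general read rule, the reset account never gains write access to uid, mail, objectClass or any other attribute, so a compromise of that bind credential cannot be used to retarget or rewrite accounts beyond resetting passwords.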