It seems I created this service account with posixAccount objectClass.  That requires uidNumber.   

So I need to do some research on what's the appropriate objectClass for this service account.  It's used by SSSD and Apache, for example, to perform binds with our LDAP cluster since we do not allow anon binds.  In addition ACLs only permit this account, and the Manager, access to read the entire directory.  

From reading here http://www.zytrax.com/books/ldap/ape/#objectclasses I think I would only need objectClass: account which the service account already contains.  So I could delete the posixAccount objectClass and then uidNumber, gidNumber, homeDirectory, and loginShell?

Thanks,

Douglas Duckworth, MSc, LFCS
HPC System Administrator
Scientific Computing Unit
Physiology and Biophysics
Weill Cornell Medicine
E: doug@med.cornell.edu
O: 212-746-6305
F: 212-746-8690

On Thu, Oct 26, 2017 at 9:24 AM, Douglas Duckworth <dod2014@med.cornell.edu> wrote:
Thanks John and everyone else.  It's only performing binds for Apache, and sssd, as I do not allow anon binds to the LDAP server.  This particular account does not perform any interactive logins on *Nix boxes.

Thanks,

Douglas Duckworth, MSc, LFCS
HPC System Administrator
Scientific Computing Unit
Physiology and Biophysics
Weill Cornell Medicine

On Wed, Oct 25, 2017 at 9:18 PM, John Lewis <jl@hyperbolicinnovation.com> wrote:
On Wed, 2017-10-25 at 09:32 -0400, Douglas Duckworth wrote:
> Hi
>
> Do I need uidNumber for Service Accounts used for application /
> server binding if this user won't actually be resolved by sssd or
> nslcd?  
>
> I set a very high uidNumber but eventually this will conflict with
> users as in my ignorance I didn't put this in a lower range. 
>
> Thanks,
>
> Douglas Duckworth, MSc, LFCS
> HPC System Administrator
> Scientific Computing Unit
> Physiology and Biophysics
> Weill Cornell Medicine
> E: doug@med.cornell.edu
> O: 212-746-6305
> F: 212-746-8690

It depends on whether your service account needs to login to a UNIX
compliant system or not. If the account doesn't have a uid, it will
most likely not be able to login as a standard UNIX account via LDAP.

If the binds go directly to an application without going through an OS
authentication layer, for example a web user login, it probably doesn't
matter either way whether the account has a uidNumber set or not. If
you have an interaction with sssd or nslcd in the middle, you are going
to need the uidNumber attribute set.
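The change described in the question at the top of the thread, written out as an added example that was not posted in the thread: one ldapmodify operation that removes the posixAccount objectClass value together with the four attributes it requires. The DN, the attribute names beyond those named in the thread, and the assumption that the entry also carries simpleSecurityObject (so userPassword remains permitted by the schema) are placeholders and assumptions, not taken from the thread.

```ldif
# Constructed example. Apply with something like:
#   ldapmodify -x -H ldaps://ldap.example.com \
#     -D "cn=Manager,dc=example,dc=com" -W -f drop-posix.ldif
# The DN below is a placeholder for the real bind account entry.
dn: uid=svc-bind,ou=services,dc=example,dc=com
changetype: modify
# Remove only the posixAccount value; objectClass: account (structural)
# and the auxiliary class that allows userPassword stay on the entry.
delete: objectClass
objectClass: posixAccount
-
# A "delete:" with no value removes the whole attribute.
delete: uidNumber
-
delete: gidNumber
-
delete: homeDirectory
-
delete: loginShell
-
```

All five deletions have to be in a single modify operation: the server's schema check rejects an entry that still lists posixAccount but lacks a MUST attribute such as uidNumber, and equally rejects an entry that still carries uidNumber once no remaining objectClass permits it. Because slapd ACLs and the SSSD/Apache bind configuration refer to the account by DN, removing these attributes does not change what the account is allowed to read or its ability to bind.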