Thanks John and everyone else. It's only performing binds for Apache and sssd, as I do not allow anon binds to the LDAP server. This particular account does not perform any interactive logins on *Nix boxes.
Thanks,
Douglas Duckworth, MSc, LFCS HPC System Administrator Scientific Computing Unit Physiology and Biophysics Weill Cornell Medicine E: doug@med.cornell.edu O: 212-746-6305 F: 212-746-8690
On Wed, Oct 25, 2017 at 9:18 PM, John Lewis jl@hyperbolicinnovation.com wrote:
On Wed, 2017-10-25 at 09:32 -0400, Douglas Duckworth wrote:
Hi
Do I need uidNumber for Service Accounts used for application / server binding if this user won't actually be resolved by sssd or nslcd?
I set a very high uidNumber but eventually this will conflict with users as in my ignorance I didn't put this in a lower range.
Thanks,
It depends on whether your service account needs to login to a UNIX compliant system or not. If the account doesn't have a uid, it will most likely not be able to login as a standard UNIX account via LDAP.
If the binds go directly to an application without going through an OS authentication layer, for example a web user login, it probably doesn't matter either way whether the account has a uidNumber set or not. If you have an interaction with sssd or nslcd in the middle, you are going to need the uidNumber attribute set.
It seems I created this service account with posixAccount objectClass. That requires uidNumber.
So I need to do some research on what's the appropriate objectClass for this service account. It's used by SSSD and Apache, for example, to perform binds with our LDAP cluster since we do not allow anon binds. In addition ACLs only permit this account, and the Manager, access to read the entire directory.
From reading here http://www.zytrax.com/books/ldap/ape/#objectclasses I think I would only need objectClass: account which the service account already contains. So I could delete the posixAccount objectClass and then uidNumber, gidNumber, homeDirectory, and loginShell?
Thanks,
MJ J wrote:
Service accounts typically use the simpleSecurityObject object class.
MJ J wrote:
Service accounts typically use the simpleSecurityObject object class.
But one needs an appropriate structural object class to add the entry. 'simpleSecurityObject' is an auxiliary object class without any naming attribute.
Ciao, Michael.
Douglas Duckworth wrote:
It seems I created this service account with posixAccount objectClass. That requires uidNumber.
So I need to do some research on what's the appropriate objectClass for this service account. It's used by SSSD and Apache, for example, to perform binds with our LDAP cluster since we do not allow anon binds. In addition ACLs only permit this account, and the Manager, access to read the entire directory.
From reading here http://www.zytrax.com/books/ldap/ape/#objectclasses I think I would only need objectClass: account which the service account already contains. So I could delete the posixAccount objectClass and then uidNumber, gidNumber, homeDirectory, and loginShell?
Yes. But you have to add auxiliary object class 'simpleSecurityObject' to add 'userPassword' to this entry.
'applicationProcess' is a similar object class often used for this kind of service/tool entry.
You should define a naming convention to make such entries easily distinguishable from all other account entries.
Ciao, Michael.
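A worked version of the change discussed above (Douglas's question about dropping posixAccount, Michael's answers about needing a structural class and simpleSecurityObject), added here as an example; it is not code from this thread or from OpenLDAP. It models the entry as described (objectClass account + posixAccount), removes posixAccount, adds simpleSecurityObject so that userPassword stays legal, and checks the resulting entry against the MUST/MAY lists of the classes involved before printing the LDIF for ldapmodify. The DN, the ou=services branch, the attribute values and the password hash are constructed for the example, and the function names are mine; the schema table is transcribed from OpenLDAP's core.schema, cosine.schema and nis.schema. It goes one step past the question as asked: it computes every attribute that no remaining objectClass permits, which also catches cn (required by posixAccount, allowed by neither account nor simpleSecurityObject), not only uidNumber, gidNumber, homeDirectory and loginShell.

```python
"""Schema-checked conversion of a posixAccount service entry to a bind-only entry.

Added example, not code from the openldap-technical thread or from OpenLDAP.
The DN, attribute values and password hash are constructed; the objectClass
definitions are transcribed from OpenLDAP's core.schema, cosine.schema and
nis.schema (every class listed has SUP top).
"""

# objectClass name -> (kind, MUST attributes, MAY attributes)
SCHEMA = {
    "top": ("ABSTRACT", {"objectClass"}, set()),
    "account": ("STRUCTURAL", {"uid"},
                {"description", "seeAlso", "l", "o", "ou", "host"}),
    "simpleSecurityObject": ("AUXILIARY", {"userPassword"}, set()),
    "posixAccount": ("AUXILIARY",
                     {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
                     {"userPassword", "loginShell", "gecos", "description"}),
    "applicationProcess": ("STRUCTURAL", {"cn"},
                           {"seeAlso", "ou", "l", "description"}),
}

# Constructed sample: the kind of entry the thread describes, named by uid and
# placed under a dedicated branch so service entries are easy to tell apart.
SERVICE_DN = "uid=svc-ldapbind,ou=services,dc=example,dc=org"
BEFORE = {
    "objectClass": ["top", "account", "posixAccount"],
    "uid": ["svc-ldapbind"],
    "cn": ["LDAP bind account for sssd and Apache"],
    "uidNumber": ["2147483000"],
    "gidNumber": ["2147483000"],
    "homeDirectory": ["/nonexistent"],
    "loginShell": ["/sbin/nologin"],
    "userPassword": ["{SSHA}constructed-placeholder-hash"],
}


def schema_violations(entry):
    """Reasons slapd would refuse this entry as written (empty list means OK)."""
    classes = set(entry.get("objectClass", [])) | {"top"}
    unknown = classes - SCHEMA.keys()
    if unknown:
        return [f"unknown objectClass {sorted(unknown)}"]
    problems = []
    structural = sorted(c for c in classes if SCHEMA[c][0] == "STRUCTURAL")
    if len(structural) != 1:
        problems.append(f"need exactly one structural class, have {structural}")
    must = set().union(*(SCHEMA[c][1] for c in classes))
    may = set().union(*(SCHEMA[c][2] for c in classes))
    present = set(entry)
    problems += [f"missing required attribute {a}" for a in sorted(must - present)]
    problems += [f"attribute {a} not allowed by any objectClass"
                 for a in sorted(present - must - may)]
    return problems


def to_bind_only_ldif(dn, entry,
                      keep_classes=("top", "account", "simpleSecurityObject")):
    """Return (resulting entry, ldapmodify LDIF) for the objectClass change.

    slapd validates the entry as it will look after the whole modify, so every
    attribute that none of the remaining classes permits has to go in the same
    operation; otherwise the request fails with 'object class violation'.
    """
    keep = list(keep_classes)
    allowed = set().union(*(SCHEMA[c][1] | SCHEMA[c][2]
                            for c in set(keep) | {"top"}))
    orphaned = sorted(a for a in entry if a not in allowed)
    after = {a: v for a, v in entry.items() if a not in orphaned}
    after["objectClass"] = keep
    problems = schema_violations(after)
    if problems:
        raise ValueError("resulting entry is invalid: " + "; ".join(problems))
    lines = [f"dn: {dn}", "changetype: modify"]
    for oc in sorted(set(entry["objectClass"]) - set(keep)):
        lines += ["delete: objectClass", f"objectClass: {oc}", "-"]
    for oc in (c for c in keep if c not in entry["objectClass"]):
        lines += ["add: objectClass", f"objectClass: {oc}", "-"]
    for attr in orphaned:  # "delete: <attr>" with no value removes every value
        lines += [f"delete: {attr}", "-"]
    return after, "\n".join(lines) + "\n"


def naive_removal(entry):
    """What the question proposed: drop posixAccount and only its four extra attrs."""
    after = {a: v for a, v in entry.items()
             if a not in ("uidNumber", "gidNumber", "homeDirectory", "loginShell")}
    after["objectClass"] = [c for c in entry["objectClass"] if c != "posixAccount"]
    return schema_violations(after)


if __name__ == "__main__":
    print("naive change would fail with:", naive_removal(BEFORE))
    _, ldif = to_bind_only_ldif(SERVICE_DN, BEFORE)
    print(ldif)
```

Running the script prints the LDIF; save it and hand it to ldapmodify with the admin identity (for example `ldapmodify -x -W -D "cn=Manager,dc=example,dc=org" -f change.ldif`, with the Manager DN adjusted to your directory). slapd performs the same check on the final entry, so anything the script misses comes back as "object class violation". Two things the check makes visible: only one structural class is allowed, so account and applicationProcess cannot be combined on one entry; and the attribute in the RDN must remain present, so an entry named cn=... cannot have cn deleted, which makes the applicationProcess + simpleSecurityObject combination (naming attribute cn) the natural fit for such an entry, just as account + simpleSecurityObject (naming attribute uid) fits the entry above.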
openldap-technical@openldap.org