Hi
Do I need uidNumber for Service Accounts used for application / server binding if this user won't actually be resolved by sssd or nslcd?
I set a very high uidNumber but eventually this will conflict with users as in my ignorance I didn't put this in a lower range.
Thanks,
Douglas Duckworth, MSc, LFCS HPC System Administrator Scientific Computing Unit Physiology and Biophysics Weill Cornell Medicine E: doug@med.cornell.edu O: 212-746-6305 F: 212-746-8690
Douglas Duckworth wrote:
> Do I need uidNumber for Service Accounts used for application / server binding if this user won't actually be resolved by sssd or nslcd?

In general, if your client only binds to the LDAP server, it doesn't need the 'uidNumber' attribute. It just needs a bind-DN and a password in its config. I assume, though, that your LDAP server does not have ACLs based on a uidNumber-based filter affecting your client.
And I don't know whether something else in your deployment needs it. This only you can find out.
Ciao, Michael.
On Wed, 2017-10-25 at 09:32 -0400, Douglas Duckworth wrote:
> Hi
> Do I need uidNumber for Service Accounts used for application / server binding if this user won't actually be resolved by sssd or nslcd?
> I set a very high uidNumber but eventually this will conflict with users as in my ignorance I didn't put this in a lower range.
> Thanks,
> Douglas Duckworth, MSc, LFCS HPC System Administrator Scientific Computing Unit Physiology and Biophysics Weill Cornell Medicine E: doug@med.cornell.edu O: 212-746-6305 F: 212-746-8690

It depends on whether your service account needs to log in to a UNIX compliant system or not. If the account doesn't have a uid, it will most likely not be able to log in as a standard UNIX account via LDAP.
If the binds go directly to an application without going through an OS authentication layer, for example a web user login, it probably doesn't matter either way whether the account has a uidNumber set or not. If you have an interaction with sssd or nslcd in the middle, you are going to need the uidNumber attribute set.
openldap-technical@openldap.org
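An added example, not part of the thread: a small audit over an LDIF export that separates bind-only service entries (no `posixAccount`, so no `uidNumber`) from POSIX accounts and reports any `uidNumber` shared by more than one entry, the conflict the original question worries about. The DNs, values and the `organizationalRole` + `simpleSecurityObject` layout for the bind-only entry are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample export (hypothetical DNs and values, not from the thread).
SAMPLE_LDIF = """\
dn: cn=app-bind,ou=services,dc=example,dc=org
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: app-bind
userPassword: {SSHA}placeholder

dn: uid=backup,ou=services,dc=example,dc=org
objectClass: account
objectClass: posixAccount
uid: backup
cn: backup
uidNumber: 90001
gidNumber: 90001
homeDirectory: /nonexistent

dn: uid=alice,ou=people,dc=example,dc=org
objectClass: account
objectClass: posixAccount
uid: alice
cn: alice
uidNumber: 90001
gidNumber: 100
homeDirectory: /home/alice
"""

def parse_ldif(text):
    """Parse unfolded, non-base64 LDIF into {dn: {lowercased attr: [values]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            attrs[name.lower()].append(value)
        entries[attrs["dn"][0]] = attrs
    return entries

def audit(entries):
    """Return (bind-only DNs, {uidNumber: [DNs]} for numbers used more than once)."""
    bind_only, by_uid = [], defaultdict(list)
    for dn, attrs in entries.items():
        classes = {c.lower() for c in attrs["objectclass"]}
        if "posixaccount" in classes:  # RFC 2307: posixAccount MUST carry uidNumber
            for number in attrs["uidnumber"]:
                by_uid[number].append(dn)
        elif "userpassword" in attrs:  # has a password but is not a posixAccount
            bind_only.append(dn)
    return bind_only, {n: dns for n, dns in by_uid.items() if len(dns) > 1}
```

Entries reported as bind-only can authenticate with a bind-DN and password but do not match a `posixAccount`-based user filter; any `uidNumber` in the collision map is assigned to more than one POSIX entry.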