Thanks everyone. I agree it would be ideal to differentiate this account from others. So far it's in its own OU while standard users are in People.
Seeing an error.
The ldif:
dn: uid=preset,ou=Service Accounts,dc=blah
objectClass: top
objectClass: account
objectClass: applicationProcess

Enter LDAP Password:
adding new entry "uid=preset,ou=Service Accounts,dc=blah"
ldap_add: Object class violation (65)
        additional info: invalid structural object class chain (account/applicationProcess)
Sorry, I am an LDAP padawan.
Though this does work as it's now in the LDAP server:
dn: uid=preset,ou=Service Accounts,dc=blah
objectClass: top
objectClass: account
objectClass: applicationProcess
objectClass: simpleSecurityObject
uid: preset
cn: preset
sn: preset
givenName: preset
title: Password Reset Account
description: Service Account For Resetting Passwords

I will then grant this account the ability to write to all users in the People OU. Any security concerns?
Thanks,
Douglas Duckworth, MSc, LFCS HPC System Administrator Scientific Computing Unit Physiology and Biophysics Weill Cornell Medicine E: doug@med.cornell.edu O: 212-746-6305 F: 212-746-8690
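The access grant mentioned above ("write to all users in the People OU") can be narrowed to what a password reset account actually needs. The following is an added, constructed example of OpenLDAP cn=config access rules, not configuration from the thread; the suffix dc=blah and the OU names are the thread's placeholders, and the database DN olcDatabase={1}mdb is assumed. It gives the preset account write access only to userPassword under ou=People and read access to the rest of that subtree, instead of write access to every attribute of every user.

```ldif
# Added example (not from the thread): least-privilege olcAccess rules for a
# password reset service account. Assumes the user database is
# olcDatabase={1}mdb,cn=config; "replace" overwrites any existing olcAccess
# values on that database, so merge with the rules already in place.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# The reset account may write only the password attribute of People entries;
# users may change their own; anonymous may only use it to bind.
olcAccess: {0}to dn.subtree="ou=People,dc=blah" attrs=userPassword
  by dn.exact="uid=preset,ou=Service Accounts,dc=blah" write
  by self write
  by anonymous auth
  by * none
# Everything else under People is readable by the reset account and by
# authenticated users, but not writable by the reset account.
olcAccess: {1}to dn.subtree="ou=People,dc=blah"
  by dn.exact="uid=preset,ou=Service Accounts,dc=blah" read
  by users read
  by * none
# Deny by default elsewhere; the rootdn (Manager) bypasses ACLs anyway.
olcAccess: {2}to *
  by * none
```

Apply it with ldapmodify against the config database (for example `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif` on a host where the local root user is mapped to the config rootdn), then verify with `slapacl -b "uid=someuser,ou=People,dc=blah" -D "uid=preset,ou=Service Accounts,dc=blah" -o "attrs=userPassword"` style checks that the reset account has write on userPassword and nothing more. Because OpenLDAP stops at the first matching `to` clause, the order of the rules matters: the userPassword rule must come before the broader subtree rule.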
On Wed, Dec 20, 2017 at 2:07 AM, Michael Ströder michael@stroeder.com wrote:
MJ J wrote:
Service accounts typically use the simpleSecurityObject object class.
But one needs an appropriate structural object class to add the entry. 'simpleSecurityObject' is an auxiliary object class without any naming attribute.
Ciao, Michael.
On Tue, Dec 19, 2017 at 9:15 PM, Douglas Duckworth dod2014@med.cornell.edu wrote:
It seems I created this service account with posixAccount objectClass. That requires uidNumber.
So I need to do some research on what's the appropriate objectClass for this service account. It's used by SSSD and Apache, for example, to perform binds with our LDAP cluster since we do not allow anon binds. In addition ACLs only permit this account, and the Manager, access to read the entire directory.
From reading here http://www.zytrax.com/books/ldap/ape/#objectclasses I think I would only need objectClass: account which the service account already contains. So I could delete the posixAccount objectClass and then uidNumber, gidNumber, homeDirectory, and loginShell?
Thanks,
Douglas Duckworth, MSc, LFCS
Douglas Duckworth wrote:
adding new entry "uid=preset,ou=Service Accounts,dc=blah"
ldap_add: Object class violation (65)
        additional info: invalid structural object class chain (account/applicationProcess)
A directory entry must have a *single* structural object class. While there are usually multiple structural object classes listed only one of them is *the* structural object class. The others are parent object classes of the structural object class.
Since 'account' and 'applicationProcess' both directly SUP abstract object class 'top' they count as two distinct structural object classes.
Though this does work as it's now in the LDAP server:
dn: uid=preset,ou=Service Accounts,dc=blah
objectClass: top
objectClass: account
objectClass: applicationProcess
objectClass: simpleSecurityObject
It's invalid and you might run into issues modifying this entry later. You should choose either 'account' or 'applicationProcess'.
BTW: It should normally not be possible to add such entry. How did you add it? With slapadd or by using Relax Rules Control?
Ciao, Michael.
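The rule Michael states above (exactly one structural object class per entry, with the other structural classes listed being its superiors) can be checked before an ldapadd ever runs. Below is an added example, not code from the thread or from OpenLDAP: a small Python checker that parses a single LDIF entry, looks each objectClass up in a constructed toy schema (kind and superior only, covering the classes named in the thread plus the person chain), and reports the same condition slapd rejects with "invalid structural object class chain". The schema table is an assumption for illustration, not a dump of a real server's schema.

```python
# Added example (not from the thread): detect an invalid structural
# object class chain in an LDIF entry, using a constructed toy schema.

# name -> (kind, superior).  Constructed subset of the standard schema;
# enough to reproduce the thread's error and a valid chain.
TOY_SCHEMA = {
    "top": ("ABSTRACT", None),
    "account": ("STRUCTURAL", "top"),
    "applicationProcess": ("STRUCTURAL", "top"),
    "person": ("STRUCTURAL", "top"),
    "organizationalPerson": ("STRUCTURAL", "person"),
    "inetOrgPerson": ("STRUCTURAL", "organizationalPerson"),
    "simpleSecurityObject": ("AUXILIARY", "top"),
    "posixAccount": ("AUXILIARY", "top"),
}


def parse_ldif_entry(text):
    """Parse one simple (unfolded, non-base64) LDIF entry into (dn, attrs)."""
    dn, attrs = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs


def superior_chain(oc):
    """All classes from oc up to the root (oc itself included)."""
    chain = []
    while oc is not None:
        chain.append(oc)
        oc = TOY_SCHEMA[oc][1]
    return chain


def structural_check(object_classes):
    """Return (ok, structural_class, message) for a list of objectClass values.

    ok is True when exactly one structural class is "the" structural class,
    i.e. every other structural class listed is one of its superiors.
    """
    unknown = [oc for oc in object_classes if oc not in TOY_SCHEMA]
    if unknown:
        return False, None, "unknown object class (%s)" % "/".join(unknown)
    structural = [oc for oc in object_classes
                  if TOY_SCHEMA[oc][0] == "STRUCTURAL"]
    if not structural:
        return False, None, "no structural object class"
    # The most derived structural class must have all the others in its chain.
    for candidate in structural:
        chain = set(superior_chain(candidate))
        if all(oc in chain for oc in structural):
            return True, candidate, "ok"
    return False, None, ("invalid structural object class chain (%s)"
                         % "/".join(structural))


def check_entry(ldif_text):
    """Convenience wrapper: parse the entry and check its objectClass values."""
    _dn, attrs = parse_ldif_entry(ldif_text)
    return structural_check(attrs.get("objectClass", []))


# Constructed sample entries mirroring the thread.
BAD_ENTRY = """dn: uid=preset,ou=Service Accounts,dc=blah
objectClass: top
objectClass: account
objectClass: applicationProcess
objectClass: simpleSecurityObject
uid: preset
"""

GOOD_ENTRY = """dn: uid=preset,ou=Service Accounts,dc=blah
objectClass: top
objectClass: account
objectClass: simpleSecurityObject
uid: preset
userPassword: {PLACEHOLDER}
"""

if __name__ == "__main__":
    for label, entry in (("bad", BAD_ENTRY), ("good", GOOD_ENTRY)):
        ok, structural, msg = check_entry(entry)
        print("%s: ok=%s structural=%s (%s)" % (label, ok, structural, msg))
```

Note that a chain such as top/person/organizationalPerson/inetOrgPerson passes, because person and organizationalPerson are superiors of inetOrgPerson, whereas account and applicationProcess both sit directly under top and so count as two unrelated structural classes, which is exactly the pair slapd complained about. Auxiliary classes such as simpleSecurityObject and posixAccount are ignored by the check, since they never participate in the structural chain.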
openldap-technical@openldap.org