Re: uidNumber for Service Accounts?
- To: Douglas Duckworth <dod2014@med.cornell.edu>
- Subject: Re: uidNumber for Service Accounts?
- From: MJ J <mikedotjackson@gmail.com>
- Date: Tue, 19 Dec 2017 21:49:38 +0200
- Cc: John Lewis <jl@hyperbolicinnovation.com>, Openldap Technical <openldap-technical@openldap.org>
- In-reply-to: <CAAKHBK==M1Wh9u9bZ8DiEUOcSy7qsCJ=MqK8sLnz99O7vM8dog@mail.gmail.com>
- References: <CAAKHBKkWCvdrOSA2EbBcwHAuWvWvkdknnoMOY9wT8sozJ+UADA@mail.gmail.com> <c97f6f73b27d46abae7a4cac5077fdd8@DM5PR06MB3097.namprd06.prod.outlook.com> <CAAKHBKnH30z2+Mhxf53d1FJsYvdMW4VtJgmmjzcsOa9SfO7w6Q@mail.gmail.com> <CAAKHBK==M1Wh9u9bZ8DiEUOcSy7qsCJ=MqK8sLnz99O7vM8dog@mail.gmail.com>
Service accounts typically use the simpleSecurityObject object class.
On Tue, Dec 19, 2017 at 9:15 PM, Douglas Duckworth
<dod2014@med.cornell.edu> wrote:
> It seems I created this service account with posixAccount objectClass. That
> requires uidNumber.
>
> So I need to do some research on what's the appropriate objectClass for this
> service account. It's used by SSSD and Apache, for example, to perform
> binds with our LDAP cluster since we do not allow anon binds. In addition
> ACLs only permit this account, and the Manager, access to read the entire
> directory.
>
> From reading here http://www.zytrax.com/books/ldap/ape/#objectclasses I
> think I would only need objectClass: account which the service account
> already contains. So I could delete the posixAccount objectClass and then
> uidNumber, gidNumber, homeDirectory, and loginShell?
>
> Thanks,
>
> Douglas Duckworth, MSc, LFCS
> HPC System Administrator
> Scientific Computing Unit
> Physiology and Biophysics
> Weill Cornell Medicine
> E: doug@med.cornell.edu
> O: 212-746-6305
> F: 212-746-8690
>
> On Thu, Oct 26, 2017 at 9:24 AM, Douglas Duckworth <dod2014@med.cornell.edu>
> wrote:
>>
>> Thanks John and everyone else. It's only performing binds for Apache, and
>> sssd, as I do not allow anon binds to the LDAP server. This particular
>> account does not perform any interactive logins on *Nix boxes.
>>
>> Thanks,
>>
>> Douglas Duckworth, MSc, LFCS
>> HPC System Administrator
>> Scientific Computing Unit
>> Physiology and Biophysics
>> Weill Cornell Medicine
>> E: doug@med.cornell.edu
>> O: 212-746-6305
>> F: 212-746-8690
>>
>> On Wed, Oct 25, 2017 at 9:18 PM, John Lewis <jl@hyperbolicinnovation.com>
>> wrote:
>>>
>>> On Wed, 2017-10-25 at 09:32 -0400, Douglas Duckworth wrote:
>>> > Hi
>>> >
>>> > Do I need uidNumber for Service Accounts used for application /
>>> > server binding if this user won't actually be resolved by sssd or
>>> > nslcd?
>>> >
>>> > I set a very high uidNumber but eventually this will conflict with
>>> > users as in my ignorance I didn't put this in a lower range.
>>> >
>>> > Thanks,
>>> >
>>> > Douglas Duckworth, MSc, LFCS
>>> > HPC System Administrator
>>> > Scientific Computing Unit
>>> > Physiology and Biophysics
>>> > Weill Cornell Medicine
>>> > E: doug@med.cornell.edu
>>> > O: 212-746-6305
>>> > F: 212-746-8690
>>>
>>> It depends on whether your service account needs to login to a UNIX
>>> compliant system or not. If the account doesn't have a uid, it will
>>> most likely not be able to login as a standard UNIX account via LDAP.
>>>
>>> If the binds go directly to an application without going through an OS
>>> authentication layer, for example a web user login, it probably doesn't
>>> matter either way whether the account has a uidNumber set or not. If
>>> you have an interaction with sssd or nslcd in the middle, you are going
>>> to need the uidNumber attribute set.
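The thread stops at "delete posixAccount and its attributes, use simpleSecurityObject". Below is an added example (not code from the thread or from the OpenLDAP project) that plans that change as a `changetype: modify` LDIF and checks the resulting entry against the schema before `ldapmodify` does. The MUST/MAY lists are abridged from OpenLDAP's stock core.schema, cosine.schema and nis.schema for just the four classes involved; the entry DN, attribute values and the sample password hash are constructed assumptions. It goes a little beyond the thread on purpose: removing posixAccount also orphans `cn` (account does not permit it) and `userPassword` (which only posixAccount allowed until simpleSecurityObject is added), and an entry whose RDN is `cn=` cannot have `cn` deleted without a modrdn first.

```python
"""Plan an objectClass change for an OpenLDAP service-account entry and check
the result against the schema before sending it with ldapmodify.

Added example; not from the mailing-list thread or the OpenLDAP project.
"""

# Abridged MUST/MAY sets copied from OpenLDAP's core/cosine/nis schema files
# for the four classes this change touches: (kind, MUST, MAY).
SCHEMA = {
    "top": ("ABSTRACT", {"objectClass"}, set()),
    "account": ("STRUCTURAL", {"uid"},
                {"description", "seeAlso", "l", "o", "ou", "host"}),
    "posixAccount": ("AUXILIARY",
                     {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
                     {"userPassword", "loginShell", "gecos", "description"}),
    # AUXILIARY, so it still needs a STRUCTURAL class such as account.
    "simpleSecurityObject": ("AUXILIARY", {"userPassword"}, set()),
}

# Constructed sample: a bind-only service account created with posixAccount,
# as in the thread. DN, values and the hash are assumptions, not real data.
SAMPLE_ENTRY = {
    "dn": "uid=svc-bind,ou=Services,dc=example,dc=com",
    "objectClass": ["top", "account", "posixAccount"],
    "cn": ["svc-bind"],
    "uid": ["svc-bind"],
    "uidNumber": ["999999"],
    "gidNumber": ["999999"],
    "homeDirectory": ["/nonexistent"],
    "loginShell": ["/sbin/nologin"],
    "userPassword": ["{SSHA}c2FsdHNhbHRzYWx0c2FsdA=="],
    "description": ["bind account for sssd and Apache"],
}


def schema_violations(entry):
    """Return the objectClass violations slapd would report for `entry`."""
    classes = entry["objectClass"]
    unknown = [c for c in classes if c not in SCHEMA]
    if unknown:
        return [f"unknown objectClass {c}" for c in unknown]
    problems = []
    if not any(SCHEMA[c][0] == "STRUCTURAL" for c in classes):
        problems.append("no structural objectClass")
    allowed = set().union(*(SCHEMA[c][1] | SCHEMA[c][2] for c in classes))
    required = set().union(*(SCHEMA[c][1] for c in classes))
    present = {a for a in entry if a != "dn"}
    problems += [f"missing required attribute {a}" for a in sorted(required - present)]
    problems += [f"attribute {a} not allowed by {classes}" for a in sorted(present - allowed)]
    return problems


def plan_modify(entry, drop, add=()):
    """Build the LDIF that drops/adds objectClasses and deletes every attribute
    the remaining classes no longer permit.

    Returns (ldif, orphaned, problems). Review `orphaned` (a bind account
    losing userPassword is schema-valid but useless) and apply the LDIF only
    when `problems` is empty.
    """
    new_classes = [c for c in entry["objectClass"] if c not in drop] + list(add)
    allowed = set().union(*(SCHEMA[c][1] | SCHEMA[c][2]
                            for c in new_classes if c in SCHEMA))
    orphaned = sorted(a for a in entry
                      if a not in ("dn", "objectClass") and a not in allowed)
    problems = []
    # The naming attribute cannot be deleted; the entry must be renamed first.
    rdn_attr = entry["dn"].split("=", 1)[0].strip()
    if rdn_attr in orphaned:
        problems.append(f"naming attribute {rdn_attr} would no longer be "
                        "permitted; modrdn the entry first")
    result = {k: v for k, v in entry.items() if k not in orphaned}
    result["objectClass"] = new_classes
    problems += schema_violations(result)

    lines = [f"dn: {entry['dn']}", "changetype: modify"]
    for c in drop:
        lines += ["delete: objectClass", f"objectClass: {c}", "-"]
    for c in add:
        lines += ["add: objectClass", f"objectClass: {c}", "-"]
    for a in orphaned:
        lines += [f"delete: {a}", "-"]
    return "\n".join(lines) + "\n", orphaned, problems


if __name__ == "__main__":
    ldif, orphaned, problems = plan_modify(
        SAMPLE_ENTRY, drop=["posixAccount"], add=["simpleSecurityObject"])
    print(ldif)
    print("attributes to be deleted:", orphaned)
    print("problems:", problems or "none; safe to feed to ldapmodify -f")
```

Run it and compare the printed delete list with what the thread proposes: `uidNumber`, `gidNumber`, `homeDirectory` and `loginShell` go, but so does `cn`, and `userPassword` survives only because simpleSecurityObject is added in the same modify. Verify the live entry afterwards with an `ldapsearch` for the DN and confirm the service can still bind before removing the old objectClass anywhere else.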