Douglas Duckworth wrote:
> It seems I created this service account with posixAccount objectClass.
> That requires uidNumber.
>
> So I need to do some research on what's the appropriate objectClass for
> this service account. It's used by SSSD and Apache, for example, to
> perform binds with our LDAP cluster since we do not allow anon binds.
> In addition ACLs only permit this account, and the Manager, access to
> read the entire directory.
>
> From reading here http://www.zytrax.com/books/ldap/ape/#objectclasses I
> think I would only need objectClass: account which the service account
> already contains. So I could delete the posixAccount objectClass and
> then uidNumber, gidNumber, homeDirectory, and loginShell?

Yes. But you have to add auxiliary object class 'simpleSecurityObject' to add 'userPassword' to this entry.

'applicationProcess' is a similar object class often used for this kind of service/tool entry.

You should define a naming convention to make such entries easily distinguishable from all other account entries.

Ciao, Michael.
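The change Michael describes, written out as an LDIF for ldapmodify. This is an added example, not part of the thread: the DN `uid=svc-ldap-bind,ou=services,dc=example,dc=com`, the `ou=services` naming convention for service entries and the second entry's name are assumptions for illustration. The schema facts it relies on are standard: `account` (RFC 4524) is structural with MUST `uid` and does not allow `cn` or `userPassword`; `posixAccount` (RFC 2307) is auxiliary with MUST `cn`, `uid`, `uidNumber`, `gidNumber`, `homeDirectory` and MAY `userPassword`, `loginShell`, `gecos`; `simpleSecurityObject` (RFC 4519) is auxiliary with MUST `userPassword`; `applicationProcess` (RFC 4519) is structural with MUST `cn`.

```ldif
# Convert an existing bind-only service entry from account+posixAccount to
# account+simpleSecurityObject. All changes go in ONE modify operation so the
# server evaluates schema against the final state of the entry; if
# posixAccount were removed in a separate request first, userPassword would
# no longer be permitted and that request would fail with an
# objectClassViolation.
dn: uid=svc-ldap-bind,ou=services,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: simpleSecurityObject
-
delete: objectClass
objectClass: posixAccount
-
delete: uidNumber
-
delete: gidNumber
-
delete: homeDirectory
-
delete: loginShell
-
# posixAccount required cn, but account does not allow it, so it has to go as
# well or the modify is rejected. Delete gecos here too if the entry has one.
# Each 'delete: <attr>' without values removes the whole attribute and fails
# with noSuchAttribute if the attribute is absent, so drop the lines for
# attributes the entry does not carry.
delete: cn
-

# Alternative for a new entry, using applicationProcess instead of account.
# This is a separate ldapadd; OpenLDAP does not allow changing the structural
# object class of an existing entry (account -> applicationProcess), so an
# existing entry would have to be deleted and re-added to take this form.
# applicationProcess requires cn, which also works if the RDN is cn=...
dn: cn=svc-sssd-bind,ou=services,dc=example,dc=com
changetype: add
objectClass: applicationProcess
objectClass: simpleSecurityObject
cn: svc-sssd-bind
description: Bind account used by SSSD; read access granted by ACL
userPassword: {SSHA}replace-with-a-real-hash
```

Apply with `ldapmodify -x -D "cn=Manager,dc=example,dc=com" -W -f service-accounts.ldif` and confirm the result with `ldapsearch -x -D "<bind DN>" -W -b "<DN>" objectClass userPassword` bound as the service account itself; the ACL that restricts directory reads to this account and the Manager should still match, since it keys on the DN, not on the object classes.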