In this context, a service account is an account that represents an application or a device, not a human being. The application or device uses the service account to authenticate, so that it can be authorized to perform some operation, including accessing data in the directory service. Examples include AM, IDM, other DS servers, and other client applications.
DS supports multiple alternative credential schemes. Account credentials can be a username-password combination, a certificate, an OAuth 2.0 access token, or a Kerberos ticket, for example.
For LDAP service accounts, the documentation should discuss the trade-offs of using service account credentials that are:
- User name and strong password combinations
- Self-signed certificates
- CA-signed certificates (with PKI for trust)
It would be helpful to show how alternative mechanisms facilitate administration of secrets:
- Need to disclose the secret (a password must be sent over the network to authenticate; a certificate or ticket proves possession without revealing the key)
- Rotation (e.g. support for multiple secrets being active at once, so a new secret can be rolled out before the old one is retired)
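As an added illustration of the rotation point (example code written for this page, not DS's own implementation): a minimal verifier in which a service account holds several active password credentials, so a new password can be distributed to clients before the old one expires. The PBKDF2 parameters, lifetimes, overlap window and sample passwords are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

PBKDF2_ITERATIONS = 200_000  # assumption; tune to the deployment's hardware

def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

@dataclass
class PasswordCredential:
    salt: bytes
    digest: bytes  # salted, iterated hash: the store never holds the cleartext
    expires_at: float  # Unix time; checked on every verification

@dataclass
class ServiceAccount:
    credentials: list = field(default_factory=list)

    def add_password(self, password: str, lifetime_s: float, now: float) -> None:
        salt = secrets.token_bytes(16)
        self.credentials.append(PasswordCredential(salt, derive(password, salt), now + lifetime_s))

    def verify(self, password: str, now: float) -> bool:
        """Accept the password if it matches any credential that is still live."""
        matched = False
        for cred in self.credentials:
            if cred.expires_at <= now:
                continue  # retired secret: never accepted again
            # Check every live slot with a constant-time compare, so timing does not reveal which matched.
            if hmac.compare_digest(derive(password, cred.salt), cred.digest):
                matched = True
        return matched

    def rotate_password(self, new_password: str, lifetime_s: float, overlap_s: float, now: float) -> None:
        """Add the new secret and cap the old ones at the overlap window so they retire by themselves."""
        for cred in self.credentials:
            cred.expires_at = min(cred.expires_at, now + overlap_s)
        self.add_password(new_password, lifetime_s, now)

def rotation_demo() -> dict:
    """Constructed scenario: rotate to a new password with a one-hour overlap window."""
    t0 = 1_700_000_000.0  # fixed clock so the outcome is reproducible
    acct = ServiceAccount()
    acct.add_password("old-secret-1", lifetime_s=90 * 86400, now=t0)
    acct.rotate_password("new-secret-2", lifetime_s=90 * 86400, overlap_s=3600, now=t0)
    return {"old_during_overlap": acct.verify("old-secret-1", t0 + 60),
            "new_during_overlap": acct.verify("new-secret-2", t0 + 60),
            "old_after_overlap": acct.verify("old-secret-1", t0 + 3601),
            "new_after_overlap": acct.verify("new-secret-2", t0 + 3601)}
```

During the overlap window both secrets authenticate; once it closes, only the new one does, without any client-facing change at cut-over time.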
In addition, it would be helpful to explain how public CAs should be used for public-facing server certificates, but not for client certificates.