lam.attributes.group.map

You can use this parameter to map AIX group attributes to Active Directory group attributes. This mapping works on a per-system basis. With this parameter in use, adclient returns the mapped Active Directory attribute values from a LAM (Loadable Authentication Module) query of the configured AIX group attributes.

In most cases, you set this configuration parameter using group policy. The entries created by the group policy are then stored in the /etc/centrifydc/attributes.group.map file. You can, however, set this parameter manually in the configuration file if you are not using group policy or if you want to temporarily override the group policy.

In most cases, you use the lam.attributes.group.map parameter to specify the location of a mapping configuration file; this mapping file contains the entries you want to use on the local computer. For example:

lam.attributes.group.map: file:/etc/centrifydc/attributes.group.map

Although the attributes.group.map file is generated from the list of mapping entries you specify using group policy, you can also manually create or update the mapping configuration file on any local computer, if needed. A sample illustrating the syntax is provided in the /etc/centrifydc/attributes.group.map.sample file.

The syntax for the mapping configuration file is:

AIX_ATTR AD_ATTR BYPASS_CACHE

AIX_ATTR is the AIX attribute name.

AD_ATTR is the Active Directory attribute name.

BYPASS_CACHE is optional and is not specified by default. If it is specified, adclient always tries to get the mapped attribute directly from Active Directory first, instead of trying to read from the cache first.

The following AIX attributes are not supported for group mapping: id, registry, and users.

For example:

adms memberUid

The example above maps the AIX group attribute adms to the Active Directory group attribute memberUid. The Delinea LAM module returns the memberUid value for any query that includes the adms AIX group attribute. Because BYPASS_CACHE is not specified in this entry, adclient tries to read the memberUid value from the cache first.

For more information about AIX attributes mapping syntax, see the sample file /etc/centrifydc/attributes.group.map.sample.
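The following lint script is an added example, not part of the product or its documentation. It checks a mapping file against the syntax described above before the file is deployed. It assumes that lines starting with # are comments and that the optional third field is the literal keyword BYPASS_CACHE; confirm both against the sample file. The function names and the sample entries are constructed for illustration, and treating a repeated AIX attribute as an error is a choice of this script.

```shell
#!/bin/sh
# Added example: lint a mapping file in the AIX_ATTR AD_ATTR [BYPASS_CACHE] format.
# Assumptions: "#" starts a comment line and the optional third field is the
# literal keyword BYPASS_CACHE; verify both against attributes.group.map.sample.

lint_group_map() {  # $1 = mapping file; prints findings, returns 1 on any ERROR
    awk '
    /^[ \t]*#/ || NF == 0 { next }            # skip comments and blank lines
    NF < 2 || NF > 3 {
        printf "ERROR line %d: expected 2 or 3 fields, found %d\n", NR, NF
        bad = 1; next
    }
    $1 == "id" || $1 == "registry" || $1 == "users" {
        printf "ERROR line %d: AIX attribute %s is not supported for group mapping\n", NR, $1
        bad = 1; next
    }
    NF == 3 && $3 != "BYPASS_CACHE" {
        printf "ERROR line %d: unexpected third field %s\n", NR, $3
        bad = 1; next
    }
    ($1 in seen) {                            # ambiguous: same AIX attribute mapped twice
        printf "ERROR line %d: %s already mapped on line %d\n", NR, $1, seen[$1]
        bad = 1; next
    }
    { seen[$1] = NR }
    NF == 3 {                                 # worth reviewing: lookups go to AD before the cache
        printf "INFO line %d: %s -> %s bypasses the cache\n", NR, $1, $2
    }
    END { exit (bad ? 1 : 0) }
    ' "$1"
}

write_sample() {  # $1 = output path; constructed entries, not from a real system
    cat > "$1" <<'EOF'
# constructed sample
adms memberUid
users member
projects description BYPASS_CACHE
adms managedBy
admin
EOF
}

sample="${TMPDIR:-/tmp}/attributes.group.map.lint.$$"
write_sample "$sample"
lint_group_map "$sample" || echo "mapping file needs fixes before deployment"
rm -f "$sample"
```
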