lam.attributes.user.map

You can use this parameter to map AIX user attributes to Active Directory user attributes. This mapping works on a per-system basis. With this parameter in use, adclient returns the mapped Active Directory attributes values from a LAM (Loadable Authentication Module) query of the configured AIX user attributes.

In most cases, you set this configuration parameter using group policy. The entries created by the group policy are then stored in the /etc/centrifydc/attributes.user.map file. You can, however, set this parameter manually in the configuration file if you are not using group policy or if you want to temporarily override the group policy.

In most cases, you use the lam.attributes.user.map parameter to specify the location of an mapping configuration file; this mapping file contains entries you want to use on the local computer. For example:

lam.attributes.user.map: file:/etc/centrifydc/attributes.user.map

Although the attributes.user.map file is generated from the list of mapping entries you specify using group policy, you can also manually create or update the mapping configuration file on any local computer, if needed. A sample illustrating the syntax is provided in the /etc/centrifydc/attributes.user.map.sample file.

The syntax for the mapping configuration file is:

AIX_ATTR AD_ATTR BYPASS_CACHE

AIX_ATTR indicates AIX attribute name AD_ATTR indicates Active Directory attribute name BYPASS_CACHE is optional, by default it's not specified. If it is specified, then adclient always tries to directly get the mapped attribute from Active Directory first, instead of trying to read from the cache first.

The following AIX attributes below are not supported for user mapping: id, password, shell, gecos, pgrp, pgid, home, expires, login, registry, auth1, auth2, system, account_locked, groups, groupsids, usrenv, maxage.

for example: unsuccessful_login_count badPwdCount bypass_cache

The example above maps the AIX user attribute unsuccessful_login_count to the Active Directory user attribute badPwdCount. The Delinea LAM module would return the badPwdCount value for any queries that include the unsuccessful_login_count AIX user attribute. By setting the bypass_cache option you can also make sure that the system always does a query to get the attributes instead of relying on the cached values.

For more information about AIX attributes mapping syntax, see the sample file /etc/centrifydc/attributes.user.map.sample.