Specify user attributes mapping (AIX)

You can use this policy to map AIX user attributes to Active Directory user attributes. This mapping works on a per-system basis. With this policy in use, adclient returns the mapped Active Directory attributes values from a LAM (Loadable Authentication Module) query of the configured AIX user attributes.

This group policy modifies the lam.attributes.user.map setting in the agent configuration file.

The syntax for the mapping configuration file is:

AIX_ATTR AD_ATTR BYPASS_CACHE

AIX_ATTR indicates AIX attribute name AD_ATTR indicates Active Directory attribute name BYPASS_CACHE is optional, by default it's not specified. If it is specified, then adclient always tries to directly get the mapped attribute from Active Directory first, instead of trying to read from the cache first.

The following AIX attributes below are not supported for user mapping: id, password, shell, gecos, pgrp, pgid, home, expires, login, registry, auth1, auth2, system, account_locked, groups, groupsids, usrenv, maxage.

for example: unsuccessful_login_count badPwdCount bypass_cache

The example above maps the AIX user attribute unsuccessful_login_count to the Active Directory user attribute badPwdCount. The Delinea LAM module would return the badPwdCount value for any queries that include the unsuccessful_login_count AIX user attribute. By setting the bypass_cache option you can also make sure that the system always does a query to get the attributes instead of relying on the cached values.

For more information about AIX attributes mapping syntax, see the sample file /etc/centrifydc/attributes.user.map.sample.