Specify user attributes mapping (AIX)
You can use this policy to map AIX user attributes to Active Directory user attributes. The mapping is configured per system. With this policy in use, adclient returns the values of the mapped Active Directory attributes in response to LAM (Loadable Authentication Module) queries for the configured AIX user attributes.
This group policy modifies the lam.attributes.user.map setting in the agent configuration file.
The syntax for each line of the mapping configuration file is:
AIX_ATTR AD_ATTR BYPASS_CACHE
AIX_ATTR is the AIX attribute name.
AD_ATTR is the Active Directory attribute name.
BYPASS_CACHE is optional and is not set by default. If it is specified, adclient always tries to read the mapped attribute directly from Active Directory first rather than from its cache first, so each query returns the value currently held in Active Directory at the cost of a directory lookup per query.
The following AIX attributes are not supported for user mapping: id, password, shell, gecos, pgrp, pgid, home, expires, login, registry, auth1, auth2, system, account_locked, groups, groupsids, usrenv, maxage.
For example:
unsuccessful_login_count badPwdCount bypass_cache
This line maps the AIX user attribute unsuccessful_login_count to the Active Directory user attribute badPwdCount. The Delinea LAM module then returns the badPwdCount value for any query that includes the unsuccessful_login_count AIX user attribute. Because bypass_cache is set, the system always queries Active Directory for the attribute instead of relying on cached values, which matters for a counter such as badPwdCount that changes with every failed logon. Note that badPwdCount is maintained independently by each domain controller and is not replicated, so the value returned depends on which domain controller adclient queries.
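The following validator, added here as an example and not code from this page or from the Delinea agent, parses text in the AIX_ATTR AD_ATTR [BYPASS_CACHE] syntax described above, rejects the AIX attributes listed as unsupported, and reports whether each mapping bypasses the cache. It assumes that lines starting with '#' are comments, that the BYPASS_CACHE flag is matched case-insensitively (the page writes it both as BYPASS_CACHE and as bypass_cache), and it adds a check that AD_ATTR has the shape of an LDAP attribute name (letter followed by letters, digits or hyphens, per RFC 4512). The sample map content is constructed for the example and carries no claim about what the attributes mean.

```python
import re

# AIX user attributes the policy does not allow to be mapped (from the page).
UNSUPPORTED_AIX_ATTRS = frozenset({
    "id", "password", "shell", "gecos", "pgrp", "pgid", "home", "expires",
    "login", "registry", "auth1", "auth2", "system", "account_locked",
    "groups", "groupsids", "usrenv", "maxage",
})

# Shape of an LDAP attribute type name (RFC 4512 keystring): this check is an
# addition of the example, not something the page specifies.
LDAP_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")

# Constructed sample content (not the shipped attributes.user.map.sample).
# '#' comment lines are an assumption of this example.
SAMPLE_MAP = """\
# AIX_ATTR  AD_ATTR  [BYPASS_CACHE]
unsuccessful_login_count badPwdCount bypass_cache
maxage maxPwdAge
pwdwarntime extensionAttribute1
badline
shell loginShell bypass_cache extra
loginretries bad!attr
histsize sAMAccountName BYPASS_CACHE
"""


def parse_user_map(text):
    """Parse attributes.user.map-style text.

    Returns (mappings, errors). Each mapping is a dict with the AIX
    attribute, the AD attribute, and whether adclient should go to
    Active Directory before its cache. Each error is (line number, message).
    """
    mappings, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) not in (2, 3):
            errors.append((lineno, "expected 'AIX_ATTR AD_ATTR [BYPASS_CACHE]', got %r" % raw))
            continue
        aix_attr, ad_attr = fields[0], fields[1]
        if aix_attr in UNSUPPORTED_AIX_ATTRS:
            errors.append((lineno, "AIX attribute %r is not supported for mapping" % aix_attr))
            continue
        if not LDAP_ATTR_RE.match(ad_attr):
            errors.append((lineno, "AD attribute %r is not a valid LDAP attribute name" % ad_attr))
            continue
        bypass = False
        if len(fields) == 3:
            if fields[2].lower() != "bypass_cache":
                errors.append((lineno, "unknown flag %r (only BYPASS_CACHE is allowed)" % fields[2]))
                continue
            bypass = True
        mappings.append({"aix": aix_attr, "ad": ad_attr, "bypass_cache": bypass})
    return mappings, errors


def bypassing_attrs(mappings):
    """Return the AIX attributes whose lookups always go to Active Directory first."""
    return sorted(m["aix"] for m in mappings if m["bypass_cache"])


if __name__ == "__main__":
    ok, bad = parse_user_map(SAMPLE_MAP)
    for m in ok:
        print("%-26s -> %-20s bypass_cache=%s" % (m["aix"], m["ad"], m["bypass_cache"]))
    for lineno, msg in bad:
        print("line %d: %s" % (lineno, msg))
```

Running it over the constructed sample keeps three mappings and reports four bad lines: the unsupported maxage, the one-field line, the line with an unknown fourth field, and the AD attribute name containing '!'. Because the flag is the only optional field and the unsupported list is closed, the same validator can be run over a real map file before the policy is pushed out.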
For more information about the AIX attribute mapping syntax, see the sample file /etc/centrifydc/attributes.user.map.sample.