Group Attributes in Classic RFC 2307 Zones
There are two object classes for the group extension object created in the Groups sub-container of the zone: the serviceConnectionPoint object class and the posixAccount object class.

Group attribute | Stored in Active Directory attribute |
---|---|
UnixName | cn:GroupName. For example: cn:performx |
GroupVersion | displayName:GroupVersion. This attribute determines compatibility between a group profile object and the Access Manager console. The only valid value for this attribute is \$CimsGroupVersion3. For example: displayName:\$CimsGroupVersion3 |
Gid | gidNumber:value. For example: gidNumber:458 |
ParentLink | managedBy:DN_ActiveDirectoryGroup. If the zone is a 2.x and 3.x compatible zone, you should set this attribute to the DN of the parent Active Directory group object. For example: managedBy:cn=interns,cn=users,dc=ice,dc=net. If the zone does not need to be compatible with older versions of Delinea software, you can use the keywords attribute and parentLink pseudo-attribute to specify the security identifier (SID) of the parent Active Directory group object. For example: keywords:parentLink:S-n-n-nn-nnn.. |
UnixEnabled | keywords:unix_enabled:value. For example: keywords:unix_enabled:True |
ForeignForest | keywords:foreign:value. This attribute indicates whether a group in a zone is from an external forest. For example: keywords:foreign:False |

The posixGroup group membership attributes are not set. Delinea uses the normal Active Directory mechanism for determining group membership.
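
The mapping in the table above can be checked mechanically when auditing zone data. The following is an added example, not Delinea code: it decodes an already-retrieved group extension object back into the profile fields and reports entries that break the table's rules. The entry shape (a dict of attribute name to list of values), the function name `decode_group_profile`, and case-insensitive matching of True/False are assumptions.

```python
# Added example, not vendor code: map stored AD attributes back to profile fields.
VALID_VERSION = "$CimsGroupVersion3"  # the only valid GroupVersion per the table


def decode_group_profile(entry):
    """entry: dict of attribute name -> list of strings (assumed shape)."""
    def first(attr):
        values = entry.get(attr) or []
        return values[0] if values else None
    # keywords is multi-valued; each value is "name:value", split on first colon.
    kw = {}
    for item in entry.get("keywords") or []:
        name, sep, value = item.partition(":")
        if sep:
            kw[name] = value

    def as_bool(name):
        # Case-insensitive True/False matching is an assumption of this example.
        return {"true": True, "false": False}.get(kw.get(name, "").lower())

    gid = first("gidNumber")
    profile = {
        "UnixName": first("cn"),
        "GroupVersion": first("displayName"),
        "Gid": int(gid) if gid is not None and gid.isdecimal() else None,
        # DN in managedBy for 2.x/3.x compatible zones, else SID in parentLink.
        "ParentLink": first("managedBy") or kw.get("parentLink"),
        "UnixEnabled": as_bool("unix_enabled"),
        "ForeignForest": as_bool("foreign"),
    }
    issues = []
    if profile["GroupVersion"] != VALID_VERSION:
        issues.append("displayName is not " + VALID_VERSION)
    if profile["Gid"] is None:
        issues.append("gidNumber missing or not numeric")
    if profile["ParentLink"] is None:
        issues.append("no managedBy DN or parentLink SID")
    return profile, issues


# Constructed sample entry built from the example values in the table.
SAMPLE = {
    "cn": ["performx"],
    "displayName": ["$CimsGroupVersion3"],
    "gidNumber": ["458"],
    "managedBy": ["cn=interns,cn=users,dc=ice,dc=net"],
    "keywords": ["unix_enabled:True", "foreign:False"],
}
```

A group object with an empty `issues` list has a valid version marker, a numeric GID and a resolvable parent link; anything else is worth reviewing before relying on the group for access decisions.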