LDAP Attribute Mapping File Format

Purpose

Defines AIX® to LDAP attribute name mapping to support configurable LDAP server schema.

Description

These map files are used by the /usr/lib/security/LDAP module and the secldapclntd daemon for translation between AIX attribute names and LDAP attribute names. Each entry in a mapping file represents a translation for one attribute. An entry has five space-separated fields:
AIX_Attribute_Name AIX_Attribute_Type LDAP_Attribute_Name LDAP_Value_Type LDAP_Value_Unit
Item Description
AIX_Attribute_Name Specifies the AIX attribute name.
AIX_Attribute_Type Specifies the AIX attribute type. Values are SEC_CHAR, SEC_INT, SEC_LIST, and SEC_BOOL.
LDAP_Attribute_Name Specifies the LDAP attribute name.
LDAP_Value_Type Specifies the LDAP value type. Values are s for single value and m for multi-value.
LDAP_Value_Unit Specifies the LDAP value unit for some attributes. The following values are available for the maxage, minage, maxexpires, and the pwdwarntime attributes:
  • seconds
  • minutes
  • hours
  • days
  • weeks
  • months
  • years
The following values are available for the cpu, cpu_hard, fsize, fsize_hard, rss, rss_hard, stack, and the stack_hard attributes:
  • bytes
  • 512-byte blocks
  • kilobytes
  • megabytes
  • gigabytes
The following values are available for the lastupdate attribute:
  • Coordinated Universal Time (UTC) recorded in 100 nanoseconds, since January 1, 1601.
Note: The attributes of Microsoft Active Directory Server, such as pwdLastSet, store values only in the UTC unit; that is, these attribute values of the Microsoft Active Directory Server do not support any other units.

For all of the other attributes, the value is N/A. If no unit mapping is required, the values are also N/A.

TO_BE_CACHED Specifies whether this attribute is to be cached. Valid values are yes and no. Default is yes.
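The following parser and linter for this entry format is an added example, not code shipped with AIX or the secldapclntd daemon. It applies the field rules described above: the four AIX attribute types, the s/m value type, the units permitted for the time-limit attributes (maxage, minage, maxexpires, pwdwarntime) and the resource-limit attributes (cpu, fsize, rss, stack and their _hard variants), N/A (written na, as in the default map files) for everything else, and a TO_BE_CACHED flag that defaults to yes when the sixth field is absent. The sample map text and the '#' comment convention are constructed for the example; the LDAP attribute names in it are illustrative.

```python
from dataclasses import dataclass

# Value sets taken from the field descriptions on the page.
AIX_TYPES = {"SEC_CHAR", "SEC_INT", "SEC_LIST", "SEC_BOOL"}
VALUE_TYPES = {"s", "m"}
CACHE_FLAGS = {"yes", "no"}
TIME_ATTRS = {"maxage", "minage", "maxexpires", "pwdwarntime"}
TIME_UNITS = {"seconds", "minutes", "hours", "days", "weeks", "months", "years"}
SIZE_ATTRS = {"cpu", "cpu_hard", "fsize", "fsize_hard",
              "rss", "rss_hard", "stack", "stack_hard"}
# The page also lists "512-byte blocks" as a size unit but gives no single-token
# spelling for it, so it is not accepted by this example.
SIZE_UNITS = {"bytes", "kilobytes", "megabytes", "gigabytes"}
NO_UNIT = {"na", "n/a"}            # the page writes N/A; the default maps write na


@dataclass(frozen=True)
class MapEntry:
    aix_name: str
    aix_type: str
    ldap_name: str
    value_type: str
    unit: str
    cached: bool


def check_unit(aix_name, unit, lineno):
    """Raise ValueError if the unit field is not allowed for this attribute."""
    u = unit.lower()
    if aix_name == "lastupdate":
        return  # the page describes this unit (UTC, 100 ns intervals) but gives no token
    if aix_name in TIME_ATTRS:
        allowed = TIME_UNITS | NO_UNIT
    elif aix_name in SIZE_ATTRS:
        allowed = SIZE_UNITS | NO_UNIT
    else:
        allowed = NO_UNIT   # "for all of the other attributes, the value is N/A"
    if u not in allowed:
        raise ValueError(f"line {lineno}: unit '{unit}' not valid for {aix_name}")


def parse_entry(line, lineno=0):
    """Parse one map entry; TO_BE_CACHED is optional and defaults to yes."""
    fields = line.split()
    if len(fields) not in (5, 6):
        raise ValueError(f"line {lineno}: expected 5 or 6 fields, got {len(fields)}")
    aix_name, aix_type, ldap_name, value_type, unit = fields[:5]
    cache_flag = fields[5] if len(fields) == 6 else "yes"
    if aix_type not in AIX_TYPES:
        raise ValueError(f"line {lineno}: unknown AIX attribute type '{aix_type}'")
    if value_type not in VALUE_TYPES:
        raise ValueError(f"line {lineno}: LDAP value type must be s or m, got '{value_type}'")
    if cache_flag not in CACHE_FLAGS:
        raise ValueError(f"line {lineno}: TO_BE_CACHED must be yes or no, got '{cache_flag}'")
    check_unit(aix_name, unit, lineno)
    return MapEntry(aix_name, aix_type, ldap_name, value_type, unit, cache_flag == "yes")


def _entry_lines(text):
    """Yield (lineno, line) for non-blank, non-comment lines (comment syntax assumed)."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield lineno, line


def lint_map(text):
    """Return every problem found in the map text, one message per bad line."""
    errors, seen = [], set()
    for lineno, line in _entry_lines(text):
        try:
            entry = parse_entry(line, lineno)
        except ValueError as exc:
            errors.append(str(exc))
            continue
        if entry.aix_name in seen:
            errors.append(f"line {lineno}: duplicate mapping for {entry.aix_name}")
        seen.add(entry.aix_name)
    return errors


def parse_map(text):
    """Return {aix_name: MapEntry} or raise ValueError listing every problem."""
    errors = lint_map(text)
    if errors:
        raise ValueError("\n".join(errors))
    return {e.aix_name: e for e in (parse_entry(l, n) for n, l in _entry_lines(text))}


# Constructed sample in the layout of a user map (LDAP names are illustrative).
SAMPLE_MAP = """\
# constructed sample user map
keyobjectclass  SEC_CHAR  posixaccount   s  na         yes
username        SEC_CHAR  uid            s  na         yes
id              SEC_INT   uidnumber      s  na         yes
gecos           SEC_CHAR  gecos          s  na         no
maxage          SEC_INT   shadowmax      s  days
fsize           SEC_INT   fsize          s  kilobytes  yes
"""

# Constructed sample with one defect per line (and a duplicate on the last line).
BAD_MAP = """\
username  SEC_STR   uid            s  na          yes
id        SEC_INT   uidnumber      x  na          yes
maxage    SEC_INT   shadowmax      s  fortnights  yes
gecos     SEC_CHAR  gecos          s  na          maybe
home      SEC_CHAR  homedirectory  s  na          yes
home      SEC_CHAR  homedirectory  m  na          yes
"""

if __name__ == "__main__":
    for name, entry in parse_map(SAMPLE_MAP).items():
        print(f"{name:15} -> {entry.ldap_name} ({entry.unit}, cached={entry.cached})")
    print("\n".join(lint_map(BAD_MAP)))
```

Running the linter against a hand-written map before pointing /etc/security/ldap.cfg at it catches the cases that are otherwise only noticed when a lookup silently returns nothing: a misspelled type keyword, a unit the module does not recognise, or two entries competing for the same AIX attribute.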

Files

AIX includes the following sets of attribute mapping files in the /etc/security/ldap directory:

The following attribute mappings are defined for the AIX-specific schema:
Item Description
aixuser.map Specifies the mapping for the aixAccount object class.
aixgroup.map Specifies the mapping for the aixAccessGroup object class.
aixid.map Specifies the mapping for the aixAdmin object class.
The following attribute mappings are defined for nisSchema (RFC 2307):
Item Description
2307user.map Specifies the mapping for the posixAccount object class.
2307group.map Specifies the mapping for the posixGroup object class.
The following attribute mappings are defined for nisSchema with AIX extensions:
Item Description
2307aixuser.map Specifies the mapping for the posixAccount object class and the aixAuxAccount object class.
2307aixgroup.map Specifies the mapping for the posixGroup object class and the aixAuxGroup object class.
The following attribute mappings are defined for Active Directory with service for UNIX:
Item Description
sfu30user.map Specifies the mapping for the user object class.
sfu30group.map Specifies the mapping for the group object class.
The following attribute mappings are defined for Active Directory with Windows 2003 R2 schema:
Item Description
sfur2user.map Specifies the mapping for the user object class.
sfur2group.map Specifies the mapping for the group object class.

The mksecldap command, at LDAP client configuration, automatically determines the server type and selects the corresponding mapping files to use. If an LDAP server uses a schema that is not covered by the mapping files under the /etc/security/ldap directory, you must configure the LDAP client manually by creating your own mapping sets and editing the /etc/security/ldap.cfg file to use your mapping files.

The user and group maps might contain an entry that designates the required object class that each user or group must have. This object class is used in the filter for searches performed on user or group entries. As an example, the default entries for keyobjectclass in the aix2307user.map and aix2307group.map files are listed below.

aix2307user.map:
        keyobjectclass  SEC_CHAR        posixaccount    s  na   yes
aix2307group.map:
        keyobjectclass  SEC_CHAR        posixgroup      s  na   yes
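The following is an added example, not part of the AIX LDAP module, showing how a search filter can be built from a map's keyobjectclass entry. The filter shape (&(objectClass=...)(uid=...)) and the use of the map's username entry to find the login-name attribute are assumptions made for the illustration, not the module's exact query. The point it demonstrates is that values placed into the filter, the login name in particular, are escaped per RFC 4515 so that a name containing filter metacharacters cannot widen the search. The map text is constructed.

```python
# Constructed user map in the format of the page (LDAP names illustrative).
SAMPLE_USER_MAP = """\
keyobjectclass  SEC_CHAR  posixaccount  s  na  yes
username        SEC_CHAR  uid           s  na  yes
id              SEC_INT   uidnumber     s  na  yes
"""


def ldap_name(map_text, aix_attr):
    """Return the LDAP_Attribute_Name field of the entry for aix_attr, or None."""
    for raw in map_text.splitlines():
        fields = raw.split()
        if len(fields) >= 3 and fields[0] == aix_attr:
            return fields[2]
    return None


def escape_filter_value(value):
    """Escape an assertion value per RFC 4515 section 3 (\\XX hex pairs)."""
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def user_search_filter(map_text, username):
    """Build the user lookup filter from the map's keyobjectclass and username entries."""
    object_class = ldap_name(map_text, "keyobjectclass")
    name_attr = ldap_name(map_text, "username")   # assumed AIX attribute name
    if object_class is None or name_attr is None:
        raise ValueError("map needs keyobjectclass and username entries")
    return "(&(objectClass=%s)(%s=%s))" % (
        escape_filter_value(object_class),
        name_attr,
        escape_filter_value(username),
    )


if __name__ == "__main__":
    print(user_search_filter(SAMPLE_USER_MAP, "alice"))
    # A name carrying filter metacharacters is neutralised rather than interpreted.
    print(user_search_filter(SAMPLE_USER_MAP, "*)(uid=*"))
```

Because the object class named by keyobjectclass is part of every user or group search, a map that names the wrong class (for example a group class in the user map) makes every user lookup return nothing, which is the first thing to check when an LDAP user cannot log in after a custom map is installed.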

The aixid.map file contains the attribute mappings for user and group IDs. These IDs are used when a new LDAP user or group is created with the mkuser or mkgroup command.