Active Directory group member attribute selection
Microsoft's Services for UNIX (SFU) defines three group member attributes: memberUid, msSFU30MemberUid, and msSFU30PosixMember. Example values:
- memberUid: foo
- msSFU30MemberUid: foo
- msSFU30PosixMember: CN=foo bar,CN=Users,DC=austin,DC=ibm,DC=com
The AIX operating system supports all three attributes. Consult your AD administrator to determine which one to use. By default, the mksecldap command configures the AIX operating system to use the msSFU30PosixMember attribute against AD running on Windows 2000 and 2003, and the memberUid attribute against AD running on Windows 2003 R2. These defaults match AD's own behavior: when a user is added to a group from Windows, AD populates that attribute. Your business strategy might nevertheless require a non-default group member attribute to support multiple platforms.
If a different group member attribute is needed, change the mapping by editing the group mapping file:
- The group mapping file for AD running on Windows 2000 and 2003 is /etc/security/ldap/sfu30group.map; for Windows 2003 R2 it is /etc/security/ldap/sfur2group.map.
- Find the line that starts with the word users, and replace the third field with the desired group member attribute name. For more information, see LDAP Attribute Mapping File Format.
- After the change, run the mksecldap command to configure the AIX LDAP client, or, if the client is already configured, run the restart-secldapclntd command to restart the secldapclntd daemon so that it picks up the change.
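The following shell script is an added example of the edit described above; it is not IBM's tooling and not part of the original page. It rewrites the third field of the users line in a mapping file, keeps a backup, reads the result back for verification, and runs restart-secldapclntd only where that command exists. The map file content is constructed here in the four-column AIX mapping-file layout (AIX attribute, AIX type, LDAP attribute, LDAP value type) and written to a temporary path rather than to the real /etc/security/ldap files; the function names are the example's own.

```sh
#!/bin/sh
# Added example, not from the IBM page: rewrite the LDAP attribute (third field)
# on the "users" line of an AIX LDAP group mapping file, then verify the result.
# The map file content below is constructed for illustration; on a real host the
# file is /etc/security/ldap/sfu30group.map or sfur2group.map.

set -eu

MAP=${TMPDIR:-/tmp}/example-sfu30group.map

# Constructed sample in the AIX mapping-file layout:
#   AIX_attribute  AIX_type  LDAP_attribute  LDAP_value_type
write_sample_map() {
    printf '%s\n' \
        'groupname   SEC_CHAR   cn                   s' \
        'id          SEC_INT    gidNumber            s' \
        'users       SEC_LIST   msSFU30PosixMember   m' \
        > "$MAP"
}

# Print the LDAP attribute currently mapped for group members ($1 = map file).
current_member_attr() {
    awk '$1 == "users" { print $3 }' "$1"
}

# Replace the third field on the "users" line of $1 with the attribute in $2.
# A backup copy ($1.bak) is kept; lines other than "users" are copied through
# unchanged, and the rewritten line is re-joined with tabs.
set_member_attr() {
    map_file=$1
    new_attr=$2
    cp "$map_file" "$map_file.bak"
    awk -v attr="$new_attr" 'BEGIN { OFS = "\t" }
         $1 == "users" { $3 = attr }
         { print }' "$map_file.bak" > "$map_file"
    # Read the attribute back so the caller can confirm the edit took effect
    current_member_attr "$map_file"
}

# Restart the client daemon only where the AIX command exists; elsewhere
# (for example on a build host running this example) just say what would run.
restart_client() {
    if command -v restart-secldapclntd >/dev/null 2>&1; then
        restart-secldapclntd
    else
        echo "would run: restart-secldapclntd (not available on this host)"
    fi
}

write_sample_map
set_member_attr "$MAP" memberUid
restart_client
```

Point MAP at the real mapping file to use this on an AIX host; the .bak copy gives you a way back if the daemon rejects the new mapping.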