LDAP Attribute-Mapping File Format

Purpose

An LDAP attribute-mapping file defines how AIX attributes map to LDAP directory attributes. This allows the system to translate between local naming conventions and the attribute names of the LDAP schema.

Description

The map files are used by the /usr/lib/security/LDAP module and the secldapclntd daemon to convert AIX attribute names to LDAP attribute names. Each entry in a mapping file represents the conversion for one attribute. An entry has five space-separated fields, optionally followed by a sixth, TO_BE_CACHED, which is described in the table:
AIX_Attribute_Name AIX_Attribute_Type LDAP_Attribute_Name LDAP_Value_Type LDAP_Value_Unit [TO_BE_CACHED]
Table 1. Attributes
AIX_Attribute_Name
    Specifies the AIX attribute name.
AIX_Attribute_Type
    Specifies the AIX attribute type. The valid values are SEC_CHAR, SEC_INT, SEC_LIST, and SEC_BOOL.
LDAP_Attribute_Name
    Specifies the LDAP attribute name.
LDAP_Value_Type
    Specifies the LDAP value type. The valid values are s for a single value and m for multiple values.
LDAP_Value_Unit
    Specifies the unit of the LDAP value for some attributes.
      • The following values are available for the maxage, minage, maxexpires, and pwdwarntime attributes:
        • Seconds
        • Minutes
        • Hours
        • Days
        • Weeks
        • Months
        • Years
      • The following values are available for the cpu, cpu_hard, fsize, fsize_hard, rss, rss_hard, stack, and stack_hard attributes:
        • bytes
        • 512-byte blocks
        • Kb
        • megabytes
        • gigabytes
      • The following values are available for the lastupdate attribute:
        • Coordinated Universal Time (UTC) recorded in 100-nanosecond intervals since 1 January 1601.
          Note: Microsoft Active Directory Server attributes such as pwdLastSet store values only in the Coordinated Universal Time unit; these attribute values do not support other units.
        • Generalized Time syntax (GTS) recorded in YYYYMMDDHHMMSSZ format, which ends with the Zulu indicator (Z).
          Note: The krbLastPwdChange attribute in the FreeIPA server uses GTS in YYYYMMDDHHMMSSZ format.
    For all other attributes, and wherever unit mapping is not required, the value is N/A.
TO_BE_CACHED
    Specifies whether this attribute is to be cached. The valid values are yes and no. The default value is yes.

Files

AIX includes the following sets of attribute-mapping files in the /etc/security/ldap directory:

The following attribute mappings are defined for the AIX-specific schema:
Table 2. Attribute mapping
Item               Description
aixuser.map        Specifies the mapping for the aixAccount object class.
aixgroup.map       Specifies the mapping for the aixAccessGroup object class.
aixid.map          Specifies the mapping for the aixAdmin object class.
The following attribute mappings are defined for nisSchema (RFC 2307):
Table 3. Attribute mapping - nisSchema
Item               Description
2307user.map       Specifies the mapping for the posixAccount object class.
2307group.map      Specifies the mapping for the posixGroup object class.
The following attribute mappings are defined for nisSchema with AIX extensions:
Table 4. Attribute mapping
Item               Description
2307aixuser.map    Specifies the mapping for the posixAccount object class and the aixAuxAccount object class.
2307aixgroup.map   Specifies the mapping for the posixGroup object class and the aixAuxGroup object class.
The following attribute mappings are defined for Active Directory with Services for UNIX (SFU):
Table 5. Attribute mapping
Item               Description
sfu30user.map      Specifies the mapping for the user object class.
sfu30group.map     Specifies the mapping for the group object class.
The following attribute mappings are defined for Active Directory with the Windows 2003 R2 schema:
Table 6. Attribute mapping
Item               Description
sfur2user.map      Specifies the mapping for the user object class.
sfur2group.map     Specifies the mapping for the group object class.
The following attribute mappings are defined for Active Directory without the SFU plug-in:
Table 7. Attribute mapping
Item               Description
msadnosfuuser.map  Specifies the mapping for the user object class.
msadnosfugroup.map Specifies the mapping for the group object class.

During LDAP client configuration, the mksecldap command automatically detects the server type and selects the corresponding mapping files. If the schema that the LDAP server uses is not covered by the mapping files in the /etc/security/ldap directory, configure the LDAP client manually by creating your own set of mapping files, and edit the /etc/security/ldap.cfg file so that it uses them.

The user and group maps might contain an entry that designates the required object class that each user or group must have. This object class is used in the filter for searches done on user or group entries. For example, the following are the default keyobjectclass entries in the 2307aixuser.map and 2307aixgroup.map files.

2307aixuser.map:
        keyobjectclass  SEC_CHAR        posixaccount    s  na   yes
2307aixgroup.map:
        keyobjectclass  SEC_CHAR        posixgroup      s  na   yes
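The following is an added example, not code from AIX or the secldapclntd daemon, that parses entries in the five-plus-one field layout described above and shows how the keyobjectclass entry combines with the mapped user-name attribute in a search filter. The sample map, the handling of "#" comment lines, the "username" AIX attribute name and the unit spellings ("days", "utc") are assumptions for this example; the filter value escaping follows RFC 4515 so that a caller-supplied name cannot change the filter's structure.

```python
"""Parse AIX-style LDAP attribute-mapping entries and build a user-search filter.

Added example; this is not code from AIX or the secldapclntd daemon.  The field
layout follows the format described above; the sample map below, the '#'
comment handling and the unit spellings are assumptions for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

AIX_TYPES = {"SEC_CHAR", "SEC_INT", "SEC_LIST", "SEC_BOOL"}
LDAP_VALUE_TYPES = {"s", "m"}          # s = single value, m = multi-value
NO_UNIT = {"na", "n/a"}                # "na" as in the keyobjectclass entries above


@dataclass(frozen=True)
class MapEntry:
    aix_name: str
    aix_type: str
    ldap_name: str
    value_type: str
    unit: Optional[str]                # None when no unit mapping is required
    cached: bool                       # TO_BE_CACHED; defaults to yes


def parse_entry(line: str) -> MapEntry:
    """Parse one mapping line: five required fields plus an optional TO_BE_CACHED."""
    fields = line.split()
    if len(fields) not in (5, 6):
        raise ValueError(f"expected 5 or 6 fields, got {len(fields)}: {line!r}")
    aix_name, aix_type, ldap_name, value_type, unit = fields[:5]
    if aix_type not in AIX_TYPES:
        raise ValueError(f"{aix_name}: unknown AIX attribute type {aix_type}")
    if value_type not in LDAP_VALUE_TYPES:
        raise ValueError(f"{aix_name}: LDAP value type must be s or m, got {value_type}")
    cached = True
    if len(fields) == 6:
        flag = fields[5].lower()
        if flag not in ("yes", "no"):
            raise ValueError(f"{aix_name}: TO_BE_CACHED must be yes or no, got {fields[5]}")
        cached = flag == "yes"
    # LDAP attribute names are case-insensitive, so normalise them for lookups.
    return MapEntry(aix_name, aix_type, ldap_name.lower(), value_type,
                    None if unit.lower() in NO_UNIT else unit.lower(), cached)


def parse_map(text: str) -> Dict[str, MapEntry]:
    """Parse a whole map file keyed by AIX attribute name; blank and '#' lines are skipped."""
    entries: Dict[str, MapEntry] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        entry = parse_entry(line)
        if entry.aix_name in entries:
            raise ValueError(f"duplicate mapping for {entry.aix_name}")
        entries[entry.aix_name] = entry
    return entries


def cached_ldap_attributes(entries: Dict[str, MapEntry]) -> List[str]:
    """LDAP attributes the client keeps cached; keyobjectclass is a filter term, not an attribute."""
    return sorted(e.ldap_name for e in entries.values()
                  if e.cached and e.aix_name != "keyobjectclass")


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 rules)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def user_search_filter(entries: Dict[str, MapEntry], username: str) -> str:
    """AND the required object class from keyobjectclass with the mapped user-name attribute."""
    key_class = entries["keyobjectclass"].ldap_name
    name_attr = entries["username"].ldap_name
    return f"(&(objectclass={key_class})({name_attr}={escape_filter_value(username)}))"


# Constructed sample in the style of 2307aixuser.map; not the file AIX ships.
SAMPLE_USER_MAP = """\
# constructed sample map
keyobjectclass  SEC_CHAR  posixaccount   s  na    yes
username        SEC_CHAR  uid            s  na    yes
id              SEC_INT   uidnumber      s  na    yes
pgrp            SEC_CHAR  gidnumber      s  na    yes
home            SEC_CHAR  homedirectory  s  na    yes
shell           SEC_CHAR  loginshell     s  na    yes
maxage          SEC_INT   shadowmax      s  days  no
groups          SEC_LIST  memberof       m  na    no
"""

if __name__ == "__main__":
    user_map = parse_map(SAMPLE_USER_MAP)
    for name, entry in user_map.items():
        print(f"{name:15} -> {entry.ldap_name:15} unit={entry.unit} cached={entry.cached}")
    print(cached_ldap_attributes(user_map))
    print(user_search_filter(user_map, "alice"))
    print(user_search_filter(user_map, "*)(uid=*"))   # metacharacters are escaped, not interpreted
```

Running the block prints each mapping with its unit and cache flag, then the search filter for a normal name and for a name containing filter metacharacters; the second shows why a client that builds filters from mapped attributes must escape the value rather than splice it in.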

The aixid.map file contains the attribute mappings for user and group IDs. These IDs are used when you create a new LDAP user or group with the mkuser or mkgroup command.