# cat /etc/security/ldap/sfur2user.map
LDAPA only uses the user map file, but the group map file must also be specified in ldap.cfg; otherwise secldapclntd will not start.
Look at the user map file and note the “username” entry. In sfur2user.map the username entry looks like this:
username SEC_CHAR uid s na yes
This tells AIX to look for a “uid” attribute on the LDAP server and use its value as the AIX user name. Following Steps 3 and 4 above, this needs to change from “uid” to “sAMAccountName”, which is the attribute Active Directory uses for the logon name.
Edit the custom user map file – which is myuser.map in this example – and change the username entry to this:
username SEC_CHAR sAMAccountName s na yes
One thing to note is that shadowLastChange stores its value as a number of days since the Unix epoch (1970-01-01 UTC):
shadowlastchange: 17971
whereas pwdLastSet stores its value as a count of 100-nanosecond intervals since January 1, 1601 (UTC):
pwdLastSet: 132076930680413464
Because of that difference, the mapping for lastupdate → pwdLastSet must use 'UTC' as the unit rather than 'na', so that the value is converted instead of being copied through as-is:
lastupdate SEC_INT pwdLastSet s UTC yes
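To see why the unit matters, here is an added example (not from the original page) that converts between the two representations using the two sample values above, and a small lint that flags a pwdLastSet mapping whose unit is not UTC. The field names for positions 4 to 6 of a map entry (value type, unit, flag) are this example's reading of the entries shown on the page, not documented AIX terminology; the "must change at next logon" meaning of pwdLastSet = 0 is standard Active Directory behaviour.

```python
"""pwdLastSet (Windows FILETIME) vs. shadowLastChange (days since the Unix epoch).

Added example for the map-file discussion; not part of the original page.
"""
from datetime import datetime, timezone
from typing import Optional

# Seconds between the FILETIME epoch (1601-01-01 00:00 UTC) and the Unix epoch
# (1970-01-01 00:00 UTC): 369 years, 89 of them leap years, i.e. 134774 days.
FILETIME_TO_UNIX_OFFSET = 11_644_473_600
TICKS_PER_SECOND = 10_000_000  # FILETIME counts 100-nanosecond intervals
SECONDS_PER_DAY = 86_400

# Sample values taken from the page.
SAMPLE_PWDLASTSET = 132076930680413464
SAMPLE_SHADOWLASTCHANGE = 17971


def pwdlastset_to_unix(pwd_last_set: int) -> Optional[int]:
    """AD pwdLastSet -> Unix seconds. 0 means 'must change at next logon' -> None."""
    if pwd_last_set < 0:
        raise ValueError("pwdLastSet must be non-negative")
    if pwd_last_set == 0:
        return None
    return pwd_last_set // TICKS_PER_SECOND - FILETIME_TO_UNIX_OFFSET


def unix_to_pwdlastset(unix_seconds: int) -> int:
    """Unix seconds -> pwdLastSet ticks (whole seconds only, sub-second ticks are 0)."""
    return (unix_seconds + FILETIME_TO_UNIX_OFFSET) * TICKS_PER_SECOND


def shadowlastchange_to_unix(days: int) -> int:
    """shadowLastChange (days since the Unix epoch) -> Unix seconds at 00:00 UTC."""
    return days * SECONDS_PER_DAY


def pwdlastset_to_shadowlastchange(pwd_last_set: int) -> Optional[int]:
    """The same instant expressed in shadowLastChange units (days since the Unix epoch)."""
    unix = pwdlastset_to_unix(pwd_last_set)
    return None if unix is None else unix // SECONDS_PER_DAY


def iso_utc(unix_seconds: int) -> str:
    """Render Unix seconds as an ISO-8601 UTC timestamp for human checking."""
    return datetime.fromtimestamp(unix_seconds, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def password_expired(pwd_last_set: int, max_age_days: int, now_unix: int) -> bool:
    """True when the password is older than max_age_days or must be changed at next logon."""
    last_set = pwdlastset_to_unix(pwd_last_set)
    if last_set is None:
        return True
    return (now_unix - last_set) // SECONDS_PER_DAY > max_age_days


def check_map_entry(line: str) -> str:
    """Lint one user map entry: AIX attr, AIX type, LDAP attr, s/m, unit, flag.

    Returns 'ok' or a description of the problem. Only the pwdLastSet unit rule
    from the page is enforced; the field layout is inferred from the page's entries.
    """
    fields = line.split()
    if len(fields) < 6:
        return "malformed: expected 6 whitespace-separated fields"
    aix_attr, aix_type, ldap_attr, _value_type, unit, _flag = fields[:6]
    if ldap_attr == "pwdLastSet" and unit != "UTC":
        return f"{aix_attr}: pwdLastSet is a FILETIME value, unit must be UTC (got {unit})"
    if ldap_attr == "pwdLastSet" and aix_type != "SEC_INT":
        return f"{aix_attr}: pwdLastSet should be mapped as SEC_INT (got {aix_type})"
    return "ok"


if __name__ == "__main__":
    unix = pwdlastset_to_unix(SAMPLE_PWDLASTSET)
    print(f"pwdLastSet {SAMPLE_PWDLASTSET} -> {unix} -> {iso_utc(unix)}")
    print(f"  as shadowLastChange days: {pwdlastset_to_shadowlastchange(SAMPLE_PWDLASTSET)}")
    shadow_unix = shadowlastchange_to_unix(SAMPLE_SHADOWLASTCHANGE)
    print(f"shadowLastChange {SAMPLE_SHADOWLASTCHANGE} -> {shadow_unix} -> {iso_utc(shadow_unix)}")
    for entry in ("lastupdate SEC_INT pwdLastSet s na yes",
                  "lastupdate SEC_INT pwdLastSet s UTC yes"):
        print(f"{entry!r}: {check_map_entry(entry)}")
```

The two sample values on the page decode to 2019-07-15T19:37:48Z (pwdLastSet) and 2019-03-16 (shadowLastChange); a raw pwdLastSet copied into lastupdate with unit 'na' would be treated as seconds and land hundreds of millions of years in the future, which is exactly the mistake the UTC unit prevents.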
In some cases a user’s AIX user name (the value AIX takes from the AD uid attribute) might not match their sAMAccountName in AD. If so, add the following line to /etc/security/ldap/sfur2user.map so that those users can still change their password using Kerberos:
auth_name SEC_CHAR sAMAccountName s na yes