pam.mapuser.username

This configuration parameter maps a local UNIX user account to an Active Directory account. Local user mapping allows you to set password policies in Active Directory even when a local UNIX account is used to log in. This parameter is most commonly used to map local system or application service accounts to an Active Directory account and password, but it can be used for any local user account. For more information about mapping local accounts to Active Directory users, see “Mapping local UNIX accounts to Active Directory in the Administrator’s Guide.

In most cases, you set this configuration parameter using group policy. You can, however, set it manually in the configuration file if you are not using group policy or want to temporarily override group policy.

If you are manually setting this parameter, you should note that the local account name you want to map to Active Directory is specified as the last portion of the configuration parameter name. The parameter value is the Active Directory account name for the specified local user. For example, the following parameter maps the local UNIX account oracle to the Active Directory account oracle_storm@acme.com if the host computer’s name is storm:

pam.mapuser.oracle: oracle_$HOSTNAME@acme.com

You can specify the user name in the configuration file with any of the following valid formats:

  • Standard Windows format: domain\user_name
  • Universal Principal Name (UPN): user_name@domain
  • Alternate UPN: alt_user_name@alt_domain
  • UNIX user name: user

You must include the domain name in the format if the user account is not in the local computer’s current Active Directory domain.

If this parameter is not defined in the configuration file, no local UNIX user accounts are mapped to Active Directory accounts.