Group attributes in classic Centrify zones

A group extension object is a serviceConnectionPoint object that is created in the Groups sub-container of the zone. The pseudo‑attributes for this object are stored in the keywords attribute.

Group attribute Stored in Active Directory attribute

UnixName

name:GroupName

For SCP objects, the Name attribute is the same as the CN attribute. Either attribute can be set, but attribute use should be consistent with other objects.

For example:

name:performx

GroupVersion

displayName:GroupVersion

This attribute determines compatibility between a group profile object and the Access manager console. The only valid value for this attribute is $CimsGroupVersion3.

For example:

displayName:$CimsGroupVersion3

ParentLink

managedBy:DN_ActiveDirectoryGroup

If the zone is a 2.x and 3.x compatible zone, you should set this attribute to the DN of the parent Active Directory group object.

For example:

managedBy: cn=interns,cn=users,dc=ice,dc=net

If the zone does not need to be compatible with older versions of Centrify software, you can use the keywords attribute and parentLink pseudo‑attribute to specify the security identifier (SID) of the parent Active Directory group object.

For example:

keywords:parentLink:S-n-n-nn-nnn..

Gid

gid:value

For example:

keywords:gid:458

UnixEnabled

This attribute is only applicable in classic 4.x zones.

ForeignForest

Not supported in 3.x or 4.x.