User attributes in hierarchical zones

A user extension object is a serviceConnectionPoint object that is created in the Users sub-container of the zone. The pseudo‑attributes for this object are stored in the keywords attribute.

| User attribute | Stored in Active Directory attribute | Inherited |
| --- | --- | --- |
| cn | sAMAccountName@domain.name[:N] | No |
| objectType | displayName=$CimsUserVersion4 | No |
| Name | keywords:login:name (for example, keywords:login:cain) | Yes |
| Uid | keywords:uid:value (for example, keywords:uid:458) | Yes |
| Gid | keywords:gid:value (for example, keywords:gid:458) | Yes |
| Home | keywords:home:value (for example, keywords:home:/home/shea) | Yes |
| Shell | keywords:shell:value (for example, keywords:shell:/bin/bash) | Yes |
| Gecos | gecos:value (for example, gecos:%{u:displayName}) | Yes |
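
The following added example (not part of the product or its documentation) parses the keywords values of several user extension objects and reports accounts mapped to uid 0, UIDs shared by more than one object, and fields that are not set on the object. It assumes the values have already been read from Active Directory as plain strings such as uid:458, that the gecos entry sits in the same list, and that a field with no entry is inherited from elsewhere in the zone hierarchy; the object names and values are constructed.

```python
from collections import defaultdict

# Pseudo-attributes the table above marks as inherited (login is the Name row).
INHERITABLE = ("login", "uid", "gid", "home", "shell", "gecos")


def parse_keywords(values):
    """Turn values such as 'uid:458' into a profile; no entry -> None."""
    profile = dict.fromkeys(INHERITABLE)
    for entry in values:
        # Split on the first colon only: values such as %{u:displayName}
        # contain colons of their own.
        name, sep, value = entry.partition(":")
        if sep and name in profile:
            profile[name] = value
    return profile


def audit_zone(objects):
    """objects maps each user extension cn to its list of keywords values."""
    findings, by_uid = [], defaultdict(list)
    for cn, values in sorted(objects.items()):
        profile = parse_keywords(values)
        # Assumption: a field with no entry here is inherited, not missing.
        unset = [n for n in INHERITABLE if profile[n] is None]
        if unset:
            findings.append(f"{cn}: not set here (inherited): {', '.join(unset)}")
        if profile["uid"] is not None:
            by_uid[profile["uid"]].append(cn)
            if profile["uid"] == "0":
                findings.append(f"{cn}: uid 0 maps this account to root")
    for uid, cns in sorted(by_uid.items()):
        if len(cns) > 1:
            findings.append(f"uid {uid} shared by {', '.join(cns)}")
    return findings


# Constructed sample data, not taken from a real directory.
SAMPLE = {
    "cain@example.test": ["login:cain", "uid:458", "gid:458",
                          "home:/home/cain", "shell:/bin/bash",
                          "gecos:%{u:displayName}"],
    "shea@example.test": ["uid:458", "home:/home/shea"],
    "ops@example.test:2": ["login:ops", "uid:0", "gid:0",
                           "home:/root", "shell:/bin/ksh", "gecos:Ops"],
}

if __name__ == "__main__":
    print("\n".join(audit_zone(SAMPLE)))
```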

User and group extended attributes are specific to a particular computer and can be set on a per-user or per-group basis. The format for extended attributes depends on the format required for a particular operating system. Currently, only AIX extended attributes are supported.

Each attribute name starts with a prefix that indicates the operating system to which it applies (for example, aix.) and is followed by the attribute name. The valid values for each attribute depend on the attribute type, and can be a string, number or Boolean value. Attributes that support multiple values are specified with separate name‑value pairs.

The specific user and group extended attributes that are available for you to set depend on the version of the operating system running on the computer where the attributes are used. For detailed information about the extended attributes available and valid values on a specific version of the AIX operating system, see your AIX documentation.

The following table lists some of the most commonly-used user extended attributes for illustration purposes. It does not represent the complete list of user and group extended attributes that might be available on any given version of the operating system.

| Extended attribute | Description |
| --- | --- |
| aix.admin | Specifies the administrative status of the user as true or false. |
| aix.admgroups | Lists the groups that the user administers as a comma-separated list of group names. |
| aix.daemon | Specifies whether the user can execute programs using the cron daemon or the system resource controller (src). |
| aix.rlogin | Specifies whether the user account can be logged into remotely using telnet or rlogin. |
| aix.su | Indicates whether other users can switch to the user account with the su command. |
| aix.sugroups | Lists the groups that can switch to the user account as a comma-separated list of group names. |
| aix.tpath | Indicates the user's trusted path status. |
| aix.ttys | Lists the terminals that can access the account as a comma-separated list of full path names, or using ALL to indicate all terminals. |
| aix.fsize | Sets the soft limit for the largest file a user's process can create or extend, or a value of -1 to specify unlimited for this attribute. |
| aix.core | Sets the soft limit for the largest core file a user's process can create, or a value of -1 to specify unlimited for this attribute. |
| aix.cpu | Sets the soft limit for the maximum number of seconds of system time that a user's process can use, or a value of -1 to specify unlimited for this attribute. |
| aix.data | Sets the soft limit for the size of a user's data segment, or a value of -1 to specify unlimited for this attribute. |
| aix.rss | Sets the soft limit for the largest amount of physical memory a user's process can allocate, or a value of -1 to specify unlimited for this attribute. |
| aix.stack | Sets the soft limit for the largest process stack segment for a user's process, or a value of -1 to specify unlimited for this attribute. |
| aix.nofiles | Sets the soft limit for the number of file descriptors a user process can have open at one time, or a value of -1 to specify unlimited for this attribute. |
| aix.umask | Determines file permissions for the user using a three-digit octal value such as 022. |