Zone attributes in standard hierarchical zones

The zone object class is stored as a container object. The common name (cn) of the object must be set to the zone name. Most of the other attributes for a zone are stored as pseudo‑attributes using the Active Directory description attribute. The following table summarizes how zone attributes are stored in Active Directory for hierarchical Centrify zones.

| Zone attribute | Stored in Active Directory attribute | Inherited |
|---|---|---|
| ZoneName | cn:ZoneName (for example, cn:global) | No |
| Description | description:description:value (for example, description:description:Pilot-NA) | No |
| AvailableShells | description:availableshells:shell1:shell2 (for example, description:availableshells:/bin/sh) | Yes |
| DefaultShell | description:defaultshell:value or description:defaultshell:%{shell} (for example, description:defaultshell:/bin/bash) | Yes |
| DefaultHomeDirectory | description:defaulthome:value or description:defaulthome:%{home}/%{user} (for example, description:defaulthome:/nfs/jsmith) | Yes |
| UserDefaultGecos | description:defaultgecos:${u:cn} (for example, description:defaultgecos:${u:upn}) | Yes |
| customVariable | description:%variablename:value, one for each variable (for example, description:%admin:sAMAccountName) | Yes |
| ReservedUids | description:uidreserved:value (for example, description:uidreserved:0-99:501). This attribute can be a multi-valued list, using a colon as the separator. Values can be individual numbers or a range of numbers separated with a dash character (-). | Yes |
| ReservedGids | description:gidreserved:value (for example, description:gidreserved:1000-2500). This attribute has the same format as the reserveduids attribute. | Yes |
| UserDefaultUid | description:defaultuid:value (for example, description:defaultuid:${autosid}). Set value to ${uidnext} to use the zone’s cram attribute uidnext. The cram attribute is where the key-value pairs ("name:value") are stored. Set value to ${autosid} to generate the UID from the domain SID and user RID. | Yes |
| DefaultGroup | description:defaultgid:value (for example, description:defaultgid:12098). Set value to -1 to use private groups. | Yes |
| UserDefaultName | description:username:${u:sAMAccountName} | Yes |
| UserDefaultRole | description:defaultrole:role-name | Yes |
| GroupDefaultGid | description:defaultgroupgid:value (for example, description:defaultgid:${autosid}). Set value to ${gidnext} to use the zone’s cram attribute gidnext in classic zones. Set value to ${autosid} to generate the GID from the domain SID and group RID in hierarchical zones. | Yes |
| GroupDefaultName | description:groupname:${g:CN} | Yes |
| NISDomain | description:nisdomain:name | Yes |
| Schema | description:schema:name (for example, description:schema:CDC_GENERIC). Possible values are: CDC_RFC_2307 (for a classic RFC 2307 zone), CDC_GENERIC (for a classic Centrify zone), SFU_3_0 (for a classic SFU-compliant R2 schema zone), SFU_3_0V1 (for a classic SFU-compliant zone). | No |
| AgentlessAttribute | description:pwsync:attributeName (for example, description:pwsync:msSFU30Password) | Yes |
| Licenses | description:license:guid | Yes |
| SFUDomain | description:alternateDomain:domain.name. This is a multi-value attribute. Multi-value attributes are possible because the keyword and value are combined, making each line of the description-keyword string unique. | Yes |
| Parent | description:parentLink:MS-GUID@DOMAIN.NAME. For example: samAccountName@domain.name[:N]: "joe@ajax.com" | No |
| objectType | displayName=$CimsZoneVersionnumber, where the zone version number can be $CimsUserVersion4 for a Centrify zone or $CimsUserVersion5 for a RFC 2307 zone | No |
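
When auditing a zone object, the pseudo-attributes in the table can be read back into a structure and the reserved UID/GID ranges checked. The following is an added example, not Centrify code: it assumes each value of the description attribute is the keyword:value string shown after the description: prefix in the table, and the function names and sample values are constructed for illustration.

```python
# Added example: parse the "keyword:value" strings stored in a hierarchical
# zone's multi-valued description attribute (layout as given in the table).
LIST_KEYS = {"availableshells"}               # colon-separated list of values
RANGE_KEYS = {"uidreserved", "gidreserved"}   # single numbers or lo-hi ranges
MULTI_KEYS = {"alternateDomain"}              # keyword may appear more than once


def parse_ranges(text):
    """'0-99:501' -> [(0, 99), (501, 501)]; raises ValueError if malformed."""
    ranges = []
    for item in text.split(":"):
        lo, _, hi = item.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def parse_zone_description(values):
    """values: strings read from the zone object's description attribute."""
    zone = {"variables": {}}
    for raw in values:
        # Split on the first colon only: values such as ${u:cn} contain colons.
        key, sep, value = raw.partition(":")
        if not sep:
            continue  # not a keyword:value pseudo-attribute
        if key.startswith("%"):
            zone["variables"][key[1:]] = value   # customVariable entry
        elif key in RANGE_KEYS:
            zone[key] = parse_ranges(value)
        elif key in LIST_KEYS:
            zone[key] = value.split(":")
        elif key in MULTI_KEYS:
            zone.setdefault(key, []).append(value)
        else:
            zone[key] = value
    return zone


def is_reserved(number, ranges):
    """True if a UID or GID falls inside any reserved range."""
    return any(lo <= number <= hi for lo, hi in ranges)


# Constructed sample values modelled on the examples in the table.
SAMPLE = [
    "description:Pilot-NA", "availableshells:/bin/sh:/bin/bash",
    "defaultgecos:${u:cn}", "%admin:sAMAccountName", "uidreserved:0-99:501",
    "alternateDomain:a.example.com", "alternateDomain:b.example.com",
]
```
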