
KB-2042: How to set GECOS attribute in Centrify

Authentication Service

12 April,16 at 11:07 AM

Applies to:
All versions of Centrify DirectControl 4.4.3 and above
This configuration parameter specifies the Active Directory user object attribute to use for the GECOS field. The default value for this parameter is the gecos attribute in the Active Directory RFC2307 schema.
If this configuration parameter is set, the user attribute it specifies is used for the GECOS field in UNIX profiles and NSS lookups. If this configuration parameter is not defined or the Active Directory RFC2307 schema is not used, the user object’s displayName attribute is used as the GECOS field for UNIX profiles. If you set this configuration parameter, the parameter value is case-sensitive and must exactly match the case used for the attribute name in Active Directory. 
For example:
nss.gecos.attribute: displayName
How does this work? After making the GECOS attribute change in ADSIedit, the changes do not go into effect until Centrify is restarted. Is there any reason?
In the current code (4.4.3), the parameters below
nss.gecos.attribute: <attr>
adclient.custom.attributes.user: <attr>
allow the customer to specify any string attribute from the AD user object to be used as GECOS. However, the string attribute can only come from the AD user object. There is no such support for the service-connection-point record that we use to represent the zone-enabled user.
Please follow the below steps:
1) On the Centrify UNIX server where the desired GECOS field is needed, navigate to /etc/centrifydc and remove any attributes that you may have set for the following:
a) nss.gecos.attribute: <attr>
b) adclient.custom.attributes.user: <attr>
(Note: If the AD user "gecos" attribute is set and not empty, it is the default. Only when this attribute is NOT set does Centrify go down the sequence and try the next one, which is displayName.)
2) Use Microsoft's ADSIedit tool to locate the (real) user object and set the gecos attribute to what you want.
3) On the Centrify UNIX server, run adreload and adflush -f, and restart Centrify.
Then run adquery user <user> to see if the GECOS is correct.
"gecos" is an RFC2307 attribute that is part of the W2008R2 schema, so it will see this attribute.
Note: Future releases of the software will ensure that the attribute list is refreshed after adreload, requiring no restart of Centrify.
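The following is an added example, not Centrify tooling or code from this KB: a shell check for step 1 that reports whether either parameter is still active in a config file and flags a value that differs from gecos or displayName only by case. The function names are hypothetical, the config file path is passed as an argument (the article names only the /etc/centrifydc directory), and reporting the last active occurrence of a key is an assumption.

```shell
#!/bin/sh
# Added example: audit a Centrify-style "key: value" config file for the
# GECOS parameters named in this article. Function names are hypothetical.

# Print the value of the last active (uncommented) "key: value" line.
conf_value() {  # $1 = key, $2 = config file
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        {
            i = index($0, ":"); if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$2"
}

# Step 1 check: succeeds only if neither parameter is still set.
step1_clean() {  # $1 = config file
    [ -z "$(conf_value nss.gecos.attribute "$1")" ] &&
        [ -z "$(conf_value adclient.custom.attributes.user "$1")" ]
}

# Report which AD attribute feeds GECOS. "default" means the article's
# fallback order applies: gecos if populated, otherwise displayName.
gecos_source() {  # $1 = config file
    attr=$(conf_value nss.gecos.attribute "$1")
    [ -n "$attr" ] || { echo "default"; return 0; }
    lc=$(printf '%s' "$attr" | tr '[:upper:]' '[:lower:]')
    for known in gecos displayName; do
        if [ "$lc" = "$(printf '%s' "$known" | tr '[:upper:]' '[:lower:]')" ] &&
            [ "$attr" != "$known" ]; then
            echo "case-mismatch:$attr:$known"; return 1
        fi
    done
    echo "override:$attr"
}

# Constructed sample config (not taken from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# nss.gecos.attribute: gecos
nss.gecos.attribute: displayname
adclient.custom.attributes.user: displayname
EOF
step1_clean "$sample" || echo "step 1 incomplete: overrides still set"
gecos_source "$sample" || true
rm -f "$sample"
```

Run the functions against the host's own Centrify configuration file before step 3, then confirm the result with adquery user <user> as described above.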

For additional information on how to set custom attributes, please see the KB below.
KB-4834: How to set custom attributes in Centrify