[title]: # (SFU-Compliant Zones (3.5))
[tags]: # (windows api)
[priority]: # (1)
Classic SFU-Compliant Zones (version 3.5)
If you have the Microsoft Services for UNIX (SFU) schema extension installed, you have the option of using SFU-compliant zones for storing data. With SFU-compliant zones, UNIX-specific attributes for users and groups are stored in the actual Active Directory user and Active Directory group objects, using attributes in the Microsoft Services for UNIX (SFU) schema extension.
Unlike standard IBM Security zones, where a single Active Directory user can have multiple UNIX profiles, a single Active Directory user can only exist in one SFU zone because there is only one set of attributes in the Active Directory user object. A single user can, however, be in any number of IBM Security zones and zero or one SFU zone.
The structure of the zone and its sub-containers is the same as the classic IBM Security zone layout, with each zone stored as a separate tree in the directory and sub-containers for the Users, Groups, and Computers in each zone, but only the Computers sub-container is used.
Unlike classic IBM Security zones, in which UNIX attributes are stored in the `serviceConnectionPoint` objects, the SFU zones store UNIX attributes in the User and Group objects and use attributes provided by the SFU schema extension.
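
Because an SFU zone keeps the single UNIX profile on the user object itself, an export of the user objects is enough to review every profile. The sketch below is an added example, not code from the product documentation: it parses a constructed LDIF export and flags UID 0 and UIDs shared by several users. The `msSFU30*` attribute names come from the SFU 3.0 schema and are an assumption here, since the page does not list them; the DNs, values and the grouping by NIS domain are also assumptions of the example.

```python
from collections import defaultdict

# Constructed sample export (simple LDIF, no folded or base64 lines).
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=test
msSFU30NisDomain: example
msSFU30UidNumber: 10001
msSFU30GidNumber: 10000

dn: CN=bob,CN=Users,DC=example,DC=test
msSFU30NisDomain: example
msSFU30UidNumber: 0
msSFU30GidNumber: 10000

dn: CN=carol,CN=Users,DC=example,DC=test
msSFU30NisDomain: example
msSFU30UidNumber: 10001
msSFU30GidNumber: 10000

dn: CN=dave,CN=Users,DC=example,DC=test
"""

# Attribute names assumed from the SFU 3.0 schema (not listed on the page).
SFU = ("msSFU30NisDomain", "msSFU30UidNumber", "msSFU30GidNumber")

def parse_entries(ldif):
    """Split the export into one attribute dict per object (single-valued only)."""
    return [dict(line.split(": ", 1) for line in block.splitlines())
            for block in ldif.strip().split("\n\n")]

def sfu_profiles(entries):
    """Return {dn: (nis_domain, uid, gid)} for objects carrying the full SFU set."""
    return {e["dn"]: (e[SFU[0]], int(e[SFU[1]]), int(e[SFU[2]]))
            for e in entries if all(a in e for a in SFU)}

def audit(profiles):
    """Flag UID 0 and any UID held by more than one user in the same NIS domain."""
    by_uid = defaultdict(list)
    for dn, (domain, uid, _gid) in profiles.items():
        by_uid[(domain, uid)].append(dn)
    findings = [("uid0", dns) for (_, uid), dns in by_uid.items() if uid == 0]
    findings += [("duplicate", sorted(dns)) for dns in by_uid.values() if len(dns) > 1]
    return findings
```

A user object with no SFU attributes, such as the last sample entry, has no profile and is skipped.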