Adding the LDAP or NIS primary group to supplemental groups
When a PowerScale cluster is connected to Active Directory and LDAP, a best practice is to add the LDAP primary group to the list of supplemental groups. This best practice lets OneFS honor group permissions on files created over NFS or migrated from other UNIX storage systems. Although the following examples cite LDAP, the same practice holds when a PowerScale cluster is connected to both Active Directory and NIS.
By default, OneFS leaves the LDAP primary group, which is named stand in the following examples, off the supplemental groups list:
isi auth mapping token --user york\\stand
User
Name: YORK\stand
UID: 100000
SID: S-1-5-21-1195855716-1269722693-1240286574-591111
ZID: 1
Zone: System
Privileges: -
Primary Group
Name: YORK\york_sh_udg
GID: 1000008
SID: S-1-5-21-1195855716-1269722693-1240286574-66133
Supplemental Identities
Name: YORK\sd-york space group
GID: 1000010
SID: S-1-5-21-1195855716-1269722693-1240286574-579109
Name: YORK\sd-york-group
GID: 1000011
SID: S-1-5-21-1195855716-1269722693-1240286574-475739
Name: YORK\sd-group
GID: 100001
SID: S-1-5-21-1195855716-1269722693-1240286574-169779
Name: YORK\domain users
GID: 1000009
SID: S-1-5-21-1195855716-1269722693-1240286574-513
Name: Users
GID: 1545
SID: S-1-5-32-545
Name: sd-group2
GID: 100002
SID: S-1-22-2-100002
Because OneFS does not, by default, add the LDAP primary group to the supplemental groups, you should create a rule to add it. The following join rule fully unites the identities of a user with accounts in Active Directory and LDAP:
*\* &= *
After you implement the rule, OneFS includes the LDAP primary group in the supplemental identities list. As the last entry demonstrates, the stand group now appears in the list:
isi auth mapping token --user york\\stand
User
Name: stand
UID: 100000
SID: S-1-5-21-1195855716-1269722693-1240286574-591111
ZID: 1
Zone: System
Privileges: -
Primary Group
Name: YORK\york_sh_udg
GID: 1000008
SID: S-1-5-21-1195855716-1269722693-1240286574-66133
Supplemental Identities
Name: YORK\sd-york space group
GID: 1000010
SID: S-1-5-21-1195855716-1269722693-1240286574-579109
Name: YORK\sd-york-group
GID: 1000011
SID: S-1-5-21-1195855716-1269722693-1240286574-475739
Name: YORK\sd-group
GID: 100001
SID: S-1-5-21-1195855716-1269722693-1240286574-169779
Name: YORK\domain users
GID: 1000009
SID: S-1-5-21-1195855716-1269722693-1240286574-513
Name: Users
GID: 1545
SID: S-1-5-32-545
Name: sd-group2
GID: 100002
SID: S-1-22-2-100002
Name: stand
GID: 100000
SID: S-1-22-2-100000
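To confirm that the rule took effect for a given user, the token output can be checked by script. The following is an added example, not part of the original documentation; it assumes the output layout shown in the listings above, and the names parse_token and supplemental_has_gid are hypothetical.

```python
# Added example: parse `isi auth mapping token` output and check for a GID.
# Assumes the section names and "Key: Value" layout shown on this page.
SECTIONS = ("User", "Primary Group", "Supplemental Identities")

def parse_token(text):
    """Return {'User': {...}, 'Primary Group': {...}, 'Supplemental Identities': [...]}."""
    token = {"User": {}, "Primary Group": {}, "Supplemental Identities": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()  # real output is indented; strip handles both forms
        if line in SECTIONS:
            section = line
            continue
        if section is None or ":" not in line:
            continue  # echoed command line or blank line
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if section == "Supplemental Identities":
            if key == "Name":  # each supplemental entry starts with Name
                token[section].append({})
            if token[section]:
                token[section][-1][key] = value
        else:
            token[section][key] = value
    return token

def supplemental_has_gid(token, gid):
    """True when the GID appears in the Supplemental Identities list."""
    return any(e.get("GID") == str(gid) for e in token["Supplemental Identities"])

# Sample output abbreviated from the two listings on this page.
BEFORE = r"""User
Name: YORK\stand
UID: 100000
Primary Group
Name: YORK\york_sh_udg
GID: 1000008
Supplemental Identities
Name: YORK\domain users
GID: 1000009
Name: sd-group2
GID: 100002
"""
# Abbreviated: only the appended LDAP primary group entry differs here.
AFTER = BEFORE + "Name: stand\nGID: 100000\nSID: S-1-22-2-100000\n"

if __name__ == "__main__":
    for label, text in (("before rule", BEFORE), ("after rule", AFTER)):
        print(label, supplemental_has_gid(parse_token(text), 100000))
```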