Since AIX will not dereference member=uid=someone,cn=accounts,... all other non primary groups get lost. In this case, using the standard 2307group.map and the compat tree for groups works as expected (all groups the user belongs to, are found). The userclasses parameter can be the default.

Author: Rui Miguel Silva Seabra

src/page/ConfiguringAixClients.rst

@@ -500,15 +500,6 @@ Under /etc/security/ldap create 2 new map files:
       spassword       SEC_CHAR        userpassword            s
       lastupdate      SEC_INT         shadowlastchange        s
 
-..
-
-::
-
-      #IPAgroup.map file
-      groupname       SEC_CHAR    cn                    s
-      id              SEC_INT     gidNumber             s
-      users           SEC_LIST    member                m
-
 ..
 
     | Change the /etc/security/ldap/ldap.cfg file and set the relevant options as follow.
@@ -518,12 +509,10 @@ Under /etc/security/ldap create 2 new map files:
 ::
 
    userbasedn:cn=users,cn=accounts,dc=example,dc=com
-   groupbasedn:cn=groups,cn=accounts,dc=example,dc=com
+   groupbasedn:cn=groups,cn=compat,dc=example,dc=com
 
    userattrmappath:/etc/security/ldap/IPAuser.map
-   groupattrmappath:/etc/security/ldap/IPAgroup.map
-
-   userclasses:posixaccount
+   groupattrmappath:/etc/security/ldap/2307group.map
 
 5. Start the ldap client daemon.