
Get objectSID from AD (LDAP)

brandonbollin
Active Participant
0 Likes
4,151

Fellow experts,
I'm trying to create a From LDAP pass, or maybe even use the uGetUserSid internal function, to get the objectSID attribute from a given entry in my target repository. I'm not having any success with uGetUserSid but I was able to bring something back on the From LDAP pass method. Problem is, when I pull up the results that show up in the SQL temp table, it's all mumbo-jumbo. The attribute is stored in LDAP as a binary attribute so what comes into IDM isn't the pretty looking S-1-5-21-xxxxxx-xxxxx format you see when you look at the attribute in an LDAP browser or ADUC.

I looked through my environment to see if there was an SAP supplied global script that would convert the binary format to text but alas, nothing. Any suggestions?
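The "mumbo-jumbo" in the temp table is the raw binary SID. Its layout is fixed: one revision byte, one byte holding the count of sub-authorities, a 6-byte big-endian identifier authority, then each sub-authority as a little-endian 32-bit integer. The decoder below is an added example, not a script from this thread, from SAP or from Inventy; it is written for a modern JavaScript engine (e.g. Node) rather than an older IDM script runtime, and it assumes the attribute arrives either as a byte array or as a hex string (a constructed sample SID is used for the demonstration).

```javascript
// Decode a binary Active Directory objectSID into "S-1-5-21-..." form.
// Added example; not part of the original thread or of SAP IDM.

// Accept hex in any common spelling ("0105...", "01 05 ...", "01:05:...").
function hexToBytes(hex) {
  const clean = hex.replace(/[^0-9a-fA-F]/g, '');
  if (clean.length % 2 !== 0) throw new Error('odd-length hex string');
  const out = new Uint8Array(clean.length / 2);
  for (let i = 0; i < out.length; i++) {
    out[i] = parseInt(clean.substr(i * 2, 2), 16);
  }
  return out;
}

function sidBytesToString(input) {
  // Assumption: input is a Buffer/Uint8Array/array of bytes or a hex string.
  const b = typeof input === 'string' ? hexToBytes(input) : Uint8Array.from(input);
  if (b.length < 8) throw new Error('SID too short: ' + b.length + ' bytes');

  const revision = b[0];      // always 1 for current SIDs
  const subCount = b[1];      // number of 32-bit sub-authorities that follow
  if (subCount > 15) throw new Error('implausible sub-authority count ' + subCount);
  if (b.length !== 8 + 4 * subCount) {
    throw new Error('length ' + b.length + ' does not match ' + subCount + ' sub-authorities');
  }

  // Identifier authority: 48-bit big-endian. 2^48 < 2^53, so a plain
  // Number stays exact; no BigInt needed.
  let authority = 0;
  for (let i = 2; i < 8; i++) authority = authority * 256 + b[i];

  const parts = ['S', revision, authority];
  for (let i = 0; i < subCount; i++) {
    const off = 8 + i * 4;
    // Little-endian 32-bit; ">>> 0" converts the signed OR result to unsigned.
    const sub = (b[off] | (b[off + 1] << 8) | (b[off + 2] << 16) | (b[off + 3] << 24)) >>> 0;
    parts.push(sub);
  }
  return parts.join('-');
}

// Constructed sample: the bytes of S-1-5-21-3623811015-3361044348-30300820-1013
// exactly as an LDAP client hands them back.
const SAMPLE_SID_HEX = '0105000000000005' + '15000000' + 'c7f7fed7' + '7c7755c8' + '945ace01' + 'f5030000';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(sidBytesToString(SAMPLE_SID_HEX));
}
```

The length check matters in practice: a truncated value (for example a column that was cut at 16 or 20 bytes on the way into the temp table) would otherwise decode to a SID that looks valid but belongs to no account.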

brandonbollin
Active Participant
0 Likes

With all respect and thanks to matt.pollicove, fellow Inventy team members were able to get a script to me that was developed for a different client that does the job. I need to make sure that it's not something proprietary that I'll get in trouble for posting but if I'm given the green light, I'll post the script.

former_member2987
Active Contributor

Thanks, Brandon. One thing I've learned is that when connecting to AD is the question, someone probably has either A) seen it before or B) knows an AD SysAdmin with the solution, and then it's just a matter of transposing into something our products can understand.

Looking forward to seeing what you folks have come up with. I'd also be interested in learning more about what the use case of why this attribute is so important. Always things to learn when it comes to how we use connected systems.

brandonbollin
Active Participant
0 Likes

The use case is simply that they want to use the SID as the account attribute in IDM. It's a unique, searchable attribute in AD and no matter the account's location in the OU structure, you can find the account via SID. Most companies I've worked with use the distinguishedName attribute and that's 90% OK to use but if an AD admin decided to move the account to another OU, that DN changes. SID will never change so IDM can never be detached from that account. That's the thinking anyway.
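Looking an account up by its SID means going the other way: the text form has to be turned back into the binary value and escaped for an LDAP filter, because a filter compares against the stored bytes, not against "S-1-5-21-...". The following is an added example (not code from this thread, from SAP or from Inventy) for a modern JavaScript engine; the sample SIDs and the filter attribute name `objectSid` are the only inputs it assumes.

```javascript
// Build an LDAP search filter that matches an AD account by its SID string.
// Added example; not part of the original thread or of SAP IDM.

function sidStringToBytes(sid) {
  // Revision, identifier authority, then one or more sub-authorities.
  const m = /^S-(\d+)-(\d+)((?:-\d+)+)$/i.exec(sid.trim());
  if (!m) throw new Error('not a SID string: ' + sid);
  const revision = Number(m[1]);
  let authority = Number(m[2]);
  const subs = m[3].slice(1).split('-').map(Number);
  if (subs.length > 15) throw new Error('too many sub-authorities');

  const out = new Uint8Array(8 + 4 * subs.length);
  out[0] = revision;
  out[1] = subs.length;
  // Identifier authority is 48-bit big-endian: fill bytes 7 down to 2.
  for (let i = 7; i >= 2; i--) {
    out[i] = authority % 256;
    authority = Math.floor(authority / 256);
  }
  // Each sub-authority is a little-endian 32-bit unsigned integer.
  subs.forEach((s, i) => {
    if (s > 0xffffffff) throw new Error('sub-authority out of range: ' + s);
    const off = 8 + 4 * i;
    out[off] = s & 0xff;
    out[off + 1] = (s >>> 8) & 0xff;
    out[off + 2] = (s >>> 16) & 0xff;
    out[off + 3] = (s >>> 24) & 0xff;
  });
  return out;
}

// RFC 4515 filters carry binary values as backslash-escaped hex pairs.
// Escaping every byte is always safe and avoids the special cases
// for '(', ')', '*', '\' and NUL.
function sidSearchFilter(sid) {
  const escaped = Array.from(sidStringToBytes(sid), b => '\\' + b.toString(16).padStart(2, '0'));
  return '(objectSid=' + escaped.join('') + ')';
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed sample SID for the demonstration.
  console.log(sidSearchFilter('S-1-5-21-3623811015-3361044348-30300820-1013'));
}
```

Because the filter is built from the parsed numeric fields rather than by pasting the user-supplied string into the filter, a malformed or hostile SID value is rejected by the parser instead of reaching the directory as filter syntax.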