Should we use ntSid or objectSID?
abartlet at samba.org
Wed Apr 30 08:46:41 GMT 2003
It has been brought to my attention that there is already an established
standard for storing SIDs - the 'objectSID' from Active Directory.
Using existing syntax is considered 'good form' in LDAP, so there are
very good reasons to use that, rather than ntSID.

The problem is, that format of the SID is a binary string - it's a real
pain to manipulate with text tools. (ntSID is simply a text string)

That said, moving closer to Active Directory attributes could be very
handy - we have other attribute naming clashes already, perhaps it is
time to get closer to that schema? Using an LDAP based IDMAP on an
Active Directory server is a very interesting idea.

The other option is slapi search rewriting - when it's an OpenLDAP
server, we can think that the database has one format, but the slapi
plugin rewrites it to another... But that won't help unless via proxy.

Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
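
The trade-off discussed in the message above, as an added example that is not part of the original post or of Samba's code: converting between the binary SID layout used by Active Directory's objectSID and the text form a string attribute would hold, plus the escaping a binary value needs inside an LDAP search filter. The function names and the sample SID are constructed for illustration.

```python
import struct

MAX_SUBAUTHS = 15  # upper bound on sub-authorities in a SID

def sid_to_str(raw: bytes) -> str:
    """Binary SID -> 'S-1-5-21-...' text form."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, count = raw[0], raw[1]
    if count > MAX_SUBAUTHS or len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match length")
    # Identifier authority: 48-bit big-endian (printed in decimal here).
    authority = int.from_bytes(raw[2:8], "big")
    # Sub-authorities: 32-bit little-endian each.
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def str_to_sid(text: str) -> bytes:
    """'S-1-5-21-...' text form -> binary SID."""
    parts = text.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > MAX_SUBAUTHS:
        raise ValueError("too many sub-authorities")
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def ldap_filter_value(raw: bytes) -> str:
    """Escape every byte as \\xx so a binary SID can sit in a search filter."""
    return "".join("\\%02x" % b for b in raw)

# Constructed sample: S-1-5-21-1000-2000-3000-513 in binary form.
SAMPLE = bytes.fromhex(
    "0105000000000005"  # revision 1, 5 sub-authorities, authority 5
    "15000000e8030000d0070000b80b000001020000"
)

if __name__ == "__main__":
    text = sid_to_str(SAMPLE)
    print(text)
    print("(objectSID=%s)" % ldap_filter_value(str_to_sid(text)))
```
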