Should we use ntSid or objectSID?

Andrew Bartlett
Wed Apr 30 08:46:41 GMT 2003

It has been brought to my attention that there is already an established
standard for storing SIDs - the 'objectSID' from Active Directory. 
Using existing syntax is considered 'good form' in LDAP, so there are
very good reasons to use that, rather than ntSID.

The problem is that the format of the SID is a binary string - it's a real
pain to manipulate with text tools.  (ntSID is simply a text string.)

That said, moving closer to active directory attributes could be very
handy - we have other attribute naming clashes already, perhaps it is
time to get closer to that schema?  Using an LDAP based IDMAP on an
Active Directory server is a very interesting idea.

The other option is slapi search rewriting - when it's an OpenLDAP
server, it can think that the database has one format, but the slapi
plugin rewrites it to another...  But that won't help unless via proxy.

Andrew Bartlett
Manager, Authentication Subsystems, Samba Team
Student Network Administrator, Hawker College
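The binary-versus-text trade-off discussed above is easier to judge with the two encodings side by side. The following is an added example, not code from the post or from the Samba project: it converts between the packed objectSID blob (revision byte, sub-authority count byte, 48-bit big-endian identifier authority, then little-endian 32-bit sub-authorities) and the textual S-1-... form that ntSID stores, and shows how the binary form has to be escaped byte-by-byte before it can be used in an LDAP search filter. The sample SID and its blob are constructed for the example; the function names are my own.

```python
import struct

# Constructed sample: S-1-5-21-1234567890-987654321-1122334455-1105,
# packed the way Active Directory stores objectSid.
SAMPLE_SID_TEXT = "S-1-5-21-1234567890-987654321-1122334455-1105"
SAMPLE_SID_BLOB = bytes.fromhex(
    "01"              # revision
    "05"              # number of sub-authorities
    "000000000005"    # identifier authority 5 (NT Authority), big-endian
    "15000000"        # 21, little-endian
    "d2029649"        # 1234567890
    "b168de3a"        # 987654321
    "f776e542"        # 1122334455
    "51040000"        # 1105 (RID)
)


def sid_to_string(blob: bytes) -> str:
    """Decode a packed SID (objectSID syntax) into S-R-A-S1-...-Sn form."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, sub_count = blob[0], blob[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if sub_count > 15:
        raise ValueError("too many sub-authorities")
    if len(blob) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack(f"<{sub_count}I", blob[8:])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def string_to_sid(text: str) -> bytes:
    """Encode S-R-A-S1-...-Sn text (ntSID syntax) into the packed binary form."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {text!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if not 0 <= authority < 2**48:
        raise ValueError("identifier authority does not fit in 48 bits")
    if len(subs) > 15 or any(not 0 <= s < 2**32 for s in subs):
        raise ValueError("bad sub-authority list")
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def ldap_filter_escape(blob: bytes) -> str:
    """Escape raw bytes for an LDAP search filter (RFC 4515 \\xx form).

    This is what makes binary objectSID awkward with text tools: a lookup
    needs (objectSid=\\01\\05\\00...) rather than (ntSid=S-1-5-21-...).
    """
    return "".join(f"\\{b:02x}" for b in blob)


def round_trips(text: str) -> bool:
    """True if text -> binary -> text reproduces the input exactly."""
    return sid_to_string(string_to_sid(text)) == text


if __name__ == "__main__":
    print(sid_to_string(SAMPLE_SID_BLOB))
    print("(objectSid=%s)" % ldap_filter_escape(SAMPLE_SID_BLOB))
    print("(ntSid=%s)" % SAMPLE_SID_TEXT)
```

Note that the binary form is also what a real directory returns, so any tool that wants to grep or script against objectSID has to carry this decoding step; ntSID needs none of it, which is the pain the post points at.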