How to change objectSid from LDAP

Diego Woitasen diego at
Sat Feb 1 17:44:04 MST 2014

I'm trying to modify the objectSid of a group using python-ldap. I've
found that I need a server control to do it, but it doesn't work. The code
that I'm using:

        modlist = [ (ldap.MOD_REPLACE, 'objectSid', s3sid_packed) ]
        controls = [ LDAPControl(LDB_CONTROL_PROVISION_OID, criticality=0),
                     LDAPControl(LDB_CONTROL_RELAX_OID, criticality=0) ]
        s4ldap.modify_ext_s(s4dn, modlist, serverctrls=controls)

I'm using the domain administrator to bind to the server.

The error that I get:

ldap.UNWILLING_TO_PERFORM: {'info': '00002035: samldb: objectSid must
not be specified!', 'desc': 'Server is unwilling to perform'}

Is there a way to do it? I know that it is not something to be done
usually, but trust me, I need it :)


Diego Woitasen
Linux and Open Source solutions architect at
