A user or group was deleted and then recreated.
When the user or group is recreated, a new objectSid is assigned. Anything that was keyed on the old SID (user profiles, rights and ACLs, applications) then no longer matches the object.
If the old objectSid is known, it can be restored using the following procedure.
Often the old SID can be found by looking at a folder's Properties | Security tab: instead of the user or group name, the raw SID is listed, because that SID can no longer be resolved to an object.
In this example the SID will be S-1-5-21-1492677929-201335990-300129047-1020
First convert the SID to base64. objectSid is a binary attribute, and LDIF carries binary values base64-encoded. This can be done on the DSfW server using the sidToBase64.pl script.
Now create a ldif file for the user or group in question.
For this example we will restore a group called teachers.
Replace the dn: and objectSid:: with the correct values for your object.
Note: there are two colons after objectSid (objectSid::). In LDIF the double colon means the value that follows is base64-encoded; with a single colon the SID text would be taken literally.
Now use ldapmodify on the DSfW server to apply the changes. The file name for this example will be teachers.ldif
Note: one of the SASL mechanisms EXTERNAL, GSSAPI or GSS-SPNEGO must be used to apply this change. iManager, or ldapmodify with a simple bind, will not work.
/usr/bin/ldapmodify -Y EXTERNAL -f teachers.ldif
To verify that the objectSid has been modified, run an ldapsearch:
ldapsearch -Y EXTERNAL cn=teachers objectSid
ldapsearch prints the binary objectSid as a base64 value after objectSid::. To convert it back to a readable SID, use base64ToSid.pl (command below).

Reference for the pieces used in this procedure:
Format for ldif to replace objectSid: the dn: of the object followed by objectSid:: and the base64 value, as in teachers.ldif above.
Command to convert SID to ldap format (base64): sidToBase64.pl on the DSfW server.
Command to convert ldap format (base64) objectSid to SID:
/opt/novell/xad/share/dcinit/base64ToSid.pl <base64 value of objectSid>
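The following is a worked version of the whole procedure, added here as an example; it is not part of the TID and not DSfW's own sidToBase64.pl/base64ToSid.pl scripts. It packs and unpacks the binary SID format in general (any number of sub-authorities, not just the five in this example), produces the base64 value that goes after objectSid::, and writes the teachers.ldif modify record. The group DN cn=teachers,ou=groups,dc=example,dc=com is an assumption for illustration; substitute the object's real DN. The SID is the one used above.

```python
"""Added example (not from the TID and not DSfW's own scripts): a pure-Python
equivalent of sidToBase64.pl / base64ToSid.pl plus a generator for the LDIF
that puts the old objectSid back.  The group DN below is an assumption."""
import base64
import struct

# Packed SID layout (the form stored in objectSid):
#   byte 0     revision, always 1
#   byte 1     number of sub-authorities N (1..15)
#   bytes 2-7  48-bit identifier authority, big-endian
#   8..        N sub-authorities, each a little-endian uint32


def sid_to_bytes(sid: str) -> bytes:
    """Pack the textual S-1-5-21-... form into the binary form."""
    parts = sid.strip().split("-")
    if len(parts) < 4 or parts[0].upper() != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subauths = [int(p) for p in parts[3:]]
    if revision != 1 or not 1 <= len(subauths) <= 15:
        raise ValueError(f"malformed SID: {sid!r}")
    if not 0 <= authority < (1 << 48):
        raise ValueError("identifier authority must fit in 48 bits")
    if any(not 0 <= s < (1 << 32) for s in subauths):
        raise ValueError("sub-authority must fit in 32 bits")
    packed = bytes([revision, len(subauths)]) + authority.to_bytes(6, "big")
    return packed + struct.pack(f"<{len(subauths)}I", *subauths)


def bytes_to_sid(raw: bytes) -> str:
    """Unpack the binary form back into S-1-... text, refusing malformed data."""
    if len(raw) < 12:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1 or not 1 <= count <= 15 or len(raw) != 8 + 4 * count:
        raise ValueError("SID header does not match its length")
    authority = int.from_bytes(raw[2:8], "big")
    subauths = struct.unpack(f"<{count}I", raw[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subauths))


def sid_to_base64(sid: str) -> str:
    """What sidToBase64.pl produces: the value that goes after 'objectSid::'."""
    return base64.b64encode(sid_to_bytes(sid)).decode("ascii")


def base64_to_sid(b64: str) -> str:
    """What base64ToSid.pl produces from the 'objectSid::' value ldapsearch prints."""
    return bytes_to_sid(base64.b64decode(b64.strip(), validate=True))


def restore_sid_ldif(dn: str, sid: str) -> str:
    """LDIF modify record that overwrites objectSid with the old SID.
    The double colon marks a base64 value, as the TID notes."""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: objectSid\n"
        f"objectSid:: {sid_to_base64(sid)}\n"
        "-\n"
    )


if __name__ == "__main__":
    old_sid = "S-1-5-21-1492677929-201335990-300129047-1020"   # SID from the TID
    group_dn = "cn=teachers,ou=groups,dc=example,dc=com"       # assumed DN
    # sid_to_base64(old_sid) -> AQUAAAAAAAUVAAAAKXX4WLYkAAwXm+MR/AMAAA==
    print(restore_sid_ldif(group_dn, old_sid), end="")
    # the value ldapsearch prints after "objectSid::" round-trips to the old SID
    assert base64_to_sid(sid_to_base64(old_sid)) == old_sid
```

Redirect the script's output to teachers.ldif and apply it with the ldapmodify -Y EXTERNAL command above. After the ldapsearch verification step, paste the value printed after objectSid:: into base64_to_sid() to check that it decodes to the original SID; a value that fails the length or revision checks was not a SID and should not be applied.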
For more information on ldapsearch for DSfW see TID 7003070