DSfW: How to restore a user or group objectSid

  • 7014837
  • 02-Apr-2014

Environment

Novell Open Enterprise Server 11 SP2 (OES11SP2)
Novell Open Enterprise Server 11 SP1 (OES11SP1)
Domain Services for Windows
DSFW

Situation

A user or group was deleted and then recreated.
When the user or group is recreated, a new objectSid is assigned. This can cause issues with user profiles, rights, and applications.
If the old objectSid is known, it can be restored using the following method.

Resolution

Many times the SID can be found by looking at a folder's Properties | Security tab. Instead of the user name, the raw SID is listed, because the object can no longer be resolved from that SID.

In this example the SID will be S-1-5-21-1492677929-201335990-300129047-1020

First, convert the SID to base64. This can be done on the DSfW server using the sidToBase64.pl script:

/opt/novell/xad/share/dcinit/sidToBase64.pl S-1-5-21-1492677929-201335990-300129047-1020
Returns: AQUAAAAAAAUVAAAAKXX4WLYkAAwXm+MR/AMAAA==

Now create an LDIF file for the user or group in question.
For this example we will restore a group called teachers.

dn: cn=teachers,dc=dsfw,dc=lan
changetype:modify
replace:objectSid
objectSid:: AQUAAAAAAAUVAAAAKXX4WLYkAAwXm+MR/AMAAA==

Replace the dn: and objectSid:: values with the correct values for your object.
Note: after objectSid there are two colons (objectSid::); in LDIF the double colon marks a base64-encoded value.
Now use ldapmodify on the DSfW server to apply the change. The file name for this example is teachers.ldif.
Note: The EXTERNAL, GSSAPI, or GSSSPNEGO SASL methods must be used to apply this change. iManager, or ldapmodify with a simple bind, will not work.

export LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf
/usr/bin/ldapmodify -Y EXTERNAL -f teachers.ldif

To verify the objectSid has been modified, do an ldapsearch. Example:
ldapsearch -Y EXTERNAL cn=teachers objectSid

returns:
dn: cn=teachers,dc=dsfw,dc=lan
objectSid:: AQUAAAAAAAUVAAAAKXX4WLYkAAwXm+MR/AMAAA==

To convert the objectSid from base64 back to a readable SID, do:
/opt/novell/xad/share/dcinit/base64ToSid.pl AQUAAAAAAAUVAAAAKXX4WLYkAAwXm+MR/AMAAA==
Returns: S-1-5-21-1492677929-201335990-300129047-1020
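As an added example (this is not the page's sidToBase64.pl or base64ToSid.pl, but a reimplementation of the conversion they perform), the following Python packs a SID into the binary objectSid layout, base64-encodes it as an LDIF value, reverses the process, and writes the replace record shown above. It generalizes to any sub-authority count; the sample SID and base64 string are the ones from this article.

```python
import base64
import re
import struct

# Constructed sample values, copied from the article's worked example.
SAMPLE_SID = "S-1-5-21-1492677929-201335990-300129047-1020"
SAMPLE_B64 = "AQUAAAAAAAUVAAAAKXX4WLYkAAwXm+MR/AMAAA=="

_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


def sid_to_bytes(sid: str) -> bytes:
    """Pack a textual SID into the binary layout stored in objectSid:
    revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then each sub-authority as a
    little-endian unsigned 32-bit integer."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(s) for s in m.group(3).split("-")[1:]]
    if revision != 1 or authority >= 1 << 48 or not 1 <= len(subs) <= 15 or max(subs) >= 1 << 32:
        raise ValueError(f"SID fields out of range: {sid!r}")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))

def bytes_to_sid(raw: bytes) -> str:
    """Inverse of sid_to_bytes; the length must match the count byte."""
    if len(raw) < 8:
        raise ValueError("objectSid too short")
    revision, count = raw[0], raw[1]
    if revision != 1 or len(raw) != 8 + 4 * count:
        raise ValueError("objectSid revision/length mismatch")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))

def sid_to_base64(sid: str) -> str:
    """Same result as sidToBase64.pl: the LDIF-ready base64 value."""
    return base64.b64encode(sid_to_bytes(sid)).decode("ascii")

def base64_to_sid(b64: str) -> str:
    """Same result as base64ToSid.pl: the readable SID from an LDAP value."""
    return bytes_to_sid(base64.b64decode(b64, validate=True))

def replace_objectsid_ldif(dn: str, sid: str) -> str:
    """Build the LDIF change record from the article (note the double colon)."""
    return f"dn: {dn}\nchangetype: modify\nreplace: objectSid\nobjectSid:: {sid_to_base64(sid)}\n"
```

A decode that raises on a length mismatch is a useful check before pasting a value into the LDIF, since a truncated or hand-edited base64 string would otherwise be written to the directory as-is.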
Additional Information

Format for an LDIF file to replace objectSid:
dn: 
changetype:modify
replace:objectSid
objectSid::

Command to convert a SID to LDAP format (base64):
/opt/novell/xad/share/dcinit/sidToBase64.pl <SID>

Command to convert an LDAP-format (base64) objectSid back to a SID:
/opt/novell/xad/share/dcinit/base64ToSid.pl <base64 value of objectSid>

For more information on using ldapsearch with DSfW, see TID 7003070.