Folks,
I've been grappling with this for a while; I really hope someone knows the answer.
Basically I want to be able to synchronize a Documentum user store with an Active Directory. All is fine with the overall execution of the LDAP Server Configuration wizard except we want to be able to pull in the value of the "objectSid" property from Active Directory, whose data type is binary, not string.
(I see that Documentum pulls in the object guids from Active Directory -- unfortunately, that is not the value I need as a UUID for my principals).
I see several issues, which I've not been able to resolve:
A. There doesn't appear to be a way in the wizard to specify a custom property you want to map to something in your LDAP. Is there a way to work around that? I see some bits and pieces in various posts of people modifying the records that the LDAP config job generates; is there a comprehensive sample which can tell me how to do this? Or at least an overall strategy?
B. Assuming that I can resolve point A, how do I get at the binary value for the SID once it's been synchronized into Documentum as some property? It appears that IDfAttr in DFC supports the following data types: DM_BOOLEAN, DM_INTEGER, DM_STRING, DM_ID, DM_TIME, DM_DOUBLE, and DM_UNDEFINED. Would my new property be of type ID?
I have tried mapping the "description" property to "objectSid" but the values I get appear to be garbled (?).
For instance, one user's SID is: S-1-5-21-4112652463-876604200-4162877736-689911. The raw binary data is as follows:
-17 -65 -67 24 34 -17 -65 -67 40 -17 -65 -67 63 52 40 121 32 -17 -65 -67 -17 -65 -67 -17 -65 -67
Note that while this sequence is 28 bytes as a SID is supposed to be, the first byte is not the value of 1 (SID protocol version), so that's already invalid for SID data. I've also gotten similar sequences for other principals, all with similar data (lots of -17 -65 -67 repeated) and not always of length 28.
I'd appreciate any suggestions, pointers, comments.
Thanks.
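An added example, not part of the original post and not Documentum or DFC code: it encodes the SID quoted above into the 28-byte binary objectSid layout, then shows that decoding that binary as UTF-8 text and re-encoding it turns every byte that is not valid UTF-8 into EF BF BD (U+FFFD), which Java prints as -17 -65 -67. That the garbling in the post arose this way is an assumption, and the function names are illustrative.

```python
import struct

# SID and garbled bytes exactly as quoted in the post (Java-style signed bytes).
POSTED_SID = "S-1-5-21-4112652463-876604200-4162877736-689911"
POSTED_GARBLED = [-17, -65, -67, 24, 34, -17, -65, -67, 40, -17, -65, -67, 63, 52,
                  40, 121, 32, -17, -65, -67, -17, -65, -67, -17, -65, -67]

def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-R-A-S1-S2...' into the binary layout AD stores in objectSid."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    # 1 byte revision, 1 byte sub-authority count, 6-byte big-endian authority,
    # then each sub-authority as a little-endian unsigned 32-bit integer.
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def bytes_to_sid(raw: bytes) -> str:
    """Decode binary objectSid to its string form, validating the length."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    return "-".join(["S", str(raw[0]), str(authority)] + [str(s) for s in subs])

def through_utf8_string(raw: bytes) -> bytes:
    """Simulate a layer that treats the binary value as UTF-8 text (lossy)."""
    return raw.decode("utf-8", errors="replace").encode("utf-8")

def signed(raw: bytes) -> list:
    """Render bytes the way Java prints a byte[] (range -128..127)."""
    return [b - 256 if b > 127 else b for b in raw]

if __name__ == "__main__":
    raw = sid_to_bytes(POSTED_SID)
    print(len(raw), signed(raw))              # intact 28-byte value
    garbled = through_utf8_string(raw)
    print(len(garbled), signed(garbled))      # after the lossy string round trip
    print(bytes_to_sid(raw))                  # decodes back to the posted SID
```

The round-tripped value is 40 bytes long, and its bytes 12 through 37 equal the sequence quoted in the post. Each replaced byte is lost, so the original SID cannot be recovered from the string form.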