I'm setting up two AD drivers to eventually migrate all the users from
one AD to the other.
For this to be successful I need to synchronize the sidHistory and
objectsid from the old AD to sidHistory in the new AD.

objectsid is a single valued octet attribute and sidHistory is a
multivalued octet attribute.

I have created an aux-class with two attributes for objectsid and
sidHistory in eDir. If I synchronize, I can read the sid in cleartext in
the level 3 trace and for the objectsid in the "other" tab in iManager.
sidHistory is readable in the trace, it synchronizes fine to eDir but is
not seen in iManager. If I read the attributes with an ldap-browser it
looks strange (it's an octet so no surprise) but what is strange is that
the two attributes look different even though in this case I wrote the same
source attribute (objectsid) to both destination attributes.

When I then try to synchronize sidHistory to the new AD the error is:
<status level="error" type="driver-general"
<ldap-err ldap-rc="50" ldap-rc-name="LDAP_INSUFFICIENT_RIGHTS">
<client-err ldap-rc="50"
<server-err>00000005: SecErr: DSID-031A1169, problem 4003
<server-err-ex win32-rc="5"/>

I'm using an account that is a member of Domain Admins.
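
Added example, not part of the original post: one way to check whether two octet values that look different in an LDAP browser hold the same SID is to decode both to the S-1-... text form and compare. It assumes the values are available as raw bytes, base64 (as LDIF shows binary attributes) or S-1-... text; the sample SID and the helper names are constructed for illustration.

```python
import base64
import struct


def sid_bytes_to_str(raw: bytes) -> str:
    """Decode a binary SID (objectSid / sidHistory octet value) to S-1-... form."""
    if len(raw) < 8:
        raise ValueError("SID shorter than the 8-byte header")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError(f"length {len(raw)} does not match {count} sub-authorities")
    authority = int.from_bytes(raw[2:8], "big")   # 48-bit identifier authority, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])   # 32-bit sub-authorities, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def normalize(value) -> str:
    """Accept raw bytes, a base64 string, or S-1-... text and return S-1-... text."""
    if isinstance(value, bytes):
        # A binary SID starts with the revision byte 0x01, never with ASCII "S".
        if value.startswith(b"S-1-"):
            return value.decode("ascii")
        return sid_bytes_to_str(value)
    if value.startswith("S-1-"):
        return value
    return sid_bytes_to_str(base64.b64decode(value, validate=True))


def same_sid(a, b) -> bool:
    """True when both representations decode to the same SID."""
    return normalize(a) == normalize(b)


# Constructed sample value, not taken from any real directory.
SAMPLE_TEXT = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE_RAW = (
    bytes([1, 5])                                   # revision 1, five sub-authorities
    + (5).to_bytes(6, "big")                        # authority 5 (NT Authority)
    + struct.pack("<5I", 21, 1111111111, 2222222222, 3333333333, 1105)
)
SAMPLE_B64 = base64.b64encode(SAMPLE_RAW).decode("ascii")

if __name__ == "__main__":
    print(normalize(SAMPLE_RAW))
    print(normalize(SAMPLE_B64))
    print(same_sid(SAMPLE_RAW, SAMPLE_B64))
```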


