Former Member

SAP IDM read objectguid from Active Directory

Hi everyone,

with our SAP IDM, I am trying to read the objectguid from groups and users from the Active Directory, but for users I get only a string of symbols and for groups a NULL result. I guess this has to do with the objectguid being an octet string, but I have not yet found a way to read it properly. I read in some blogs that using a script could help, maybe someone could post his/her solution? I would be very grateful!!




2 Answers

  • Best Answer
    Dec 14, 2016 at 10:27 AM

    Hi Lisa,

    yes, it is possible via script. We are using the following

    function l_ad_hex2guid(Par){
        //Script creates from AD hex value the ObjectGUID
        //Input Example: {HEX}CC9AB70C2E2F8A4899E09AC6F1767C78
        //Output Example: 0CB79ACC-2F2E-488A-99E0-9AC6F1767C78
        //Negative substr offsets count from the end of the string, so the
        //"{HEX}" prefix is skipped and only the last 32 hex digits are used.
        var hex = Par;
        var hex1, hex2, hex3, hex4, hex5, guid = '';
        hex1 = hex.substr(-26, 2) + hex.substr(-28, 2) + hex.substr(-30, 2) + hex.substr(-32, 2); //first 4 bytes, reversed
        hex2 = hex.substr(-22, 2) + hex.substr(-24, 2); //next 2 bytes, reversed
        hex3 = hex.substr(-18, 2) + hex.substr(-20, 2); //next 2 bytes, reversed
        hex4 = hex.substr(-16, 4); //remaining 8 bytes keep their order
        hex5 = hex.substr(-12, 12);
        guid = hex1 + '-' + hex2 + '-' + hex3 + '-' + hex4 + '-' + hex5;
        return guid;
    }

    Important: You have to put a "!" before the "objectGUID" in the source column of the destination tab of the "FromLDAP" pass (please see attachment).

    Hope this will help!


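The byte reordering in the answer above, as an added example that is not part of the original answer or of SAP IDM: it validates the input, converts the "{HEX}"-prefixed octet string into the canonical GUID, and also does the reverse, turning a stored GUID back into the escaped value an LDAP filter needs so an object can be looked up by its immutable GUID after a rename. The sample value is the one quoted in the answer; the function names are my own.

```javascript
// Added example, not code from the original answer or from SAP IDM.
// Converts an AD objectGUID octet string (as IDM shows it, with a "{HEX}"
// prefix) to canonical GUID form, and back to an LDAP filter value.

// Canonical GUID from the raw 16-byte hex. The first three fields are
// little-endian in the AD byte stream, the last eight bytes keep their order.
function adHexToGuid(value) {
  const hex = String(value).replace(/^\{HEX\}/i, "").toUpperCase();
  if (!/^[0-9A-F]{32}$/.test(hex)) {
    throw new Error("objectGUID must be 16 bytes (32 hex digits), got: " + value);
  }
  const bytes = hex.match(/../g);                 // 16 two-digit byte groups
  const swap = (from, to) => bytes.slice(from, to).reverse().join("");
  return [
    swap(0, 4),                                   // Data1: 4 bytes, reversed
    swap(4, 6),                                   // Data2: 2 bytes, reversed
    swap(6, 8),                                   // Data3: 2 bytes, reversed
    bytes.slice(8, 10).join(""),                  // Data4: first 2 bytes as-is
    bytes.slice(10, 16).join(""),                 // Data4: last 6 bytes as-is
  ].join("-");
}

// Reverse direction: canonical GUID back to the 16 AD bytes, escaped as
// \xx per RFC 4515, for a filter such as (objectGUID=\CC\9A...). Useful when
// a pass must find an object by the GUID stored in the IDM mskeyvalue.
function guidToLdapFilterValue(guid) {
  const m = /^\{?([0-9A-F]{8})-([0-9A-F]{4})-([0-9A-F]{4})-([0-9A-F]{4})-([0-9A-F]{12})\}?$/i.exec(guid);
  if (!m) throw new Error("not a canonical GUID: " + guid);
  const rev = (h) => h.match(/../g).reverse().join("");
  const raw = (rev(m[1]) + rev(m[2]) + rev(m[3]) + m[4] + m[5]).toUpperCase();
  return raw.match(/../g).map((b) => "\\" + b).join("");
}

// Round trip on the sample value quoted in the answer.
const sampleHex = "{HEX}CC9AB70C2E2F8A4899E09AC6F1767C78";
const sampleGuid = adHexToGuid(sampleHex);        // 0CB79ACC-2F2E-488A-99E0-9AC6F1767C78
const sampleFilter = "(objectGUID=" + guidToLdapFilterValue(sampleGuid) + ")";
console.log(sampleGuid, sampleFilter);
```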

  • 
    Former Member
    Jan 19, 2017 at 06:27 AM

    Hi Michael, hi Matt,

    thank you so much for your help and sorry for my late reply, somehow I did not get notified that there were replies to my question! So thank you for the late Christmas gift :)

    Michael's script works perfectly fine. I can now read the guid from users and groups (the reason why I got a NULL result for the groups first was because the attribute was not added in the LDAP search string...). Now I can continue to try and set all group mskeyvalues to include the guid, so that changes in group names do not affect our IDM anymore. Wish me luck!

    Kind regards

