[midPoint] using the AD SID to correlate

[Tom Seeley]

Hi,

<for context, I'm building a PoC using our AD as a source of users  
(instead of an HR system)>

When was going through the midpoint book (which is excellent btw), it  
occurred to me that it would be more 'correct' to correlate AD  
accounts with midpoint users via the AD sid.  Thus I extended the  
schema to include a new property in midpoint and stored the accounts  
AD SID in it.  This worked fine.

I was about to do the same thing with groups when it occurred to me  
that this might not be so smart, that it might have only worked for  
these users because they were created in AD and then imported to  
midpoint (ie the SID existed at the point of import).  If I need to  
reverse this in future (perhaps when we have a better HR system) would  
this still work?  ie HR system imports into midpoint which then tries  
to create an associated account in the AD, but the SID is generated by  
the AD thus no correlation is possible?

Thanks,

Tom.