--- univention-s4-connector/modules/univention/s4connector/s4/__init__.py 2012-02-01 16:07:01.000000000 +0100 +++ univention-s4-connector/modules/univention/s4connector/s4/__init__.py 2012-02-01 17:23:58.000000000 +0100 @@ -39,6 +39,8 @@ import univention.debug2 as ud from ldap.controls import LDAPControl from ldap.controls import SimplePagedResultsControl +from samba.ndr import ndr_unpack, ndr_pack +from samba.dcerpc import security # page results PAGE_SIZE=1000 @@ -416,8 +412,13 @@ def encode_object_sid(sid_string, encode_in_base64=True): binary_encoding = "" - for i in sid.split("-")[1:]: - j = int(i) + ## equivalent of encode_sid above + vlist = sid_string.split("-")[1:] + binary_encoding += chr(int(vlist[0])) + chr(len(vlist)-2) + chr(0) + chr(0) + binary_encoding += chr(0) + chr(0) + chr(0) + chr(int(vlist[1])) + + for i in range(2,len(vlist)): + j = int(vlist[i]) oc1 = (j >> 24) oc2 = (j - (oc1 * (2 << 23))) >> 16 @@ -2016,7 +1850,11 @@ for attr,value in object['attributes'].items(): for attribute in self.property[property_type].attributes.keys(): if self.property[property_type].attributes[attribute].con_attribute == attr: - addlist.append((attr, value)) + if attr == 'objectSid': + objectSid = ndr_pack(security.dom_sid(value[0])) # or encode_sid + addlist.append((attr, objectSid)) + else: + addlist.append((attr, value)) if self.property[property_type].attributes[attribute].con_other_attribute == attr: addlist.append((attr, value)) if hasattr(self.property[property_type], 'post_attributes') and self.property[property_type].post_attributes != None: 
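Review bot: The hand-packed header in `encode_object_sid` accepts any string: `chr(len(vlist)-2)` and `chr(int(vlist[1]))` fail with a bare ValueError or IndexError for a SID with fewer than two fields, an identifier authority above 255 or non-numeric parts, and nothing caps the sub-authority count at the 15 a SID allows. Since the result is a binary objectSid, reject malformed input right after the split, e.g. `if not sid_string.startswith("S-") or not 2 <= len(vlist) <= 17: raise ValueError("malformed SID: %r" % (sid_string,))`. The commit already imports `ndr_pack` and `security`, so `ndr_pack(security.dom_sid(sid_string))` should produce the same bytes without the duplicated arithmetic that the `## equivalent of encode_sid above` comment points at. The function body continues past the hunk, so the base64 step is not visible here.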
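Review bot: The packed SID is appended as a bare string in `addlist.append((attr, objectSid))`, while every other entry keeps the list in `value`, and `value[0]` is read without checking that the list is non-empty or holds a well-formed SID. I would write `addlist.append((attr, [ndr_pack(security.dom_sid(value[0]))]))` behind an `if value:` guard, and handle the error `dom_sid` raises on a malformed string so that one bad object is logged and skipped; as written it presumably propagates out of the add. The later hunk recodes every attribute that is not in `self.lo_s4.decode_ignorelist`, so unless `objectSid` is on that list (not visible here) the binary value goes through `encode_list`; a comment stating that dependency would help. The `con_other_attribute` branch just below still appends the unpacked string if `objectSid` is ever mapped that way.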
@@ -2036,7 +1871,26 @@ else: modlist.append((ldap.MOD_DELETE, attr, None)) - self.lo_s4.lo.add_s(compatible_modstring(object['dn']), compatible_addlist(addlist)) #FIXME encoding + ud.debug(ud.LDAP, ud.INFO, "sync_from_ucs: addlist: %s" % addlist) + ## compatible_addlist runs decode('latin1').encode('utf8') + ## which is not correct at least for binary values + ## the following codeblock skips recoding for self.lo_s4.decode_ignorelist: + encoding='utf8' + encoded_addlist=[] + for attr, values in addlist: + if hasattr(attr,'encode'): + newattr=attr.encode(encoding) + else: + newattr=attr + if not attr in self.lo_s4.decode_ignorelist: + if type(values) == type([]): + encoded_addlist.append((newattr, encode_list(values, encoding))) + else: + encoded_addlist.append((newattr, encode_list(values, encoding))) + else: + encoded_addlist.append((newattr, values)) + + self.lo_s4.lo.add_s(compatible_modstring(object['dn']), encoded_addlist) #FIXME encoding if property_type == 'group': self.group_members_cache_con[object['dn'].lower()] = []
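Review bot: The new `ud.debug(ud.LDAP, ud.INFO, "sync_from_ucs: addlist: %s" % addlist)` writes every attribute value of the object being added to the log at INFO level, which includes the raw binary objectSid and may include other sensitive attributes depending on the mapping. Log the attribute names only, e.g. `ud.debug(ud.LDAP, ud.INFO, "sync_from_ucs: addlist attrs: %s" % [a for a, _ in addlist])`. The `if type(values) == type([])` test has two identical branches, so a non-list value reaches `encode_list` unchanged; either drop the test or wrap the scalar as `encode_list([values], encoding)`, whichever was intended. `not attr in` reads better as `attr not in`, and the trailing `#FIXME encoding` on `add_s` looks stale now that this block does the encoding.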