Your extreme solutions are, well, a bit extreme for this case! I think I'll just come up with a work-around.

Here's my situation: I'm building an intranet application that uses Active Directory for authentication, but I also need to mirror user information and application permissions in a relational database. The reason for this is that records in the database are tied to users. The data needs to be kept for "historical" reasons--if an AD user is deleted (when the user leaves the organization, etc.), I still want to be able to associate information such as the user's name, etc., with the record (without de-normalizing the database).

So, I'm mirroring user info in the database. I'd hoped to be able to pull the objectGUID from AD (via cfldap) to use as a unique identifier in the database. But ColdFusion doesn't seem to want me to do this.

The back-up plan is to use another value, like SAMAccountname, as a unique identifier. But this too has problems: the AD account "knelson" could be deleted, and another account could be created for an entirely different individual, but also called "knelson." So now my app thinks these two individuals are the same. True, this is a remote possibility, but I'd still like to find a better way to ensure data integrity.

Karl

Gilles Vincent writes:

>A really extreme solution should consist in 'rewriting' the LDAP protocol so
>that to manage binary results i.e. 'just' calling an external Java class like
>this one : http://www.openldap.org/jldap/
>or writing a cfx ldap client adapted from the OpenLDAP C sources
>(all openldap sources are available for download here :
>http://developer.novell.com/ndk/downloadaz.htm )
>..hard work, I guess.. :(
>
>Another solution should consist in using a redundant index in an external
>join table, associating the pseudo-binary ldap query result to a numeric
>index (a complete initialisation and a series of triggers managing this join
>table could help, also)..
>looks bad, but who matters ?
>
>Any other idea ?
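
The identity problem described in the message above, as an added example that is not part of the original thread (Python rather than ColdFusion): it assumes the raw 16-byte objectGUID value has been retrieved from the directory by some means, and shows why keying the mirror table on it keeps two different "knelson" accounts apart. The table names, function names, GUID bytes and display names are all hypothetical or constructed for illustration.

```python
import sqlite3
import uuid

def guid_from_ad(raw: bytes) -> str:
    """Turn the 16 raw objectGUID bytes into the canonical GUID string.
    AD stores the first three GUID fields little-endian, hence bytes_le."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw))

def open_mirror() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE app_user (
            object_guid      TEXT PRIMARY KEY,  -- stable AD identity
            sam_account_name TEXT NOT NULL,     -- NOT unique: names get reused
            display_name     TEXT NOT NULL,
            deleted_in_ad    INTEGER NOT NULL DEFAULT 0);
        CREATE TABLE record (
            id         INTEGER PRIMARY KEY,
            owner_guid TEXT NOT NULL REFERENCES app_user(object_guid),
            note       TEXT NOT NULL);
    """)
    return db

def sync_user(db, raw_guid: bytes, sam: str, name: str) -> str:
    """Insert or refresh the mirror row for one AD entry; returns its key."""
    guid = guid_from_ad(raw_guid)
    db.execute("INSERT OR REPLACE INTO app_user VALUES (?, ?, ?, 0)",
               (guid, sam, name))
    return guid

def owner_name(db, record_id: int) -> str:
    row = db.execute("""SELECT u.display_name FROM record r
                        JOIN app_user u ON u.object_guid = r.owner_guid
                        WHERE r.id = ?""", (record_id,)).fetchone()
    return row[0]

def demo():
    db = open_mirror()
    # Constructed sample values: two different people, same login name.
    old = sync_user(db, bytes.fromhex("00112233445566778899aabbccddeeff"),
                    "knelson", "Kim Nelson")
    db.execute("INSERT INTO record VALUES (1, ?, 'old record')", (old,))
    # The first account is deleted in AD; the mirror row is kept for history.
    db.execute("UPDATE app_user SET deleted_in_ad = 1 WHERE object_guid = ?", (old,))
    new = sync_user(db, bytes.fromhex("ffeeddccbbaa99887766554433221100"),
                    "knelson", "Kyle Nelson")
    db.execute("INSERT INTO record VALUES (2, ?, 'new record')", (new,))
    return owner_name(db, 1), owner_name(db, 2)
```
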