The ldap.lua NSE library currently in SVN doesn't correctly handle the Active Directory objectSID attribute. Instead it attempts to perform additional asn.1 decoding on it. Attached is a patch that implements the correct conversion from bytes to the human readable string such as
If there aren't any issues or concerns I'll commit the code later this week.
This command was tested against a Windows 2012 R2 host functioning as a Active Directory Controller. The user had Domain Admin privileges and so should be able to access all attributes.
Screen output below as well as output to CSV file. The correct objectSID,