Cannot join DC slave to a UCS domain

I have installed a new server as DC slave, however the Univention-join command fails.

From /var/log/univention/join.log

Starting slapd (via systemctl): slapd.service.

  • echo -e ‘\033[60Gdone’
  • echo -n 'Search LDAP binddn ’
    ++ sed -ne ‘s|^DN: ||p’
    ++ univention-ssh /tmp/tmp.NCm1DXfPyr/dcpwd Administrator@ucspdc.sunhut.local /u$
  • binddn=
  • ‘[’ -z ‘’ ‘]’
    ++ univention-ssh /tmp/tmp.NCm1DXfPyr/dcpwd Administrator@ucspdc.sunhut.local ld$
    ++ ldapsearch-wrapper
    ++ ldapsearch-decode64
    ++ sed -ne ‘s|^dn: ||p;s|^DN: ||p’
    ldap_sasl_bind(SIMPLE): Can’t contact LDAP server (-1)
  • binddn=
  • ‘[’ -z ‘’ ‘]’
    ++ univention-ssh /tmp/tmp.NCm1DXfPyr/dcpwd Administrator@ucspdc.sunhut.local ld$
    ++ ldapsearch-wrapper
    ++ ldapsearch-decode64
    ++ sed -ne ‘s|^dn: ||p;s|^DN: ||p’
    Insufficient access (50)
  • binddn=
  • ‘[’ -z ‘’ ‘]’
  • failed_message 'binddn for user Administrator not found. ’
  • echo ‘’
  • echo ‘’
  • echo '************************************************************************$
  • echo '* Join failed! $
  • echo '* Contact your system administrator $
  • echo '************************************************************************$
  • echo '* Message: binddn for user Administrator not found. ’
  • echo '************************************************************************$
  • exit 1

Is Administrator member of DC Backup Hosts and is /etc/ldap.secret readable for the group DC Backup Hosts?

root@master421:~# udm groups/group list --filter cn=“DC Backup Hosts” | grep -i Administrator
users: uid=Administrator,cn=users,dc=deadlock42,dc=intranet
root@master421:~# ls -la /etc/ldap.secret
-rw-r----- 1 root DC Backup Hosts 20 Mai 26 13:22 /etc/ldap.secret

root@ucspdc:~# udm groups/group list --filter cn="DC Backup Hosts" | grep -i Administrator
  users: uid=Administrator,cn=users,dc=sunhut,dc=local
root@ucspdc:~# ls -la /etc/ldap.secret
-rw-r--r-- 1 root DC Backup Hosts 20 nov 14  2015 /etc/ldap.secret

I am able to login to the dcmaster using following command:

univention-ssh passwordfile Administrator@sunhut.local

Running following command on DC master generates this error

root@ucspdc:~# /usr/sbin/udm users/user list --filter uid=Administrator

Traceback (most recent call last):
File “/usr/share/univention-directory-manager-tools/univention-cli-server”, line 218, in doit
output = univention.admincli.admin.doit(arglist)
File “/usr/lib/pymodules/python2.7/univention/admincli/”, line 398, in doit
out = _doit(arglist)
File “/usr/lib/pymodules/python2.7/univention/admincli/”, line 991, in _doit
File “/usr/lib/pymodules/python2.7/univention/admin/handlers/users/”, line 1496, in open
File “/usr/lib/pymodules/python2.7/univention/admin/handlers/”, line 700, in open
self.call_udm_property_hook(‘hook_open’, self)
File “/usr/lib/pymodules/python2.7/univention/admin/handlers/”, line 692, in call_udm_property_hook
File “/usr/lib/pymodules/python2.7/univention/admin/hooks.d/”, line 83, in hook_open
for k, v in self.ox_defaults(module.lo, module.position).items():
File “/usr/lib/pymodules/python2.7/univention/admin/hooks.d/”, line 67, in ox_defaults
cls._ox_defaults[attr] = attr_m[0].info[‘default’]
KeyError: ‘default’


please run:
univention-ldapsearch -LLL -b "cn=open-xchange,cn=custom attributes,cn=univention,$(ucr get ldap/base)" '(|(cn=oxAccess)(cn=oxDisplayName)(cn=oxLanguage)(cn=oxTimeZone))' univentionUDMPropertyDefault

The result should be four LDAP objects with an univentionUDMPropertyDefault property each:

dn: cn=oxAccess,cn=open-xchange,cn=custom attributes,cn=univention,...
univentionUDMPropertyDefault: premium

dn: cn=oxLanguage,cn=open-xchange,cn=custom attributes,cn=univention,...
univentionUDMPropertyDefault: de_DE

dn: cn=oxTimeZone,cn=open-xchange,cn=custom attributes,cn=univention,...
univentionUDMPropertyDefault: Europe/Berlin

dn: cn=oxDisplayName,cn=open-xchange,cn=custom attributes,cn=univention,...
univentionUDMPropertyDefault:: PGZpcnN0bmFtZT4gPGxhc3RuYW1lPg==

If one is missing or empty, please rerun the OX join script:
univention-run-join-scripts --run-scripts --force 65univention-ox.inst
Then check again (univention-ldapsearch -LLL ...).

Daniel Tröder

My OX installation got corrupted while moving the VM so possibly I should remove all OX instances in the LDAP directory.

However this is the result of your suggestion:

dn: cn=oxAccess,cn=open-xchange,cn=custom attributes,cn=univention,dc=sunhut,d
univentionUDMPropertyDefault: premium

dn: cn=oxLanguage,cn=open-xchange,cn=custom attributes,cn=univention,dc=sunhut

dn: cn=oxTimeZone,cn=open-xchange,cn=custom attributes,cn=univention,dc=sunhut
univentionUDMPropertyDefault: Europe/Stockholm

dn: cn=oxDisplayName,cn=open-xchange,cn=custom attributes,cn=univention,dc=sun
univentionUDMPropertyDefault:: PGZpcnN0bmFtZT4gPGxhc3RuYW1lPg==

oxLanguage is missing.
Have you run the join script?

My OX installation is corrupt so I cannot run the OX join script. I plan to reinstall OX to the machine I want to join to the domain.

I removed all references to OX in LDAP and that resolved the “binddn for user Administrator not found” error.
I am now stuck on “FAILED: failed.ldif exists” error.

I set up a new UCS master domainserver in a new domain and still the message appears.

I am lost

I’m not sure I understand correctly:

  • You installed a new UCS DC master from DVD?
  • With no connection or data from the old one?
  • At some point you got FAILED: failed.ldif exists? When/Doing what?

I have a new UCS KVM server that I want to connect to a UCS domain.
My first attempt to join the server to the UCS domain resulted in the “binddn for user Administrator not found” error. I subsequently removed all references to OX from LDAP (old OX installation appeared to be the culprit). This resolved the original error but I now got the “FAILED: failed.ldif exists” error.
Now I set up a brand new UCS master domain server using the VM image to test but but still got the “FAILED: failed.ldif exists” error when joining the UCS KVM server.There is no connection to the old domain.
I did remove the failed.ldif file but the error persists.

Both servers are now fresh installs, one from the ISO image and the other from the VM image. None of the servers have been customized or altered.

Good afternoon bhagert,

we need more log files info from the client i.e DC slave machine.




Problem resolved. I did a reinstall of the KVM server