Don't have a support contract (still testing), can I report bugs?

I made a number of posts about the AD server getting “corrupted” by Univention.

I think I know how it happens.

I had previously reported this error…

```
29.07.2020 16:08:42.298 LDAP        (PROCESS): sync to ucs:   [          user] [       add] uid=shawn.zheng,ou=leave user,dc=mirror-dx,dc=org,dc=dx1,dc=com
29.07.2020 16:08:43.632 LDAP        (ERROR  ): Unknown Exception during sync_to_ucs
29.07.2020 16:08:43.632 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/connector/__init__.py", line 1326, in sync_to_ucs
    result = self.add_in_ucs(property_type, object, module, position)
  File "/usr/lib/python2.7/dist-packages/univention/connector/__init__.py", line 1146, in add_in_ucs
    return bool(ucs_object.create())
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 557, in create
    dn = self._create(response=response, serverctrls=serverctrls)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 1298, in _create
    six.reraise(exc[0], exc[1], exc[2])
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 1282, in _create
    self.lo.add(self.dn, al, serverctrls=serverctrls, response=response)
  File "/usr/lib/python2.7/dist-packages/univention/admin/uldap.py", line 865, in add
    raise univention.admin.uexceptions.ldapError(_err2str(msg), original_exception=msg)
ldapError: No such object
```

Now the interesting things to note here are:
the timestamp: `29.07.2020 16:08:42.298 LDAP`
and the OU group object `ou=leave user`.

It is not until AFTER this error is thrown that the group is added!!! Luckily, this was added just after the failure,
but normally for other users it can be a significant time before this occurs.

```
29.07.2020 16:08:43.772 LDAP (PROCESS): sync to ucs: [ ou] [ add] OU=Leave user,dc=dx1,dc=org,dc=mirror-dx,dc=com
```

So then we have:

```
29.07.2020 16:26:54.562 LDAP (PROCESS): sync from ucs: [ ou] [ add] ou=leave user,DC=dx1,DC=org,DC=mirror-dx,DC=com
```

Then this!!!

```
29.07.2020 16:32:26.385 LDAP (PROCESS): sync to ucs: Resync rejected dn: CN=shawn.zheng,OU=Leave user,DC=dx1,DC=org,DC=mirror-dx,DC=com
29.07.2020 16:32:26.404 LDAP (PROCESS): sync to ucs: [ user] [ add] uid=shawn.zheng,ou=leave user,dc=mirror-dx1,dc=org,dc=mirror-dx,dc=com
```

Success!!!

But the group data still has to be re-synced BACK to the AD server…

So basically:

  1. We tried to add a user to a non-existent group -> fail.
  2. We then randomly added the group -> success.
  3. We added some other users -> success.
  4. The group gets synced BACK to the AD, minus the unprocessed records.
  5. Finally, at a later time, the user that failed gets synced back.

During this sync time the AD can potentially get corrupted due to groups being synced back minus their complete user & access rights.
On a large installation it can take up to an hour of backwards & forwards before the system becomes synced.
During this time, if the mode is bi-directional, all sorts of things can be going on with users' access & rights.
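As an added example (not part of the original post or of the Univention connector), the ordering problem described above can be detected from the connector log itself: every `add` whose parent OU has not yet been synced is an orphan, and the delay until that OU finally appears is the window in which AD and UCS disagree. The log lines below are constructed to mirror the post, with one consistent base DN; the regex assumes the `PROCESS` line layout shown above.

```python
import re
from datetime import datetime

# Connector PROCESS lines as shown in the post; the bracket columns are padded
# with a varying number of spaces, so whitespace is matched loosely.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) LDAP\s+\(PROCESS\):\s+"
    r"sync (?P<direction>to|from) ucs:\s+\[\s*(?P<otype>\w+)\]\s+\[\s*(?P<op>\w+)\]\s+(?P<dn>\S.*)$"
)

# Constructed sample, modelled on the post (user add, error, late OU add, retry).
LOG = """\
29.07.2020 16:08:42.298 LDAP        (PROCESS): sync to ucs:   [          user] [       add] uid=shawn.zheng,ou=leave user,dc=dx1,dc=org,dc=mirror-dx,dc=com
29.07.2020 16:08:43.632 LDAP        (ERROR  ): Unknown Exception during sync_to_ucs
29.07.2020 16:08:43.772 LDAP        (PROCESS): sync to ucs:   [            ou] [       add] OU=Leave user,dc=dx1,dc=org,dc=mirror-dx,dc=com
29.07.2020 16:26:54.562 LDAP        (PROCESS): sync from ucs: [            ou] [       add] ou=leave user,DC=dx1,DC=org,DC=mirror-dx,DC=com
29.07.2020 16:32:26.404 LDAP        (PROCESS): sync to ucs:   [          user] [       add] uid=shawn.zheng,ou=leave user,dc=dx1,dc=org,dc=mirror-dx,dc=com
""".splitlines()

def norm_dn(dn):
    """Case-fold a DN and trim spaces around commas so AD and UCS spellings compare equal."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def parse_line(line):
    """Return (timestamp, direction, object type, operation, dn) or None for non-PROCESS lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d.%m.%Y %H:%M:%S.%f")
    return ts, m["direction"], m["otype"], m["op"], m["dn"]

def find_orphan_adds(lines):
    """Return (child_dn, parent_dn, seconds_until_parent_added) for every add whose
    parent container had not been synced yet; seconds is None if it never appears.
    Parents that are the dc= base are assumed to exist and are not flagged."""
    seen, pending, findings = set(), [], []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev[3] != "add":
            continue
        ts, dn = ev[0], norm_dn(ev[4])
        parent = dn.split(",", 1)[1]
        if not parent.startswith("dc=") and parent not in seen:
            pending.append((ts, dn, parent))
        seen.add(dn)
        # A container arriving now resolves every orphan that was waiting for it.
        for entry in [p for p in pending if p[2] == dn]:
            findings.append((entry[1], entry[2], (ts - entry[0]).total_seconds()))
            pending.remove(entry)
    findings.extend((child, parent, None) for _, child, parent in pending)
    return findings

if __name__ == "__main__":
    for child, parent, delay in find_orphan_adds(LOG):
        print("orphan add: %s (parent %s arrived %s s later)" % (child, parent, delay))
```

Run against a real `connector.log` the same way; a non-zero result means a user or group was written before its OU existed, which is exactly the state in which group memberships can be synced back incomplete.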
