This may not work with future versions beyond UCS 4.x!
Problem:
You might end up in a situation where a user still seems to be a member of a group even though you just removed them from it. When you try to fix the group membership, you’re told memberUid: no such value.
A deeper look:
When looking closer at the group objects the user is supposed to be in, you discover that there are two attributes determining the group membership, memberUid and uniqueMember. While memberUid doesn’t list the user in question, uniqueMember does.
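A read-only check for the mismatch described above, as an added example that is not part of the original article or of UCS: it parses LDIF from a search for posixGroup entries (requesting memberUid and uniqueMember) and reports users listed in only one of the two attributes. The sample LDIF, the names in it, and the rule that memberUid values ending in "$" are machine accounts are assumptions.

```python
import base64
from collections import defaultdict
# Constructed sample shaped like ldapsearch output; names are made up.
B64_DAVE = base64.b64encode(b"uid=dave,cn=users,dc=example,dc=test").decode()
SAMPLE_LDIF = f"""\
dn: cn=Domain Admins,cn=groups,dc=example,dc=test
memberUid: alice
uniqueMember: uid=alice,cn=users,dc=example,dc=test
uniqueMember: uid=bob,cn=users,dc=example,dc=test

dn: cn=staff,cn=groups,dc=example,dc=test
memberUid: carol
memberUid: dave
uniqueMember: uid=carol,cn=users,dc=example,
 dc=test
uniqueMember:: {B64_DAVE}
uniqueMember: cn=nested,cn=groups,dc=example,dc=test
"""

def parse_ldif(text):
    """Yield (dn, attrs) per entry; handles folded lines and base64 ("attr:: ") values."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        attrs = defaultdict(list)
        lines = [l for l in block.splitlines() if l and not l.startswith("#")]
        for name, _, value in (l.partition(":") for l in lines):
            if value.startswith(":"):
                value = base64.b64decode(value[1:]).decode("utf-8", "replace")
            attrs[name.lower()].append(value.strip())
        if "dn" in attrs:
            yield attrs["dn"][0], attrs

def uid_of(dn):
    """uid from a DN whose first RDN is uid=...; None for nested groups and hosts (cn=...)."""
    key, _, val = dn.split(",", 1)[0].partition("=")
    return val.lower() if key.strip().lower() == "uid" else None

def audit(ldif_text):
    """Map group DN -> (uids only in uniqueMember, uids only in memberUid).
    Assumption: memberUid values ending in "$" are machine accounts and are skipped."""
    findings = {}
    for dn, attrs in parse_ldif(ldif_text):
        by_dn = {u for u in map(uid_of, attrs.get("uniquemember", [])) if u}
        by_uid = {u.lower() for u in attrs.get("memberuid", []) if not u.endswith("$")}
        if by_dn != by_uid:
            findings[dn] = (sorted(by_dn - by_uid), sorted(by_uid - by_dn))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_LDIF))
```

A user who shows up only under uniqueMember, like bob in the constructed sample, is the stale membership this article describes and may still be treated as a group member by anything that reads that attribute.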
Solution:
You need to remove the uniqueMember attribute value that still contains the user’s DN. Fortunately you don’t need to do this by hand; there is a script that checks and corrects all groups in your LDAP.
root@ucs:~ # /usr/share/univention-directory-manager-tools/proof_uniqueMembers
Checking if users are member of their primary group...
Checked 70 posixAccounts, fixed 0 issues.
Checking if group-members exist...
Checked 91 posixGroups, fixed 0 issues.