This may not work with future versions beyond UCS 4.x!
You might end up in a situation where a user seems to be part of a group even you just removed it. When trying to fix the group membership you’re told
memberUid: no such value.
A deeper look:
When looking closer at the group objects the user is supposed to be in, you discover that there are two attributes determining the group membership,
memberUid doen’t list the user in question,
You need to remove the attribute
uniqueMember still containing the user dn. Fortunately you don’t need to do this by hand; there is a script that checks and corrects all groups in your ldap.
root@ucs:~ # /usr/share/univention-directory-manager-tools/proof_uniqueMembers Checking if users are member of their primary group... Checked 70 posixAccounts, fixed 0 issues. Checking if group-members exist... Checked 91 posixGroups, fixed 0 issues.