How-to: Handle s4-connector rejects

What are rejects?

Every change in OpenLDAP or Samba is transferred to the other system by the s4-connector, which keeps both directories in sync.

By changes we mean, for example, changing a first name, last name or phone number.

s4-connector rejects occur when such changes cannot be synchronized for various reasons.

How to deal with rejects?

You can use the following command to have a look at the current S4-Connector replication status:

root@example:~# univention-s4connector-list-rejected

UCS rejected


S4 rejected


There may be no rejected DNs if the connector is in progress, to be
sure stop the connector before running this script.


	last synced USN: 4223
root@example:~# 
  • UCS rejected refers to object modifications that have been detected in UCS/OpenLDAP and could not be synchronized to the Samba/AD directory service.
  • S4 rejected on the other hand refers to object modifications that have been detected in Samba/AD and could not be synchronized to the UCS/OpenLDAP directory service.

If you see rejected objects in the output, it is recommended to check the relevant log file to determine the reason for the reject. In this case that is /var/log/univention/connector-s4.log

In most cases you will find a corresponding traceback, which you can hand over to your support contact if in doubt.
If the reason shown is not obvious (or not accurate), it can help to compare the rejected object in Samba 4 and LDAP. You can use the following commands:

root@dc1:~# univention-ldapsearch -b "objectdn"
root@dc1:~# univention-s4search -b "objectdn"

for example:

# User
univention-ldapsearch -b "uid=administrator,cn=users,dc=domain,dc=de"
univention-s4search -b "cn=administrator,cn=users,dc=domain,dc=de"

# DNS
univention-ldapsearch -b "relativeDomainName=_ldap._tcp,zoneName=domain.de,cn=dns,dc=domain,dc=de"
univention-s4search -b "dc=_ldap._tcp.DomainDnsZones,DC=domain.de,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=de" --cross-ncs

If the objects are equal and you are sure about this, the reject may already be resolved. This can happen if discrepancies were resolved outside the connector. In these cases the rejects can be removed. This could also be the case if you removed unwanted objects with ldbdel, for example.
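The comparison described above can be scripted. The following is an added example, not part of the original article or of Univention's tooling: it parses the LDIF output of univention-ldapsearch and univention-s4search and reports which of the attributes mentioned earlier (first name, last name, phone number) differ. The function names, the attribute list and the sample LDIF are assumptions constructed for illustration.

```python
import base64

# Assumption: both directories use these names for first name, last name, phone.
COMPARE_ATTRS = ("givenName", "sn", "telephoneNumber")

def parse_ldif_entry(text):
    """Parse the first LDIF entry in text into {lowercased attr: set(values)}."""
    text = text.replace("\n ", "")  # unfold LDIF continuation lines
    entry = {}
    for line in text.splitlines():
        if not line.strip():
            if entry:  # a blank line ends the first entry
                break
            continue
        if line.startswith("#") or ":" not in line:
            continue
        attr, _, rest = line.partition(":")
        value = rest.strip()
        if rest.startswith(":"):  # "attr:: value" is base64-encoded
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        entry.setdefault(attr.lower(), set()).add(value)
    return entry

def diff_entries(ucs_ldif, s4_ldif, attrs=COMPARE_ATTRS):
    """Return {attr: (ucs_values, s4_values)} for the attributes that differ."""
    ucs, s4 = parse_ldif_entry(ucs_ldif), parse_ldif_entry(s4_ldif)
    diffs = {}
    for attr in attrs:
        a, b = ucs.get(attr.lower(), set()), s4.get(attr.lower(), set())
        if a != b:
            diffs[attr] = (sorted(a), sorted(b))
    return diffs

# Constructed sample output for illustration, not taken from a real system.
UCS_SAMPLE = """# extended LDIF
dn: uid=administrator,cn=users,dc=domain,dc=de
sn:: TcO8bGxlcg==
telephoneNumber: +49 421 000
"""
S4_SAMPLE = """# record 1
dn: CN=administrator,CN=users,DC=domain,DC=de
sn: M\u00fcller
telephoneNumber: +49 421 111
"""

if __name__ == "__main__":
    for attr, (ucs_vals, s4_vals) in diff_entries(UCS_SAMPLE, S4_SAMPLE).items():
        print(f"{attr}: UCS={ucs_vals} S4={s4_vals}")
```

On a UCS system, pass the captured output of the two search commands instead of the samples. An empty result for the attributes you care about supports the conclusion that the reject is already resolved.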

Remove rejects

Rejects are stored in an SQLite database, so they have to be removed from that database.

Remove S4 reject:

root@master:~# /usr/share/univention-s4-connector/remove_s4_rejected.py CN=Administrator,CN=Users,DC=example,DC=ucs

Remove UCS/LDAP reject:

root@master:~# /usr/share/univention-s4-connector/remove_ucs_rejected.py uid=Administrator,cn=users,dc=example,dc=ucs

Trigger resync

You can also try to sync changes from one directory service to the other, for example by triggering a resync of a Samba/AD object to OpenLDAP.

S4 resync:

root@master:~# /usr/share/univention-s4-connector/resync_object_from_s4.py --filter cn=Administrator
resync triggered for CN=Administrator,CN=Users,DC=example,DC=ucs
Estimated sync in 50 seconds.

UCS resync:

root@master:~# /usr/share/univention-s4-connector/resync_object_from_ucs.py --filter uid=Administrator
resync triggered for uid=Administrator,cn=users,dc=example,dc=ucs

What can I do if this article didn’t help?

If you cannot resolve the rejects this way, you can check this article or open a ticket with our support (enterprise subscription needed).
