Problem: AD-Connector sync fails with "Can't initialize LDAP-Connections"

Problem:

In AD Member mode (UCS is joined to a Microsoft AD domain) the AD connector stops synchronizing and /var/log/univention/connector-ad-status.log shows:

Warning: Can’t initialize LDAP-Connections, wait…

In an strace output of the connector process you will find:
22:28:40.885180 sendto(8, "<35>Jul 15 22:28:40 python3: encoded packet size too big (813957120 > 16777215)", 79, MSG_NOSIGNAL, NULL, 0) = 79

Investigation:

The AD Connection wizard sets the following UCR variables when a certificate is uploaded:

ucr set connector/ad/ldap/ssl=yes ldap/sasl/secprops/maxssf=128 connector/ad/ldap/kerberos=true

Unsetting the ldap/sasl/secprops/maxssf variable reproduces exactly the warning and the strace message shown above.

Solution:

The ldap/sasl/secprops/maxssf variable has to be set to a value; the recommended value is 128.

ucr set ldap/sasl/secprops/maxssf=128
systemctl restart univention-ad-connector

An alternative, but not recommended, workaround is to disable SSL for the connector with ucr set connector/ad/ldap/ssl=no followed by systemctl restart univention-ad-connector.
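The following shell script is an added example and not part of this article or of Univention's own tooling. It turns the rule above into a pre-flight check: with connector/ad/ldap/ssl=yes, ldap/sasl/secprops/maxssf must be set to a number, otherwise the "Can't initialize LDAP-Connections" failure is to be expected. The function names (check_ad_connector_sasl, log_shows_ldap_init_failure) are assumptions made for this example; the check takes the UCR values as arguments so it can be tested on a host without ucr, and the call at the bottom feeds it live values from ucr get when that command exists.

```shell
#!/bin/sh
# Added example (not Univention code): consistency check for the AD connector's
# SASL settings described in this article. Function names are invented here.

# check_ad_connector_sasl SSL MAXSSF
#   SSL    - value of connector/ad/ldap/ssl ("yes"/"no")
#   MAXSSF - value of ldap/sasl/secprops/maxssf ("" when unset)
# Returns 0 when the combination is consistent, 1 when the
# "Can't initialize LDAP-Connections" condition is to be expected.
check_ad_connector_sasl() {
    ssl="$1"
    maxssf="$2"

    if [ "$ssl" != "yes" ]; then
        # The article's non-recommended workaround: SSL disabled, maxssf irrelevant.
        echo "connector/ad/ldap/ssl=$ssl: connector LDAP SSL is disabled (not recommended)"
        return 0
    fi

    case "$maxssf" in
        '')
            echo "ldap/sasl/secprops/maxssf is unset with SSL enabled:"
            echo "  expect 'Can't initialize LDAP-Connections' and 'encoded packet size too big'"
            echo "  remediation: ucr set ldap/sasl/secprops/maxssf=128 && systemctl restart univention-ad-connector"
            return 1 ;;
        *[!0-9]*)
            echo "ldap/sasl/secprops/maxssf='$maxssf' is not numeric"
            return 1 ;;
    esac

    echo "ldap/sasl/secprops/maxssf=$maxssf with SSL enabled: consistent"
    return 0
}

# log_shows_ldap_init_failure FILE
# Returns 0 when the status log contains the warning quoted in the problem
# description. The pattern deliberately omits the apostrophe in "Can't",
# which appears with varying quote characters in the log.
log_shows_ldap_init_failure() {
    grep -q "initialize LDAP-Connections" "$1"
}

# Live usage on a UCS host; skipped where ucr is not installed.
if command -v ucr >/dev/null 2>&1; then
    check_ad_connector_sasl "$(ucr get connector/ad/ldap/ssl)" \
                            "$(ucr get ldap/sasl/secprops/maxssf)"
    log_shows_ldap_init_failure /var/log/univention/connector-ad-status.log \
        && echo "status log shows the LDAP initialization warning"
fi
```

Running the script as root on the UCS host prints the verdict for the current UCR values and the remediation from the Solution section when maxssf is missing; it can also be run from a monitoring job so that the log warning is caught before synchronization has been stalled for long.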