Problem:
In AD member mode (UCS is joined to a Microsoft AD domain), the AD connector stops synchronizing and /var/log/univention/connector-ad-status.log shows:
Warning: Can’t initialize LDAP-Connections, wait…
The strace output of the connector process contains:
22:28:40.885180 sendto(8, "<35>Jul 15 22:28:40 python3: encoded packet size too big (813957120 > 16777215)", 79, MSG_NOSIGNAL, NULL, 0) = 79
Investigation:
When a certificate is uploaded, the AD Connection wizard sets the following UCR variables:
ucr set connector/ad/ldap/ssl=yes ldap/sasl/secprops/maxssf=128 connector/ad/ldap/kerberos=true
Unsetting the ldap/sasl/secprops/maxssf variable reproduces exactly this warning and strace message.
Solution:
The ldap/sasl/secprops/maxssf variable has to be set to a value; 128 is recommended.
ucr set ldap/sasl/secprops/maxssf=128
systemctl restart univention-ad-connector
An alternative workaround, which is not recommended, would be:
ucr set connector/ad/ldap/ssl=no
systemctl restart univention-ad-connector
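The checks from this article as a small triage script, added here as an example and not Univention's own code. The function names and verdict strings are made up for illustration, and the live lookup with ucr get only runs where ucr is installed.

```shell
#!/bin/sh
# Added example (not Univention code). Inputs are function arguments so the
# logic can be exercised without a UCS host.

# Print "unset", "invalid" or "ok" for a ldap/sasl/secprops/maxssf value.
classify_maxssf() {
    case "$1" in
        '')       echo unset ;;
        *[!0-9]*) echo invalid ;;
        *)        echo ok ;;
    esac
}

# Succeed if the status log contains the connector warning. The apostrophe is
# kept out of the pattern because it may be straight or typographic.
log_has_warning() {
    [ -r "$1" ] && grep -q 'initialize LDAP-Connections' "$1"
}

# Print the rejected size from an "encoded packet size too big" line as hex.
# For the line in this article the result is 0x30840000; 0x30 0x84 is how a
# BER SEQUENCE with a long-form length starts (interpretation added here:
# LDAP message bytes were read as a 4-byte SASL length prefix).
sasl_size_hex() {
    size=$(printf '%s\n' "$1" |
        sed -n 's/.*encoded packet size too big (\([0-9]*\) > [0-9]*).*/\1/p')
    [ -z "$size" ] || printf '0x%08X\n' "$size"
}

# diagnose MAXSSF SSL STATUS_LOG -> one-line verdict on stdout
diagnose() {
    state=$(classify_maxssf "$1")
    if [ "$2" = "no" ]; then
        echo "WEAK: connector/ad/ldap/ssl=no (workaround the article does not recommend)"
    elif ! log_has_warning "$3"; then
        echo "OK: warning not present in status log"
    elif [ "$state" = "ok" ]; then
        echo "OTHER: warning present although maxssf=$1; look for another cause"
    else
        echo "MATCH: maxssf is $state; set it (128 recommended) and restart univention-ad-connector"
    fi
}

# On a UCS system, read the live values; skipped where ucr is not installed.
if command -v ucr >/dev/null 2>&1; then
    diagnose "$(ucr get ldap/sasl/secprops/maxssf)" \
             "$(ucr get connector/ad/ldap/ssl)" \
             /var/log/univention/connector-ad-status.log
fi
```

A MATCH verdict corresponds to the situation described under Investigation; the status log can still hold an older warning, so re-run the check after restarting the connector.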