Problem: Check failed 904 ucsschool remove from school consistenceny

Knowledge Base Community
, , ,
#1

Problem:

Check failed: 904_ucsschool_remove_from_school_consistenceny - UCS@school Group Consistency

Investigation:

The output may look like this:

The following problems were found:
cn=sun-10d,cn=klassen,cn=schueler,cn=groups,ou=sun,dc=schein,dc=me
   - uid=sarah.conn,cn=schueler,cn=users,ou=sun,dc=schein,dc=me has no ucsschoolRole, but is in group

Now you should first check, if the user already has its ucsschoolRole:

univention-ldapsearch -LLL uid=sarah.conn univentionObjectType ucsschoolRole
dn: uid=sarah.conn,cn=schueler,cn=users,ou=sun,dc=schein,dc=me
univentionObjectType: users/user
ucsschoolRole: student:school:sun

and if the group already has the ucsschoolRole

univention-ldapsearch -LLL cn=sun-10d ucsschoolRole
# sun-10d, klassen, schueler, groups, sun, schein.me
dn: cn=sun-10d,cn=klassen,cn=schueler,cn=groups,ou=sun,dc=schein,dc=me
ucsschoolRole: school_class:school:sun

# sun-10d, klassen, shares, sun, schein.me
dn: cn=sun-10d,cn=klassen,cn=shares,ou=sun,dc=schein,dc=me
ucsschoolRole: school_class_share:school:sun

If this looks okay, you can check like the diagnostic tool:

univention-ldapsearch '(ucsschoolRole=*)' dn | grep sarah.conn

In this case we do not get a search result! But with the next one

univention-ldapsearch '(ucsschoolRole=s*)' dn | grep sarah.conn
# sarah.conn, schueler, users, sun, schein.me
dn: uid=sarah.conne,cn=schueler,cn=users,ou=sun,dc=schein,dc=me

It looks like the attributes on the user objects are not in the index of the ldap, so the check does not find these users in the right groups even though everything is correct.

Solution:

You can now have the indexes created again. This can take a little longer in larger environments.

ucr set ldap/database/mdb/envflags=nosync
systemctl restart slapd

Then the value is accepted.
Now turn off the ldap for safety.

systemctl stop slapd

Gladly check that the process is gone.
ps aufx |grep slapd
Then
slapindex

Like I said, this may take some time. Then

ucr unset ldap/database/mdb/envflags
systemctl start slapd

Bonus

You can run the check on the console manually as root:

python /usr/share/pyshared/univention/management/console/modules/diagnostic/plugins/904_ucsschool_remove_from_school_consistenc
eny.py
Problem: User cannot login anymore via ssh and terminalserver
#2
Mastodon