Problem: cn=dns permissionDenied reject on a school slave


You get the following traceback on a fresh installed school slave:

25.07.2020 06:34:34.615 LDAP        (PROCESS): sync to ucs:   [     container] [    modify] u'cn=dns,dc=schulen,dc=ucs'
25.07.2020 06:34:34.699 LDAP        (ERROR  ): Unknown Exception during sync_to_ucs
25.07.2020 06:34:34.700 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/", line 1555, in sync_to_ucs
    result = self.modify_in_ucs(property_type, object, module, position)
  File "/usr/lib/python2.7/dist-packages/univention/s4connector/", line 1299, in modify_in_ucs
    res = ucs_object.modify(serverctrls=serverctrls, response=response)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/", line 650, in modify
    dn = self._modify(modify_childs, ignore_license=ignore_license, response=response)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/", line 1327, in _modify
    self.dn = self.lo.modify(self.dn, ml, ignore_license=ignore_license, serverctrls=serverctrls, response=response)
  File "/usr/lib/python2.7/dist-packages/univention/admin/", line 897, in modify
    raise univention.admin.uexceptions.permissionDenied
root@master:~# univention-s4connector-list-rejected 

UCS rejected

S4 rejected
       1:   S4 DN: CN=dns,DC=schulen,DC=ucs
          UCS DN: cn=dns,dc=schulen,dc=ucs

There may be no rejected DNs if the connector is in progress, to be
sure stop the connector before running this script.

        last synced USN: 79274


In most cases, if the container already exists on the slaves’ ldap you can remove the reject and retrigger the object.

/usr/share/univention-s4-connector/ CN=dns,DC=schulen,DC=ucs
/usr/share/univention-s4-connector/ cn=dns,dc=schulen,dc=ucs

This topic was automatically closed after 24 hours. New replies are no longer allowed.