Problem
In some cases, after assigning a user to a group, the group is not reflected in the portal cache /var/cache/univention-portal/groups.json. As a result, portal tiles associated with those groups are not displayed for the affected users.
Upon further investigation, it was found that the issue originates from incorrect group membership data in the cache directory located at:
/usr/share/univention-group-membership-cache/caches
Although UMC and UDM interfaces correctly show the user as a group member, the cache used to build the portal display fails to reflect these changes, causing confusion and additional support load.
Root Cause
The cache used to generate the portal JSON does not include correct group membership information.
The memberUid attribute is often not populated correctly.
This results in an incomplete or incorrect portal display for the affected user.
Manually removing and re-adding the group memberships for each group does resolve the issue but is not feasible as a permanent solution, especially if many users or groups are affected.
Solution
1. Backup Existing Cache Files
Before making any changes, back up the existing cache files for safety:
cp -r /usr/share/univention-group-membership-cache/caches /root/group-membership-cache-backup
2. Rebuild Group Membership Cache
Attempt to rebuild the group membership cache:
/usr/share/univention-group-membership-cache/univention-ldap-cache rebuild
⚠️ If the problem persists, proceed to the next step.
3. Check Group LDAP Attributes
Check whether the memberUid attribute is missing for affected groups.
Example command:
univention-ldapsearch -b "cn=example-group,cn=groups,ou=SampleOU,dc=example,dc=com" | grep sample.user
If the output shows only:
uniqueMember: uid=sample.user,cn=teachers,cn=users,ou=SampleOU,dc=example,dc=com
...and missing:
memberUid: sample.user
Then memberUid is missing and needs to be corrected.
4. Automatically Sync memberUid Attributes
To automate the process of fixing memberUid inconsistencies, use the provided Univention tool:
Step 1: Dry-Run (Test Mode)
/usr/share/univention-directory-manager-tools/univention-sync-memberuid -t
Review the output to ensure the changes are as expected.
Step 2: Apply Changes
/usr/share/univention-directory-manager-tools/univention-sync-memberuid
This tool ensures that every uniqueMember entry has a corresponding memberUid. It also removes orphaned memberUid entries that lack a uniqueMember.
ℹ️ Example:
If uniqueMember exists but memberUid is missing → it will be added.
If memberUid exists but uniqueMember is missing → it will be removed.
Check again:
univention-ldapsearch -b "cn=example-group,cn=groups,ou=SampleOU,dc=example,dc=com" | grep sample.user
uniqueMember: uid=sample.user,cn=teachers,cn=users,ou=SampleOU,dc=example,dc=com
memberUid: sample.user
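The comparison from steps 3 and 4, applied to a whole group entry instead of one user found with grep. This is an added example, not part of the original article or of Univention's tooling. The function names and the sample LDIF are constructed for illustration, the input is assumed to be the LDIF of a single group object, and only members whose DN starts with uid= are compared.

```python
import base64
import re

# Constructed sample: LDIF for one group, with a folded line and a base64 value.
SAMPLE_LDIF = """\
dn: cn=example-group,cn=groups,ou=SampleOU,dc=example,dc=com
cn: example-group
uniqueMember: uid=sample.user,cn=teachers,cn=users,ou=SampleOU,dc=example,dc=com
uniqueMember: uid=other.user,cn=teachers,cn=users,ou=SampleOU,
 dc=example,dc=com
uniqueMember: cn=nested-group,cn=groups,ou=SampleOU,dc=example,dc=com
memberUid:: b3RoZXIudXNlcg==
memberUid: gone.user
"""

def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercased attribute: [values]}."""
    # LDIF folding: a line that starts with one space continues the previous line.
    unfolded = re.sub(r"\r?\n ", "", text)
    attrs = {}
    for line in unfolded.splitlines():
        m = re.match(r"([A-Za-z0-9;.-]+)(::?)\s*(.*)$", line)
        if not m:
            continue  # blank lines and comments
        name, sep, value = m.groups()
        if sep == "::":  # "attr:: value" marks a base64-encoded value
            value = base64.b64decode(value).decode("utf-8")
        attrs.setdefault(name.lower(), []).append(value)
    return attrs

def uid_from_dn(dn):
    """Return the uid if the first RDN is uid=..., else None (e.g. nested groups)."""
    first_rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    key, _, value = first_rdn.partition("=")
    return value if key.strip().lower() == "uid" else None

def check_group(ldif_text):
    """Report uid= members lacking memberUid, and memberUid values without one."""
    attrs = parse_ldif_entry(ldif_text)
    expected = {u for u in map(uid_from_dn, attrs.get("uniquemember", [])) if u}
    actual = set(attrs.get("memberuid", []))
    # Assumption: memberUid values of members whose DN does not start with
    # uid= will show up as orphaned here and need a manual look.
    return {
        "missing_memberuid": sorted(expected - actual),
        "orphaned_memberuid": sorted(actual - expected),
    }

if __name__ == "__main__":
    print(check_group(SAMPLE_LDIF))
```

Unlike a plain grep on the search output, this also catches values that are folded across lines or base64-encoded.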
(Optional) Temporarily Remove and Re-Add User to the Group (Manual Fix)
You can fix the issue temporarily by removing and then re-adding the user to the affected group.
Example commands:
Remove user from group
udm users/user modify \
  --dn "uid=sample.user,cn=teachers,cn=users,ou=SampleOU,dc=example,dc=com" \
  --remove groups="cn=example-group,cn=groups,ou=SampleOU,dc=example,dc=com"
Re-add user to group
udm users/user modify \
  --dn "uid=sample.user,cn=teachers,cn=users,ou=SampleOU,dc=example,dc=com" \
  --append groups="cn=example-group,cn=groups,ou=SampleOU,dc=example,dc=com"
(Optional) Set Up Monitoring
1. Run a Diagnostic Test Using Provided Script
Use the built-in script to detect inconsistencies between memberUid and uniqueMember:
/usr/share/univention-directory-manager-tools/univention-sync-memberuid -t
This runs in test mode and prints out which groups would be modified, without making changes.
Output is also written to:
/var/log/univention/sync-memberuid.log
2. Set Up Monitoring via Cron Job
You can automate this check and receive alerts via email when mismatches are detected.
Example Cron Script:
#!/bin/bash
# Run the sync tool in test mode (-t): reports mismatches, changes nothing.
OUTPUT=$(/usr/share/univention-directory-manager-tools/univention-sync-memberuid -t)
# Send a mail only if at least one group is reported.
if echo "$OUTPUT" | grep -q "^Group:"; then
    echo "$OUTPUT" | mail -s "Detected memberUid inconsistency" admin@example.com
fi
Save this as /usr/local/sbin/check-memberuid.sh and make it executable:
chmod +x /usr/local/sbin/check-memberuid.sh
Add to cron, e.g., to check daily at 01:00 AM:
echo "0 1 * * * root /usr/local/sbin/check-memberuid.sh" >> /etc/crontab
3. Fix Detected Inconsistencies
After confirming with test mode, run the following to automatically fix all detected issues:
/usr/share/univention-directory-manager-tools/univention-sync-memberuid