Problem:
You get a traceback with ldap.INVALID_SYNTAX: {'desc': 'Invalid syntax', 'info': 'objectClass: value #0 invalid per syntax'}
Investigation:
- Check the objectClass declaration in the extended attributes, especially if they are selfcreated extended attributes.
- You can check what happend, before this behaviour occures, you can use ldapsearch to find last changes:
univention-ldapsearch -LLL '(&(modifyTimeStamp<=20250409000000Z)(modifyTimeStamp>=20250408080000Z)(!(objectClass=ucsschoolStudent))(!(objectClass=ucsschoolTeacher))(!(objectClass=ucsschoolStaff)))' 1.1 modifyTimeStamp |less
You may adjust the filter, if you do not have ucs@school, and of cause the timestamps needs adjustments.
- You can also check
univention-ldapsearch -LLL -b cn=custom attributes,cn=univention,$(ucr get ldap/base)
or via udm
udm settings/extended_attribute list |grep DN:
for changes.
- You can also increase the loglevel for udm-cli, if you are able to reproduce the error by creating a user via udm.
ucr set directory/manager/cmd/debug/level='4'; pkill -f cli-server; tail -f /var/log/univention/directory-manager-cmd.log
Solution:
You may have defined an extended attribute, which now requires conditions that are not given.
In this case the objectClass, defined in the extendet attribute is wrong, and by setting the attribute with default=1 it was mandatory to the userobject.
This is always very individual, so there is no concrete solution here. If an extendet attribute has been newly created, then this can be deactivated again by setting the default to 0.