Problem
A school with the organizational unit (OU) school123 cannot be used for import operations on the Primary Directory Node. The OU does not appear in the UMC, in the school modules, or in the LDAP directory browser.
When searching directly via command line:
univention-ldapsearch ou=school123
the OU can be found.
However, when using the filter applied by the importer:
univention-ldapsearch "(objectClass=ucsschoolOrganizationalUnit)"
Root Cause
The issue occurs only on the Primary Directory Node — the same search works correctly on other servers. This shows that the problem is not with the school object itself, but with an inconsistent LDAP index on the Primary. The school object exists, but due to the corrupted index it is not returned when filtering by objectClass=ucsschoolOrganizationalUnit.
Solution
The issue is caused by an inconsistent LDAP index on the Primary Directory Node. To fix this, the LDAP database should be backed up and the index rebuilt. This process also defragments and optimizes the database.
During these steps, the LDAP service will be unavailable. Depending on the database size, reindexing may take some time.
Steps
cd /var/lib/univention-ldap/
mkdir ldap-new
systemctl stop slapd.service
mdb_copy -c ldap/ ldap-new/
mv ldap ldap-backup && mv ldap-new ldap
chown -R openldap:openldap ldap
slapindex -v
systemctl start slapd.service
This procedure creates a clean backup, rebuilds the LDAP index, and ensures that all objects — including the affected school OU — are correctly searchable again.