Problem: LDAP Services Fail to Start After Backup Server Update

Problem

After a server update on the backup LDAP server, both the slapd.service and univention-directory-listener.service failed to start. Additionally, no connection to the LDAP primary could be established.

Excerpt from /var/log/syslog:

2025-10-09T01:05:48.066053+02:00 def456 slapd[1050]: /etc/ldap/slapd.conf: line 274: unknown attr "@univentionFederatedAccount" in to clause
2025-10-09T01:05:48.215661+02:00 def456 slapd[1050]: slapd stopped.
2025-10-09T01:05:48.215681+02:00 def456 slapd[1050]: connections_destroy: nothing to destroy.
2025-10-09T01:05:48.228100+02:00 def456 slapd[941]: Starting ldap server(s): slapd ...failed.
2025-10-09T01:05:49.009682+02:00 def456 systemd[1]: slapd.service: Control process exited, code=exited, status=1/FAILURE
2025-10-09T01:05:49.009700+02:00 def456 systemd[1]: slapd.service: Failed with result 'exit-code'.
2025-10-09T01:05:49.009707+02:00 def456 systemd[1]: Failed to start slapd.service - LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol).

Solution

The issue occurred because the backup server was updated before the primary LDAP server, resulting in the backup being on a newer UCS errata level than the primary:

# univention-app domain
primary:
UCS: 5.2-3 errata239
Installed:
Upgradable:

backup:
UCS: 5.2-3 errata248
Installed:
Upgradable:

LDAP schema handling differs between the primary and the other DCs in the domain:

  • The primary server loads its schema from /var/lib/univention-ldap/local-schema/.
  • The backup server does not load its own copy; it receives the primary's schema through replication, written to /var/lib/univention-ldap/schema.conf, and is therefore only ever as current as the primary.

In this case, the schema defining univentionFederatedAccount was only introduced with errata 246. The slapd.conf generated on the backup (errata 248) already contains an access rule whose "to" clause uses "@univentionFederatedAccount"; in OpenLDAP ACL syntax the "@" prefix selects the attributes of that object class, so slapd must know the class when it parses the configuration. The schema the backup had replicated from the primary (errata 239) did not define it, so slapd rejected its configuration at line 274 and exited, and univention-directory-listener.service, which writes replicated changes into the local LDAP, could not start without it.

Resolution:
Update the primary server to UCS 5.2-3 errata246 or newer, then restart slapd.service and univention-directory-listener.service on the backup.
Always update the primary first so that it is at least as up-to-date as the backup and every other DC in the domain; otherwise a newer DC can generate ACLs that reference schema elements the primary's replicated schema does not yet contain.
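The two conditions described above can be checked mechanically: whether any host in the domain is ahead of the primary on errata level, and whether an access rule in slapd.conf references an object class ("@objectClass" or "!objectClass" in an attrs list) that the replicated schema does not define. The script below is an added example written for this article, not Univention code; the domain listing, slapd.conf excerpt and schema excerpt embedded in it are constructed samples modelled on the output and log line shown above, and the objectclass definition syntax it parses is the standard OpenLDAP form.

```python
"""Added example (not Univention code): detect DCs ahead of the primary and
ACL object-class references missing from the replicated schema."""
import re
from typing import Dict, List, Set, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, errata)

# Constructed sample in the shape of the `univention-app domain` output above.
DOMAIN_OUTPUT = """\
primary:
  UCS: 5.2-3 errata239
  Installed:
  Upgradable:

backup:
  UCS: 5.2-3 errata248
  Installed:
  Upgradable:

replica1:
  UCS: 5.2-3 errata239
  Installed:
  Upgradable:
"""

VERSION_RE = re.compile(r"UCS:\s*(\d+)\.(\d+)-(\d+)\s+errata(\d+)")


def parse_ucs_version(line: str) -> Version:
    """'UCS: 5.2-3 errata239' -> (5, 2, 3, 239); tuples compare in order."""
    m = VERSION_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised version line: {line!r}")
    major, minor, patch, errata = (int(x) for x in m.groups())
    return (major, minor, patch, errata)


def parse_domain_output(text: str) -> Dict[str, Version]:
    """Map each host block ('name:' followed by an indented 'UCS:' line)."""
    hosts: Dict[str, Version] = {}
    current = None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]
        elif current and line.strip().startswith("UCS:"):
            hosts[current] = parse_ucs_version(line)
    return hosts


def hosts_ahead_of_primary(text: str, primary: str = "primary") -> List[str]:
    """Hosts whose version is newer than the primary's: the unsafe state."""
    versions = parse_domain_output(text)
    ref = versions[primary]
    return sorted(h for h, v in versions.items() if v > ref)


# Constructed slapd.conf excerpt. `attrs=@objectClass` selects the attributes
# of that object class, so slapd must know the class when parsing the config.
SLAPD_CONF = """\
access to attrs=@univentionFederatedAccount
        by group/univentionGroup/uniqueMember="cn=DC Backup Hosts,cn=groups,dc=example,dc=com" write
        by * none
access to attrs=userPassword,@posixAccount
        by self write
        by * none
"""

# Constructed schema excerpt in standard OpenLDAP objectclass syntax, as a
# backup would have it in /var/lib/univention-ldap/schema.conf.
SCHEMA_CONF = """\
objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY
        MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) )
"""

ATTRS_RE = re.compile(r"\battrs=(\S+)")
OC_DEF_RE = re.compile(
    r"objectclass\s*\(.*?NAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))",
    re.IGNORECASE | re.DOTALL,
)


def acl_objectclass_refs(slapd_conf: str) -> List[str]:
    """Object classes referenced via '@oc' or '!oc' inside attrs= lists."""
    refs = set()
    for m in ATTRS_RE.finditer(slapd_conf):
        for item in m.group(1).split(","):
            if item.startswith(("@", "!")):
                refs.add(item[1:])
    return sorted(refs)


def defined_objectclasses(schema: str) -> Set[str]:
    """Names from 'objectclass ( ... NAME 'x' ...' or NAME ( 'x' 'y' )."""
    names: Set[str] = set()
    for m in OC_DEF_RE.finditer(schema):
        if m.group(1):
            names.add(m.group(1))
        else:
            names.update(re.findall(r"'([^']+)'", m.group(2)))
    return names


def missing_acl_objectclasses(slapd_conf: str, schema: str) -> List[str]:
    """ACL object-class references slapd would reject as 'unknown attr'."""
    defined = {n.lower() for n in defined_objectclasses(schema)}
    return [oc for oc in acl_objectclass_refs(slapd_conf) if oc.lower() not in defined]


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # e.g. /etc/ldap/slapd.conf /var/lib/univention-ldap/schema.conf
        conf, schema = (open(p, encoding="utf-8").read() for p in sys.argv[1:3])
    else:
        conf, schema = SLAPD_CONF, SCHEMA_CONF
    print("hosts ahead of primary:", hosts_ahead_of_primary(DOMAIN_OUTPUT))
    print("ACL object classes missing from schema:", missing_acl_objectclasses(conf, schema))
```

Run without arguments it reports "backup" as ahead of the primary and "univentionFederatedAccount" as missing from the schema, reproducing the situation in the syslog excerpt. On a real backup, pass /etc/ldap/slapd.conf and /var/lib/univention-ldap/schema.conf as the two arguments; `slaptest -f /etc/ldap/slapd.conf` gives the same verdict from slapd's own parser and is the quicker check once the primary has been updated and the schema re-replicated.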
