Problem: Memberserver - univention.admin.uexceptions.permissionDenied


You cannot install an app from the Appcenter on your memberserver/Managed Node, and you find this traceback in /var/log/univention/appcenter.log:

Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/appcenter/actions/", line 226, in call_with_namespace
    result = self.main(namespace)
  File "/usr/lib/python2.7/dist-packages/univention/appcenter/actions/", line 84, in main
    return self.do_it(args)
  File "/usr/lib/python2.7/dist-packages/univention/appcenter/actions/", line 119, in do_it
    self._do_it(app, args)
  File "/usr/lib/python2.7/dist-packages/univention/appcenter/actions/", line 63, in _do_it
    ret = super(Install, self)._do_it(app, args)
  File "/usr/lib/python2.7/dist-packages/univention/appcenter/actions/", line 104, in _do_it
    self._register_app(app, args)
  File "/usr/lib/python2.7/dist-packages/univention/appcenter/actions/", line 432, in _register_app
  File "/usr/lib/python2.7/dist-packages/univention/appcenter/", line 245, in add_localhost
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/", line 642, in modify
    dn = self._modify(modify_childs, ignore_license=ignore_license, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/", line 1312, in _modify
    self.dn = self.lo.modify(self.dn, ml, ignore_license=ignore_license, serverctrls=serverctrls, response=response)
  File "/usr/lib/pymodules/python2.7/univention/admin/", line 891, in modify
    raise univention.admin.uexceptions.permissionDenied


Note the permissionDenied exception at the end of the traceback.
It shows that the memberserver/Managed Node does not have permission to register or install the app settings on the DC-Master/Primary Node.

Check the location of this object. It has to be in:

cn=memberserver,cn=computers,$ldap_base or

univention-ldapsearch cn=<memberservername> dn

see also

Solution for Microsoft AD

If the Managed Node system is located in a Microsoft AD (Memberserver - samba-memberserver), it probably cannot be changed in the LDAP directory because the AD system is the leading system.

The other reason why the object cannot be managed via LDAP is that the following attribute is set on the member server.

univention-ldapsearch cn=ucs5managed '+' '*' |  grep univentionObject
univentionObjectFlag: synced 

Get the DN of the object:

univention-ldapsearch cn=ucs5managed | grep dn
dn: cn=ucs5managed,ou=test,ou=test-2,dc=example-ad,dc=org

To remove the attribute so that the Managed Node can be moved, create an LDIF file like this:

dn: cn=ucs5managed,ou=test,ou=test-2,dc=example-ad,dc=org
changetype: modify
delete: univentionObjectFlag
univentionObjectFlag: synced

And use this command to modify the object:

ldapmodify -D cn=admin,$(ucr get ldap/base) -y /etc/ldap.secret -f 1.ldif

Now you can move the Managed Node to the correct position in the UMC / LDAP directory.


To restore the default setting and re-attach the attribute to the object, an LDIF file can be used again:

dn: cn=ucs5managed,cn=memberserver,cn=computers,dc=example-ad,dc=org
changetype: modify
add: univentionObjectFlag
univentionObjectFlag: synced

Apply it to the object again with:

ldapmodify -D cn=admin,$(ucr get ldap/base) -y /etc/ldap.secret -f 2.ldif
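The checks from the procedure above, as an added example that is not part of the original article or of Univention's tooling: it reads saved search output, extracts the DN, tests the object's position, and generates the LDIF for the flag. The function names and the sample text are assumptions; only the cn=memberserver,cn=computers container named in the article is checked.

```shell
#!/bin/sh
# Constructed sample of `univention-ldapsearch cn=ucs5managed '+' '*'` output,
# built from the DN and flag shown in the article (the description is made up).
SAMPLE='dn: cn=ucs5managed,ou=test,ou=test-2,dc=example-ad,dc=org
cn: ucs5managed
description: moved by admin, old dn: unknown
univentionObjectFlag: synced'

# Print the entry DN. Anchoring on a leading "dn: " avoids the false hits a
# plain `grep dn` gives on values that merely contain "dn".
entry_dn() { sed -n 's/^dn: //p' | head -n 1; }

# Succeed if the entry on stdin carries univentionObjectFlag: $1.
has_flag() { grep -qix "univentionObjectFlag: $1 *"; }

# Lowercase a DN and drop spaces after commas so DNs compare reliably.
norm_dn() { printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/, */,/g'; }

# Succeed if DN $1 sits directly in cn=memberserver,cn=computers,<base $2>.
# Assumes the first RDN contains no escaped comma.
in_memberserver_container() {
    child=$(norm_dn "$1")
    [ "${child#*,}" = "$(norm_dn "cn=memberserver,cn=computers,$2")" ]
}

# Emit the LDIF that deletes or adds the synced flag ($1 = delete|add, $2 = DN).
flag_ldif() {
    case $1 in delete|add) ;; *) echo "usage: flag_ldif delete|add DN" >&2; return 2 ;; esac
    printf 'dn: %s\nchangetype: modify\n%s: univentionObjectFlag\nuniventionObjectFlag: synced\n' "$2" "$1"
}

# Decide which step of the article applies ($1 = search output, $2 = LDAP base).
next_step() {
    found=$(printf '%s\n' "$1" | entry_dn)
    [ -n "$found" ] || { echo "no-entry"; return 1; }
    if in_memberserver_container "$found" "$2"; then
        echo "ok"
    elif printf '%s\n' "$1" | has_flag synced; then
        echo "remove-flag-then-move"
    else
        echo "move"
    fi
}

next_step "$SAMPLE" "dc=example-ad,dc=org"   # entry from the article
```

On a real system, pass the output of the search command and `$(ucr get ldap/base)` instead of the sample values, and redirect `flag_ldif` into the file given to ldapmodify.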