You find a traceback like this on a school slave in the /var/log/univention/connector-s4.log
04.01.2019 10:39:42,517 LDAP (PROCESS): sync to ucs: [ user] [ modify] uid=staff,cn=users,dc=schein,dc=ig 04.01.2019 10:39:42,774 LDAP (ERROR ): Unknown Exception during sync_to_ucs 04.01.2019 10:39:42,775 LDAP (ERROR ): Traceback (most recent call last): File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1626, in sync_to_ucs result = self.modify_in_ucs(property_type, object, module, position) File "/usr/lib/pymodules/python2.7/univention/s4connector/__init__.py", line 1377, in modify_in_ucs res = ucs_object.modify(serverctrls=serverctrls, response=response) File "/usr/lib/pymodules/python2.7/univention/admin/handlers/users/user.py", line 1669, in modify return super(object, self).modify(*args, **kwargs) File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 583, in modify dn = self._modify(modify_childs, ignore_license=ignore_license, response=response) File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 1222, in _modify self.lo.modify(self.dn, ml, ignore_license=ignore_license, serverctrls=serverctrls, response=response) File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 823, in modify raise univention.admin.uexceptions.permissionDenied permissionDenied
This can happen to global users as staff members.
In school environments the changes of objects within an OU are written back to the master. Objects outside the OU cannot be written back restricted by ldap acls.
Therfore the permissionDenied occurs.
In this special case the user was created long before 4.3 and some “new” attributes served with 4.3 were not saved.
The following empty properties have been set to default values. The values are applied when saving. Account - Deactivation - Account is deactivated: false [Advanced Settings] - Mail - E-mail Quota (MB): 0
After saving these default values, the reject has dissolved.
Note: To make sure all objects have their default values check this article.