Kudos @Pepe
Problem:
univention-s4connector-list-rejected
shows very frequently rejects as follows:
UCS rejected
1: UCS DN: cn=Console Logon,cn=Builtin,dc=domain,dc=intranet
S4 DN: cn=console logon,cn=builtin,DC=domain,DC=intranet
Filename: /var/lib/univention-connector/s4/1532257834.494789
S4 rejected
1: S4 DN: CN=Console Logon,CN=Builtin,DC=domain,DC=intranet
UCS DN: cn=console logon,cn=builtin,dc=domain,dc=intranet
last synced USN: 25042
Removing the reject only helps for a short time and the reject happens again later.
Solution
It appears this group is to be ignored by the connector (see bug) but is not set in the filter rules.
To add and this group as a new entry to the connector/s4/mapping/group/ignorelist
do the following:
ucr set connector/s4/mapping/group/ignorelist="Console Logon, $(ucr get connector/s4/mapping/group/ignorelist)"
systemctl restart univention-s4-connector
You might use UMC to add this entry to the UCS registry, too.