Problem: S4 Connector Rejects with "Can not modify lock time of"


Running univention-s4connector-list-rejected shows rejects in your environment:

UCS rejected

S4 rejected

    1:    S4 DN: CN=dns-slave,CN=Users,DC=multi,DC=ucs
         UCS DN: <not found>

	last synced USN: 138427


The log file /var/log/univention/connector-s4.log contains the matching traceback:

18.02.2020 09:18:37.234 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/admin/", line 101, in lock
    raise univention.admin.uexceptions.permissionDenied(_('Can not modify lock time of %r.') % (dn,))
permissionDenied: Can not modify lock time of u'cn=dns-slave,cn=uid,cn=temporary,cn=univention,dc=multi,dc=ucs'.


The cn=temporary part of the DN points to a temporary object which UCS creates and removes again once the original object has been created properly.
To fix this:

  • delete the temporary object on the master:
    ldapdelete -x -D "cn=admin,$(ucr get ldap/base)" "cn=dns-slave,cn=uid,cn=temporary,cn=univention,dc=multi,dc=ucs" -y /etc/ldap.secret
  • restart univention-s4-connector:
    systemctl restart univention-s4-connector
  • trigger a resync for the original object (you might need to run an ldapsearch first to identify the correct DN):
    /usr/share/univention-s4-connector/ "cn=dns-slave,cn=uid,cn=univention,dc=multi,dc=ucs"
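
Added example (not part of the original article or Univention's tooling): before the ldapdelete step, this script pulls the lock DNs out of the connector-s4.log tracebacks, keeps only those below cn=temporary,cn=univention, and prints an ldapsearch to confirm each one. The sample log, the second host name and the function names are constructed for illustration; treating the u prefix as optional is an assumption.

```shell
#!/bin/sh
# Added example: find stale lock objects named in connector-s4.log tracebacks.

# Constructed sample log (first traceback line taken from the article,
# the other DNs are made up for illustration).
sample_log() {
cat <<'EOF'
18.02.2020 09:18:37.234 LDAP        (ERROR  ): Traceback (most recent call last):
permissionDenied: Can not modify lock time of u'cn=dns-slave,cn=uid,cn=temporary,cn=univention,dc=multi,dc=ucs'.
18.02.2020 09:19:07.511 LDAP        (ERROR  ): Traceback (most recent call last):
permissionDenied: Can not modify lock time of u'cn=dns-slave,cn=uid,cn=temporary,cn=univention,dc=multi,dc=ucs'.
permissionDenied: Can not modify lock time of u'cn=backup-host,cn=uid,cn=temporary,cn=univention,dc=multi,dc=ucs'.
permissionDenied: Can not modify lock time of u'cn=dns-slave,cn=users,dc=multi,dc=ucs'.
EOF
}

# extract_lock_dns FILE
# Print each distinct DN from the permissionDenied lines, but only DNs that
# lie below cn=temporary,cn=univention. Anything else is never a lock object
# and must not end up in an ldapdelete call.
# Assumption: the u'' prefix is optional so output without it also matches.
extract_lock_dns() {
    sed -n "s/^permissionDenied: Can not modify lock time of u\{0,1\}'\(.*\)'\.\$/\1/p" "$1" |
        grep -i ',cn=temporary,cn=univention,' |
        sort -u
}

# print_checks FILE
# Print (do not run) one base-scope ldapsearch per DN, to confirm on the
# master that the temporary object still exists before deleting it.
print_checks() {
    extract_lock_dns "$1" | while IFS= read -r dn; do
        printf 'ldapsearch -x -D "cn=admin,$(ucr get ldap/base)" -y /etc/ldap.secret -b "%s" -s base dn\n' "$dn"
    done
}

log=$(mktemp)
sample_log > "$log"
print_checks "$log"
rm -f "$log"
```

To use it on a real system, pass /var/log/univention/connector-s4.log to print_checks instead of the sample file.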