Problem
Running univention-s4connector-list-rejected shows rejects in your environment:
UCS rejected
S4 rejected
1: S4 DN: CN=dns-slave,CN=Users,DC=multi,DC=ucs
UCS DN: <not found>
last synced USN: 138427
Environment
When you check the related log file /var/log/univention/connector-s4.log, you will see related tracebacks:
18.02.2020 09:18:37.234 LDAP (ERROR ): Traceback (most recent call last):
[...]
File "/usr/lib/python2.7/dist-packages/univention/admin/locking.py", line 101, in lock
raise univention.admin.uexceptions.permissionDenied(_('Can not modify lock time of %r.') % (dn,))
permissionDenied: Can not modify lock time of u'cn=dns-slave,cn=uid,cn=temporary,cn=univention,dc=multi,dc=ucs'.
Solution
The DN under cn=temporary points to an object which is created by UCS and will be removed once the original object has been created properly.
To fix this:
- delete the temporary object on the master:
ldapdelete -x -D "cn=admin,$(ucr get ldap/base)" "cn=dns-slave,cn=uid,cn=temporary,cn=univention,dc=multi,dc=ucs" -y /etc/ldap.secret
- restart univention-s4-connector:
systemctl restart univention-s4-connector
- trigger a resync for the original object (you might need to run an ldapsearch first to identify the correct DN):
/usr/share/univention-s4-connector/resync_object_from_s4.py "cn=dns-slave,cn=uid,cn=univention,dc=multi,dc=ucs"
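When several objects are rejected, the temporary DNs to delete can be pulled out of the tracebacks instead of being copied by hand. The script below is an added example, not part of the original article or of UCS; the function names are hypothetical and the sample log is constructed from the traceback shown above. It only prints the ldapdelete commands for review and does not run them.

```shell
#!/bin/sh
# Added example: list the stale cn=temporary lock objects named in
# connector-s4.log and print (not execute) the matching cleanup commands.

# Read a connector log on stdin, print each distinct temporary DN once.
stale_lock_dns() {
    sed -n "s/^.*permissionDenied: Can not modify lock time of u\{0,1\}'\(.*,cn=temporary,cn=univention,.*\)'\.\$/\1/p" |
        sort -u
}

# Read DNs on stdin and print the ldapdelete call from the steps above
# for each one. The command substitution is left unexpanded on purpose so
# the printed line can be reviewed and then run on the master.
print_cleanup() {
    while IFS= read -r dn; do
        printf 'ldapdelete -x -D "cn=admin,$(ucr get ldap/base)" "%s" -y /etc/ldap.secret\n' "$dn"
    done
}

# Constructed sample: the same reject logged twice plus an unrelated error.
sample_log() {
    cat <<'EOF'
18.02.2020 09:18:37.234 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/univention/admin/locking.py", line 101, in lock
    raise univention.admin.uexceptions.permissionDenied(_('Can not modify lock time of %r.') % (dn,))
permissionDenied: Can not modify lock time of u'cn=dns-slave,cn=uid,cn=temporary,cn=univention,dc=multi,dc=ucs'.
18.02.2020 09:23:41.102 LDAP        (ERROR  ): Traceback (most recent call last):
permissionDenied: Can not modify lock time of u'cn=dns-slave,cn=uid,cn=temporary,cn=univention,dc=multi,dc=ucs'.
18.02.2020 09:23:42.000 LDAP        (ERROR  ): some unrelated error line
EOF
}

# Demo on the constructed sample. On a real system, feed the log instead:
#   stale_lock_dns < /var/log/univention/connector-s4.log | print_cleanup
sample_log | stale_lock_dns | print_cleanup
```

After deleting the listed objects, continue with the connector restart and the resync as described in the steps above.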