Problem: S4 Connector Rejects with "Can not modify lock time of"

Problem

Running univention-s4connector-list-rejected shows rejects in your environment:

UCS rejected


S4 rejected

    1:    S4 DN: CN=dns-slave,CN=Users,DC=multi,DC=ucs
         UCS DN: <not found>

	last synced USN: 138427

Environment

The logfile /var/log/univention/connector-s4.log contains the related tracebacks:

18.02.2020 09:18:37.234 LDAP        (ERROR  ): Traceback (most recent call last):
[...]
  File "/usr/lib/python2.7/dist-packages/univention/admin/locking.py", line 101, in lock
    raise univention.admin.uexceptions.permissionDenied(_('Can not modify lock time of %r.') % (dn,))
permissionDenied: Can not modify lock time of u'cn=dns-slave,cn=uid,cn=temporary,cn=univention,dc=multi,dc=ucs'.

Solution

The DN under cn=temporary points to an object which is created by UCS and is removed once the original object has been created properly.
To fix this:

  • delete the temporary object on the master:
    ldapdelete -x -D "cn=admin,$(ucr get ldap/base)" "cn=dns-slave,cn=uid,cn=temporary,cn=univention,dc=multi,dc=ucs" -y /etc/ldap.secret
  • restart univention-s4-connector:
    systemctl restart univention-s4-connector
  • trigger a resync for the original object (you might need to run an ldapsearch first to identify the correct DN):
    /usr/share/univention-s4-connector/resync_object_from_s4.py "cn=dns-slave,cn=uid,cn=univention,dc=multi,dc=ucs"
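
Before deleting anything with the admin bind, it helps to confirm that every DN taken from the log really sits below cn=temporary,cn=univention. The following is an added example, not part of the original article or of UCS: the function names and the sample log are constructed, and it assumes the log line format shown in the traceback above. It only prints the ldapdelete commands for review.

```shell
#!/bin/sh
# extract_lock_dns BASE < logfile
# Prints each distinct DN from "Can not modify lock time of" lines, but only
# if it sits below cn=temporary,cn=univention,BASE (exact-case match).
# Anything else is skipped, so an unexpected log line never yields a
# delete target for the cn=admin bind.
extract_lock_dns() {
    base=$1
    sed -n "s/^permissionDenied: Can not modify lock time of u\{0,1\}'\(.*\)'\.\$/\1/p" |
    while IFS= read -r dn; do
        case $dn in
            *[!A-Za-z0-9=,._-]*) continue ;;  # refuse quotes, spaces, shell metacharacters
            *?",cn=temporary,cn=univention,$base") printf '%s\n' "$dn" ;;
        esac
    done | sort -u
}

# print_cleanup BASE < logfile
# Prints (does not run) the article's ldapdelete command for each validated DN.
print_cleanup() {
    extract_lock_dns "$1" | while IFS= read -r dn; do
        printf 'ldapdelete -x -D "cn=admin,%s" "%s" -y /etc/ldap.secret\n' "$1" "$dn"
    done
}

# Constructed sample: the article's traceback line (twice), one DN outside
# cn=temporary and one DN with shell metacharacters; the last two are dropped.
sample_log() {
cat <<'EOF'
18.02.2020 09:18:37.234 LDAP        (ERROR  ): Traceback (most recent call last):
permissionDenied: Can not modify lock time of u'cn=dns-slave,cn=uid,cn=temporary,cn=univention,dc=multi,dc=ucs'.
permissionDenied: Can not modify lock time of u'cn=dns-slave,cn=uid,cn=temporary,cn=univention,dc=multi,dc=ucs'.
permissionDenied: Can not modify lock time of u'cn=dns-slave,cn=users,dc=multi,dc=ucs'.
permissionDenied: Can not modify lock time of u'cn=x";id;",cn=uid,cn=temporary,cn=univention,dc=multi,dc=ucs'.
EOF
}

sample_log | print_cleanup "dc=multi,dc=ucs"
```

On a real system, call it as print_cleanup "$(ucr get ldap/base)" < /var/log/univention/connector-s4.log and run the printed commands only after reviewing them.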