Problem: Special LDAP queries are not working anymore

Problem:

LDAP queries for group flattening (the LDAP_MATCHING_RULE_IN_CHAIN extensible match on memberOf) fail with an "Operations error":

ucs:~# ldapsearch -ZZ -H ldap://ucs.schein.ig -b dc=schein,dc=ig -x -D cn=auth-proxmox,cn=systemusers,cn=schein,cn=users,dc=schein,dc=ig -w password memberOf:1.2.840.113556.1.4.1941:=cn=service-pve-foo,cn=servicegroups,cn=Groups,dc=schein,dc=ig member

# search result
search: 3
result: 1 Operations error
text: 00002020: Indexed and full searches both failed!

Investigation

It seems that the bind user's read authorization in Samba is too restricted. In particular, it lacks the right to see some group policy objects (GPOs).
Group policy objects also appear to be necessary for Samba to determine the recursive group memberships.

Solution:

This is a bug in Samba, which is a consequence of the security update (Security and bugfix errata for Univention Corporate Server).
When evaluating the ACLs, Samba walks through every object, and as soon as it detects one it is not allowed to read, regardless of whether that object is relevant to the query or not, it aborts with an error.

The workaround is to set the List Children permission (for authenticated users) on all GPOs again.
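To make clear what the failing query is supposed to return, here is an added example (not part of the original post, and not Samba's code) that computes the same transitive "group flattening" client-side: everything reachable from a group through nested member links, which is what memberOf:1.2.840.113556.1.4.1941:=<group DN> asks the server to evaluate. The directory snapshot, the DNs and the membership cycle in it are constructed for illustration. Such a client-side walk is also a practical fallback while the server-side matching rule is broken, provided the bind user can read the plain member attribute of the groups involved.

```python
"""Client-side equivalent of the LDAP_MATCHING_RULE_IN_CHAIN query
(memberOf:1.2.840.113556.1.4.1941:=<group DN>) from the problem report.

Added example, not code from the original post or from Samba. The
directory snapshot below is constructed; it is not data from the
affected server.
"""

from collections import deque

# Constructed snapshot: group DN -> direct values of its 'member' attribute.
# 'pve-admins' and 'ops' contain each other on purpose, so the walk has to
# cope with a membership cycle and still terminate.
DIRECTORY = {
    "cn=service-pve-foo,cn=servicegroups,cn=groups,dc=example,dc=test": [
        "cn=pve-admins,cn=groups,dc=example,dc=test",
        "uid=alice,cn=users,dc=example,dc=test",
    ],
    "cn=pve-admins,cn=groups,dc=example,dc=test": [
        "cn=ops,cn=groups,dc=example,dc=test",
        "uid=bob,cn=users,dc=example,dc=test",
    ],
    "cn=ops,cn=groups,dc=example,dc=test": [
        "cn=pve-admins,cn=groups,dc=example,dc=test",  # cycle back to pve-admins
        "uid=carol,cn=users,dc=example,dc=test",
    ],
    "cn=unrelated,cn=groups,dc=example,dc=test": [
        "uid=dave,cn=users,dc=example,dc=test",
    ],
}


def flatten_members(directory, group_dn):
    """Return every DN (nested groups and users) reachable from group_dn
    through 'member' links, excluding group_dn itself.

    This is the set of entries the server would return for
    memberOf:1.2.840.113556.1.4.1941:=<group_dn>. The 'seen' set is what
    keeps a membership cycle from looping forever.
    """
    seen = set()
    queue = deque([group_dn])
    while queue:
        current = queue.popleft()
        for member in directory.get(current, []):
            if member not in seen:
                seen.add(member)
                if member in directory:
                    queue.append(member)  # nested group: descend into it
    seen.discard(group_dn)
    return seen


def effective_users(directory, group_dn):
    """Only the user entries (DNs that are not groups) in the flattened set."""
    return {dn for dn in flatten_members(directory, group_dn) if dn not in directory}


def groups_of(directory, member_dn):
    """Inverse direction: every group that transitively contains member_dn."""
    return {g for g in directory if member_dn in flatten_members(directory, g)}


if __name__ == "__main__":
    root = "cn=service-pve-foo,cn=servicegroups,cn=groups,dc=example,dc=test"
    for dn in sorted(effective_users(DIRECTORY, root)):
        print(dn)
```

Run as a script it lists alice, bob and carol, the users that end up with the service group's rights through nesting; dave, who is only in the unrelated group, is not included, and the pve-admins/ops cycle does not cause an endless loop.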
