Problem: The diagnostic tool shows inconsistencies between class/working group memberships

Problem:

The diagnostic tool shows

UCS@school: test for inconsistencies between class/working group memberships and school memberships.
The following problems were found:
uid=cscheini,cn=schueler,cn=users,ou=sun,dc=schein,dc=me - uid=cscheini, cn=schueler,cn=users,ou=sun,dc=schein,dc=me is not part of the school but in set([‘sun’])

image

Investigation:

Search the attributes of the user:

root@master:~# univention-ldapsearch -LLL uid=cscheini univentionObjectType ucsschoolSchool ucsschoolRole
dn: uid=cscheini,cn=schueler,cn=users,ou=sun,dc=schein,dc=me
univentionObjectType: users/user
ucsschoolSchool: moon
ucsschoolSchool: sun
ucsschoolRole: student:school:sun

The ucsschoolRole for school moon is missing here or the
ucsschoolSchool attribute is too much, maybe mistakenly added.

Solution:

Remove the ucsschoolSchool attribute or add the ucsschoolRole student:school:moon

ldapmodify -x -D "cn=admin,$(ucr get ldap/base)" -y /etc/ldap.secret <<EOR
dn: uid=cscheini,cn=schueler,cn=users,ou=sun,dc=schein,dc=me
changetype: modify
add: ucsschoolRole
ucsschoolRole: student:school:moon
EOR

— or —

ldapmodify -x -D "cn=admin,$(ucr get ldap/base)" -y /etc/ldap.secret <<EOR
dn: uid=cscheini,cn=schueler,cn=users,ou=sun,dc=schein,dc=me
changetype: modify
delete: ucsschoolSchool
ucsschoolSchool: moon
EOR