Problem:
The join script 70ucs-school-ldap-acls-master.inst fails during the update to UCS@school 5.2 v4. The issue occurs when the join script tries to activate the LDAP extension object 61ucsschool_presettings.
Affected Version
- Product: UCS@school
- Version: 5.2v4
Symptoms
During the join process, the following error messages appear in /var/log/univention/join.log:
RUNNING 70ucs-school-ldap-acls-master.inst
2025-09-04 10:22:10.024614571+02:00 (in joinscript_init)
Object exists: cn=ucsschool,cn=groups,dc=univention-linux,dc=lokal
Object exists: (group) The groupname is already in use as groupname or as username: DC-Verwaltungsnetz.
Object exists: (group) The groupname is already in use as groupname or as username: Member-Verwaltungsnetz.
Object exists: (group) The groupname is already in use as groupname or as username: DC-Edukativnetz.
Object exists: (group) The groupname is already in use as groupname or as username: Member-Edukativnetz.
Object exists: cn=ldapacl,cn=univention,dc=univention-linux,dc=lokal
INFO: No change of core data of object 61ucsschool_presettings.
No modification: cn=61ucsschool_presettings,cn=ldapacl,cn=univention,dc=univention-linux,dc=lokal
Waiting for activation of the extension object 61ucsschool_presettings: ......................................................ERROR: Primary Directory Node did not mark the extension object active within 180 seconds.
ERROR
ucs_registerLDAPExtension: registraton of /usr/share/ucs-school-ldap-acls-master/61ucsschool_presettings failed.
Additionally, /var/log/univention/listener.log contains:
04.09.25 10:22:14.227 LDAP ( PROCESS ) : connecting to ldap://server.univention-linux.lokal:7389
04.09.25 10:22:14.231 LISTENER ( PROCESS ) : updating 'cn=61ucsschool_presettings,cn=ldapacl,cn=univention,dc=univention-linux,dc=lokal' command m
04.09.25 10:22:14.232 LISTENER ( PROCESS ) : ldap_extension: cn=61ucsschool_presettings,cn=ldapacl,cn=univention,dc=univention-linux,dc=lokal active? [b'FALSE']
Multifile: /etc/ldap/slapd.conf
04.09.25 10:22:21.556 LISTENER ( ERROR ) : ldap_extension: slapd.conf validation failed:
overlay "refint" not found
slaptest: bad configuration file!
.
04.09.25 10:22:21.655 LISTENER ( ERROR ) : ldap_extension: Removing new file /etc/univention/templates/files/etc/ldap/slapd.conf.d/61ucsschool_presettings.
04.09.25 10:22:21.655 LISTENER ( ERROR ) : ldap_extension: Restoring previous file /etc/univention/templates/files/etc/ldap/slapd.conf.d/61ucsschool_presettings.
04.09.25 10:22:21.655 LISTENER ( ERROR ) : ldap_extension: Restoring previous backlink file /etc/univention/templates/files/etc/ldap/slapd.conf.d/61ucsschool_presettings.info.
04.09.25 10:22:21.655 LISTENER ( ERROR ) : ldap_extension: Restoring previous UCR info file /etc/univention/templates/info/ldapacl_61ucsschool_presettings.info.
Multifile: /etc/ldap/slapd.conf
As a result, the join script does not complete successfully.
Root Cause:
On systems that were originally installed with UCS 4.4 or earlier, the UCR variable ldap/refint may still be set to false. Starting with UCS 5.0, the default value for this variable was changed to true.
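If the variable remains set to false, the required refint overlay is not enabled. Validation of slapd.conf then fails with the message overlay "refint" not found, the listener restores the previous files, and the LDAP extension object is never marked active.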
This behavior is documented in Bug 58585.
Fixed: see section 2, "Changelog", of the UCS@school 5.2v4 Changelog.
Solution:
Set the UCR variable ldap/refint to true on the DC Master:
ucr info ldap/refint
ldap/refint: true
Whether or not the refint overlay should be enabled. It enforces referential integrity for the attribute uniqueMember. Only applies to the DC Master.
Categories: service-ldap
Default: true
Type: bool
ucr set ldap/refint=true
After setting the variable, re-run the join script:
univention-run-join-scripts --run-scripts 70ucs-school-ldap-acls-master.inst
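
To confirm that a failed activation matches the case described here, the listener.log symptom can be correlated with the value of ldap/refint. The following shell functions are an added example, not Univention code: they assume the listener.log layout shown in the excerpt above, the sample log is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Univention code). Log layout assumed from the excerpt above.

# Constructed sample modelled on the listener.log excerpt in this article.
sample_listener_log() {
cat <<'EOF'
04.09.25 10:22:14.232 LISTENER ( PROCESS ) : ldap_extension: cn=61ucsschool_presettings,cn=ldapacl,cn=univention,dc=example,dc=test active? [b'FALSE']
Multifile: /etc/ldap/slapd.conf
04.09.25 10:22:21.556 LISTENER ( ERROR ) : ldap_extension: slapd.conf validation failed:
overlay "refint" not found
slaptest: bad configuration file!
04.09.25 10:22:21.655 LISTENER ( ERROR ) : ldap_extension: Restoring previous file /etc/univention/templates/files/etc/ldap/slapd.conf.d/61ucsschool_presettings.
EOF
}

# Print "<extension-cn> <missing-overlay>" for each activation whose
# slapd.conf validation failed because slaptest could not find an overlay.
find_overlay_failures() {
    awk '
        /ldap_extension: cn=[^,]+,cn=ldapacl,.* active[?]/ {
            ext = $0; sub(/.*ldap_extension: cn=/, "", ext); sub(/,.*/, "", ext)
        }
        /ldap_extension: slapd.conf validation failed/ { failed = 1; next }
        # slaptest output follows the failure line without a timestamp.
        failed && /^overlay "[^"]+" not found/ {
            ov = $2; gsub(/"/, "", ov); print ext, ov; failed = 0
        }
        # The next timestamped listener line ends the slaptest output.
        failed && /^[0-9][0-9][.][0-9][0-9][.][0-9][0-9] / { failed = 0 }
    ' "$1"
}

# $1 = listener.log path, $2 = current ldap/refint value.
# Returns 0: no refint failure logged; 1: failure and ldap/refint is not
# "true" (the cause described above); 2: failure logged but value already true.
diagnose_refint() {
    hits=$(find_overlay_failures "$1" | awk '$2 == "refint" { print $1 }' | sort -u)
    [ -n "$hits" ] || { echo "no refint-related activation failure"; return 0; }
    echo "extensions that failed validation (overlay refint missing): $hits"
    if [ "$2" = "true" ]; then
        echo "ldap/refint is already true; log entries may predate the change"
        return 2
    fi
    echo "ldap/refint is '${2:-unset}'; set it to true and re-run the join script"
    return 1
}

# On the Primary Directory Node (hypothetical invocation):
#   diagnose_refint /var/log/univention/listener.log "$(ucr get ldap/refint)"
```

A return code of 2 means the log still shows the failure although the variable is already true, which is expected until the join script has been re-run.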