The Univention S4 Connector synchronizes objects between the UCS management system and the Samba 4 Active Directory service. Due to technical restrictions, it is not always possible to set every attribute in one operation, for example while creating a user in Samba 4 Active Directory. Such changes have to be made in two or more steps. To ensure these steps are not interrupted, the S4 Connector uses a locking database. If an error occurs, the S4 Connector may reject an object with the following message:
From connector-s4.log:
29.02.2017 06:26:34,282 LDAP (PROCESS): sync from ucs: Resync rejected file: /var/lib/univention-connector/s4/1484053706.869078
29.01.2017 06:26:34,283 LDAP (PROCESS): sync from ucs: [ user] [ modify] CN=testuser,CN=Users,DC=univention,DC=intranet
29.01.2017 06:26:34,285 LDAP (PROCESS): Unable to sync CN=testuser,CN=Uers,DC=univention,DC=intranet (GUID: 487f3cb8-7cc0-4919-b132-771300a5bf91). The object is currently locked.
In this case, the objects have to be checked. The easiest way is to search for them with the command line tools ‘univention-ldapsearch’ and ‘univention-s4search’. If the objects look completely synchronized, the locking object can be removed.
This can be done with the following steps:
- The S4 connector must first be stopped:
# /etc/init.d/univention-s4-connector stop
- Back up the original table:
# cp /etc/univention/connector/lockingdb.sqlite /etc/univention/connector/lockingdb.sqlite_$(date -Is)
- Then delete the contents of the S4_LOCK table:
# sqlite3 /etc/univention/connector/lockingdb.sqlite
sqlite> SELECT * FROM S4_LOCK;
sqlite> DELETE FROM S4_LOCK;
sqlite> SELECT COUNT(*) FROM S4_LOCK;
sqlite> .exit
- The S4 Connector is then restarted:
# /etc/init.d/univention-s4-connector start
- After restarting the service, the S4 Connector replication status can be checked using the command below:
# univention-s4connector-list-rejected
In case the reject isn’t resolved afterwards, the log file
/var/log/univention/connector-s4.log
has to be checked.
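To see which objects the log still reports as locked after the restart, it can be filtered for the message shown in the excerpt above. The following Python script is an added example and not part of the Univention tooling; the function name locked_objects, its since parameter and the sample lines are constructed for illustration and assume the line format of that excerpt.

```python
import re
import sys

# Constructed sample lines in the format of the excerpt above (not real log data).
SAMPLE_LOG = """\
29.01.2017 06:26:34,283 LDAP (PROCESS): sync from ucs: [ user] [ modify] CN=testuser,CN=Users,DC=univention,DC=intranet
29.01.2017 06:26:34,285 LDAP (PROCESS): Unable to sync CN=testuser,CN=Users,DC=univention,DC=intranet (GUID: 487f3cb8-7cc0-4919-b132-771300a5bf91). The object is currently locked.
29.01.2017 06:31:34,102 LDAP (PROCESS): Unable to sync CN=testuser,CN=Users,DC=univention,DC=intranet (GUID: 487f3cb8-7cc0-4919-b132-771300a5bf91). The object is currently locked.
29.01.2017 06:31:35,000 LDAP (PROCESS): Unable to sync CN=lab user (temp),CN=Users,DC=univention,DC=intranet (GUID: 00000000-0000-4000-8000-000000000001). The object is currently locked.
"""

# Timestamp parts are captured separately so lines can be ordered as strings;
# no calendar validation is done, so an odd date in the log cannot raise.
LOCKED = re.compile(
    r"^(?P<d>\d{2})\.(?P<m>\d{2})\.(?P<y>\d{4}) (?P<t>\d{2}:\d{2}:\d{2}),\d{3}\s+"
    r"LDAP\s+\(\w+\s*\):\s+Unable to sync (?P<dn>.+) "
    r"\(GUID: (?P<guid>[0-9a-fA-F-]{36})\)\. The object is currently locked\."
)


def locked_objects(lines, since=None):
    """Group "currently locked" rejects by GUID.
    since: optional "dd.mm.YYYY HH:MM:SS" (e.g. the restart time); older lines are skipped."""
    floor = None
    if since:
        day, clock = since.split(" ")
        d, m, y = day.split(".")
        floor = (y, m, d, clock)
    found = {}
    for line in lines:
        hit = LOCKED.match(line.strip())
        if not hit:
            continue
        if floor and (hit["y"], hit["m"], hit["d"], hit["t"]) < floor:
            continue
        stamp = "{d}.{m}.{y} {t}".format(**hit.groupdict())
        entry = found.setdefault(
            hit["guid"].lower(), {"dn": hit["dn"], "count": 0, "first": stamp})
        entry["count"] += 1
        entry["last"] = stamp  # lines arrive in file order, so this ends as the newest
    return found


if __name__ == "__main__":
    src = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for guid, e in locked_objects(src).items():
        print(f"{guid}  x{e['count']}  {e['first']} .. {e['last']}  {e['dn']}")
```

Run it with the path to connector-s4.log as the only argument; a GUID that still appears with a timestamp later than the restart is an object that remains locked.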