Note:
This description reflects the resolution of a specific error case. Similar symptoms may have different root causes, and the steps below might not be applicable in every situation.
Problem:
During attempts to enable schools for synchronization with the ID Broker, the verification process consistently failed.
-
The schools were enabled with:
univention-app shell ucsschool-id-connector \ /var/lib/univention-appcenter/apps/ucsschool-id-connector/conf/plugins/packages/idbroker/manage_schools_to_sync.py \ add_schools --school_authority $NAMESPACEID <ou1> <ou2> <ou3> -
Verification of users from the affected schools failed, e.g.:
univention-app shell ucsschool-id-connector \ /var/lib/univention-appcenter/apps/ucsschool-id-connector/conf/plugins/packages/idbroker/verify.py \ users -a $NAMESPACEID "uid=schueler-xy"→
FAIL User NOT FOUND on ID Broker server
Additionally, the output directory /var/lib/univention-appcenter/apps/ucsschool-id-connector/data/out_queues/$NAMESPACEID/contained a very large number of *_ready.json files (around 95,000), indicating that processing had stalled or not completed correctly.
Solution:
In this case, it was discovered that the connector was still operating in initial sync mode.
This can be confirmed with:
grep initial /var/lib/univention-appcenter/apps/ucsschool-id-connector/conf/school_authorities/$NAMESPACEID.json
"initial_import_mode": true,
According to the documentation, during the initial synchronization the service
univention-appcenter-listener-converter@ucsschool-id-connector.service
should not be running, as the connector operates in a special mode.
Steps taken in this case:
-
Wait until the synchronization process has finished.
-
Stop the listener converter service:
systemctl stop univention-appcenter-listener-converter@ucsschool-id-connector.service -
Check and, if needed, set the parameter in
/var/lib/univention-appcenter/apps/ucsschool-id-connector/conf/school_authorities/$NAMESPACEID.json
tofalse:"initial_import_mode": false -
Restart the connector container:
systemctl restart ucsschool-id-connector_Container.service -
Verify that
"initial_import_mode"remainsfalse.-
If it reverts to
true, further investigation is needed. -
If it stays
false, start the listener converter service again:systemctl start univention-appcenter-listener-converter@ucsschool-id-connector.service
-
Once the connector is no longer in initial sync mode, schools can be synced (or re-synced) with:
univention-app shell ucsschool-id-connector
cd /var/lib/univention-appcenter/apps/ucsschool-id-connector/conf/plugins/packages/idbroker/
./manage_schools_to_sync.py add_schools --school_authority $NAMESPACEID --initial_sync false ou1
Important: The --initial_sync false flag is crucial in this step.