univention.admin.uexceptions.noLock: Could not acquire lock: The attribute 'mailPrimaryAddress' could not get locked

Problem

univention-ad-connector-list-rejected may show rejects during sync from Active Directory to UCS and /var/log/univention/connector-ad.log may show a traceback like this:

22.10.2025 13:50:08.953 LDAP        (ERROR  ): Unknown Exception during sync_to_ucs
22.10.2025 13:50:08.954 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/groups/group.py", line 479, in _ldap_pre_ready
    self.request_lock('mailPrimaryAddress', self['mailAddress'])
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/__init__.py", line 1780, in request_lock
    value = univention.admin.allocators.request(self.lo, self.position, name, value)
  File "/usr/lib/python3/dist-packages/univention/admin/allocators.py", line 282, in request
    return acquireUnique(lo, position, type, value, _type2attr[type], scope=_type2scope[type])
  File "/usr/lib/python3/dist-packages/univention/admin/allocators.py", line 250, in acquireUnique
    raise univention.admin.uexceptions.noLock(_('The attribute %r could not get locked.') % (type,))
univention.admin.uexceptions.noLock: Could not acquire lock: The attribute 'mailPrimaryAddress' could not get locked.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/connector/__init__.py", line 1452, in sync_to_ucs
    result = self.modify_in_ucs(property_type, object, module, position)
  File "/usr/lib/python3/dist-packages/univention/connector/__init__.py", line 1223, in modify_in_ucs
    res = ucs_object.modify(serverctrls=serverctrls, response=response)
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/__init__.py", line 690, in modify
    self._ldap_pre_ready()
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/groups/group.py", line 481, in _ldap_pre_ready
    raise univention.admin.uexceptions.mailAddressUsed(self['mailAddress'])
univention.admin.uexceptions.mailAddressUsed: The mail address is already in use: foo@somedomain.net.

Context

In UCS, the primary mail address of a user or group is stored in the single-value LDAP attribute mailPrimaryAddress, and the Univention Directory Manager requires this attribute to be unique. The traceback shows that the AD-Connector attempted to store a value in mailPrimaryAddress (in this example, on a group object) that was already assigned to a different user or group.

Active Directory, on the other hand, uses the attributes proxyAddresses and/or mail. The relationship between these AD attributes has changed over time. When Exchange was installed, it used to ensure that mail was “in sync” with the primary SMTP: value found in proxyAddresses. But the Active Directory Users and Computers GUI only edits the mail attribute by default and doesn’t keep those attributes in sync. In addition, it doesn’t check values for uniqueness.

Note: Synchronization of the AD attributes proxyAddresses and mail with the UCS/OpenLDAP attributes mailPrimaryAddress, mailAlternativeAddress and mail is optional in the AD-Connector. It is controlled by a set of UCR variables: connector/ad/mapping/user/primarymail, connector/ad/mapping/group/primarymail, connector/ad/mapping/user/alternativemail, connector/ad/mapping/group/alternativemail, connector/ad/mapping/user/exchange and connector/ad/mapping/group/exchange. For details, see also Bug 43216 and the follow-up Bug 51647.

Solution

Ensure uniqueness of addresses stored in Active Directory mail attributes (and the SMTP: value in proxyAddresses). Output of commands like the following may be helpful for analysis:

univention-ldapsearch "mailPrimaryAddress=foo@somedomain.net"

and

univention-adsearch "(|(mail=foo@somedomain.net)(proxyAddresses=*foo@somedomain.net))"
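
To find every conflicting address at once instead of searching one address at a time, the uniqueness check can be scripted. The following is an added example, not Univention code: it assumes the AD objects have already been read into (DN, attributes) pairs, that addresses compare case-insensitively, and it uses constructed sample DNs; the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample data: (DN, attributes) pairs as an AD LDAP search
# would return them. The DNs are made up for this example.
SAMPLE_AD_OBJECTS = [
    ("CN=Sales,OU=Groups,DC=example,DC=test",
     {"mail": ["foo@somedomain.net"],
      "proxyAddresses": ["SMTP:foo@somedomain.net"]}),
    ("CN=Foo User,OU=Users,DC=example,DC=test",
     {"mail": ["Foo@SomeDomain.net"],
      "proxyAddresses": ["smtp:foo.alias@somedomain.net"]}),
    ("CN=Bar User,OU=Users,DC=example,DC=test",
     {"proxyAddresses": ["SMTP:bar@somedomain.net",
                         "smtp:foo@somedomain.net"]}),
]


def primary_addresses(attrs):
    """Return the lower-cased addresses an AD object claims as primary:
    its mail value(s) and any proxyAddresses value prefixed 'SMTP:'."""
    found = {v.strip().lower() for v in attrs.get("mail", []) if v.strip()}
    for value in attrs.get("proxyAddresses", []):
        # Upper-case 'SMTP:' marks the primary address; lower-case
        # 'smtp:' entries are secondary addresses and are skipped here.
        if value.startswith("SMTP:"):
            found.add(value[len("SMTP:"):].strip().lower())
    return found


def find_conflicts(objects):
    """Map each primary address claimed by more than one object to the
    sorted list of DNs claiming it."""
    owners = defaultdict(set)
    for dn, attrs in objects:
        for addr in primary_addresses(attrs):
            owners[addr].add(dn)
    return {a: sorted(dns) for a, dns in owners.items() if len(dns) > 1}


if __name__ == "__main__":
    for addr, dns in sorted(find_conflicts(SAMPLE_AD_OBJECTS).items()):
        print(addr)
        for dn in dns:
            print("   ", dn)
```

Each address reported is one that would be rejected with mailAddressUsed when the corresponding mapping is enabled; an address that appears elsewhere only as a lower-case smtp: entry is not reported.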
