Univention-s4-connector

Hello, I encountered a problem with s4-connector. It is the synchronization problem of ucs/openldap to samba4. The result returned by univention-s4connector-list-rejected command is as follows. What does the FileName field mean? Is there any related documentation or link? And “Domain Users” is a group:

I have seen the link you posted. What confused me is that the command “univention-s4connector-list-rejected” listed the DN before and now shows the path of the Filename. I don’t know the content of the file or how to deal with it.

It’s a bit opaque and not well documented. But I’m glad the linked help article exists.

The output shows you which side of the connection between UCS LDAP (slapd) and Samba 4 Active Directory rejected an attempt to sync an object. In your case, the UCS LDAP side rejected several entries as they are in the UCS section under the heading “UCS”. For each object, the output shows you the distinguished names on each side. The filename refers to the LDIF (I guess) file with the necessary data to sync between the two sides.

I neither work for Univention nor have I analyzed the source code of the connector or the list-rejected command, so take my words with a grain of salt. The connector compares when two objects have last been changed to when they have last been synced. If the last sync was before the last change, it generates an LDIF file (a representation of lightweight directory data and actions) to sync those changes to the side which is outdated. As this can happen on either side, you always have a source and a destination – destinations are what you see as sections above. The rejects are rejects by the destination. Your LDIF is supposed to be applied to the destination.

In your case, the objects exist on both sides but this isn’t always true. That’s why there are two DNs for each object: one for UCS’s slapd and the other for Samba 4’s Active Directory. These two DNs should help you compare those objects. You can either use the commands described in the article or use an LDAP browser like Apache Directory Studio. I’d suggest using the shell commands for comparison and ADS to edit the entries accordingly.

The linked article doesn’t help much in the matter of resolving sync conflicts. Most of the time I get by just by looking at both entries and deciding to keep one of them. Then I force a resync (as mentioned in the article) originating from the side I want to keep.

This is the content of the file. I don’t know what kind of format the file is in. In your opinion, can I understand this file as a set of list objects which have been rejected by S4? In my domain, I have about 80000 entries. I don’t think it’s a good way to look at these objects on the two sides and diff them. Does that mean I must choose one side (such as Samba4) as the guideline for these entries, and then resync them from that side (the guideline) to the other one?

Okay, that’s not LDIF but a serialized representation of a … whatever. A Python dict or something like that. I wouldn’t care too much about these files. The important question is which side you want to prioritize and then force a resync from there.

FWIW I don’t think either LDIF or this serialized format is a good way to look at this data. That’s why I recommend Apache Directory Studio. But unfortunately it has its limits when it comes to low-level data of the LDAP objects.

OK, I’ll try to resync from S4 to UCS, because in my domain the modification of data was always done with RSAT, not the UMC. I think S4 is a better choice.