Bug 56721 - Enable ldap/refint for attributes other than uniqueMember
Status: NEW
Product: UCS
Classification: Unclassified
Component: LDAP
Version: UCS 5.0
Hardware/OS: All / All
Importance: P5 enhancement
Assigned To: UCS maintainers
Reported: 2023-10-10 11:25 CEST by Sebastian Philipp
Modified: 2023-10-11 15:15 CEST
Description Sebastian Philipp 2023-10-10 11:25:46 CEST
In UCS 5, the OpenLDAP Referential Integrity overlay can be enabled via `ucr set ldap/refint=true` (see #48956).  Some components, such as the OX Connector, even [require it to be enabled](https://docs.software-univention.de/ox-connector-app/latest/installation.html#ucs-domain).

However, the refint overlay is only enabled for the `uniqueMember` attribute.  There are other attributes that could benefit from having referential integrity enabled, such as:

- secretary: This is even the example used in the original feature request.
- univentionAllowedEmailUsers
- ... probably more

The latter one, univentionAllowedEmailUsers, is the one we would currently benefit the most from: We use this attribute to control which users are authorized to send mails to some mailing lists with a large number of recipients (think all-students@example-school.org).  When a user is renamed or moved to another position in the LDAP tree (e.g. moves to another school in a multi-school environment), their entry in the mailing lists' univentionAllowedEmailUsers is not updated, and they effectively lose the permission to post to any mailing list with such an ACL.

On our test environment, we added univentionAllowedEmailUsers to refint_attributes by modifying the slapd.conf template, and have found that it's exactly what we're after; the DNs in univentionAllowedEmailUsers are properly updated or removed, and we have so far not observed any undesirable side effects.

Ideally, the set of attributes for which refint is enabled could be configured via UCR.  Barring that, the set of refint attributes should at least be extended to all core Univention LDAP attributes whose values consist of DN foreign keys.
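The configuration change the report describes, written out as an added slapd.conf fragment. This is an illustration, not UCS's shipped template and not the reporter's own file: the module name, the database suffix and the `refint_nothing` placeholder DN are assumptions; the directive names come from slapo-refint(5).

```conf
# Added example of a slapd.conf refint stanza; not UCS's shipped template.
# Assumptions: the overlay module is loaded as "refint", the database is
# the dc=example,dc=org suffix, and the placeholder DN below exists.
moduleload refint

database mdb
suffix "dc=example,dc=org"
# ... other database directives ...

# Referential integrity overlay for this database.
overlay refint

# Status quo described in the report: UCS 5 enables refint only for
# uniqueMember, i.e. the generated file contains
#   refint_attributes uniqueMember
# Extended set requested in the report: every core attribute whose values
# are DNs of other entries. On modrdn the DN is rewritten in place, on
# delete the value is removed.
refint_attributes uniqueMember secretary univentionAllowedEmailUsers

# If the deleted DN was the last value of an attribute that is MUST in the
# referencing entry's object class (uniqueMember in groupOfUniqueNames),
# refint cannot leave the attribute empty and substitutes this DN instead.
# It has to be the DN of an existing entry; the name is an assumption.
refint_nothing "cn=refint-placeholder,dc=example,dc=org"
```

Two practical points. On UCS, /etc/ldap/slapd.conf is generated from UCR templates, so the change belongs in the template (as the reporter did) followed by `ucr commit /etc/ldap/slapd.conf`, and `slaptest -f /etc/ldap/slapd.conf` validates the result before slapd is restarted. To confirm the effect, rename a user with `ldapmodrdn` and re-read the mailing list entry with `ldapsearch`: its univentionAllowedEmailUsers value should now carry the new DN, and after an `ldapdelete` of the user the value should be gone. The `refint_nothing` substitution only matters for MUST attributes; for a MAY attribute such as univentionAllowedEmailUsers the value is simply removed.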