The new recyclebin schema is not registered in LDAP. It is put into the core schema. This poses no problem if the primary is updated first as the schema is replicated to all other servers. If a new server should be joined, the join fails because the new schema is not yet available on the primary. The error message of the joinscript is: LDAP Error: Undefined attribute type: univentionRecycleBinPolicyEnabled: attribute type undefined.
I guess it is just this

18python-univention-directory-manager.inst:

  univention-directory-manager policies/recyclebin create "$@" \
    --ignore_exists \
    --position "cn=recyclebin,cn=policies,$ldap_base" \
    --set name="default-settings" \
    --set retention_days="180" \
    --set enabled=TRUE \
    --append udm_modules="users/user" \
    --append udm_modules="groups/group" || die

We could just remove this from the join script, no need for default policy
I guess this was a join of an "up-to-date" non-primary system to an "old" primary. We already have a version check in univention-join, but only for patch level. Maybe we need to be more strict here, deny join if my."version/version version/patchlevel version/erratalevel" > primary."version/version version/patchlevel version/erratalevel"?
A workaround for systems which were running into the situation would be either to update the primary and - I hope - it self-repairs. Or alternatively, download and apply the schema manually:

  wget -O /usr/share/univention-ldap/schema/recyclebin.schema https://github.com/univention/univention-corporate-server/raw/refs/heads/5.2-3/management/univention-ldap/schema/recyclebin.schema
  sed -i -e "/print('include *\/usr\/share\/univention-ldap\/schema\/federated_account\.schema')/a\\ print('include /usr/share/univention-ldap/schema/recyclebin.schema')" /etc/univention/templates/files/etc/ldap/slapd.conf.d/10univention-ldap-server_schema
  ucr commit /etc/ldap/slapd.conf
  systemctl restart slapd

(This requires an errata level where the federated account stuff was added.)
(After upgrading the system then, univention-check-templates should not mark it as non-modified again.)

Please somebody verify, if that works.
As far as I understand the problem, it is just this default recycle bin policy that causes the problem. We could just remove the "creation" of this policy from the join script 18python-univention-directory-manager.inst and do another errata update for 5.2-3. @support What do you think?
There might be another problem (unverified theory): We create the default policy in the UDM postinst, if that was executed before slapd was restarted, the schema is not known yet and the default policy not applied. So we have to declare a package dependency from UDM to univention-ldap >= recent_version.
(In reply to Florian Best from comment #5)
> There might be another problem (unverified theory):
>
> We create the default policy in the UDM postinst, if that was executed
> before slapd was restarted, the schema is not known yet and the default
> policy not applied.
> So we have to declare a package dependency from UDM to univention-ldap >=
> recent_version.

OK, we should remove the default policy completely, from the postinst and the join script.
FYI from the joinlog we tried the command on commandline to get the full traceback on a school replica

/usr/lib/python3/dist-packages/univention/admincli/admin.py policies/recyclebin create --binddn uid=Administrator,cn=users,dc=ucs,dc=schein,dc=me --bindpwdfile /tmp/tmp.Te5AbVvAGq --ignore_exists --position cn=recyclebin,cn=policies,dc=ucs,dc=schein,dc=me --set name=default-settings --set retention_days=180 --set enabled=TRUE --append udm_modules=users/user --append udm_modules=groups/group

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/admin/uldap.py", line 633, in add
    return self.lo.add(dn, al, serverctrls=serverctrls, response=response)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 166, in _decorated
    return func(self, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/univention/uldap.py", line 650, in add
    _rtype, _rdata, _rmsgid, resp_ctrls = self.lo.add_ext_s(dn, nal, serverctrls=serverctrls)
                                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 1009, in add_ext_s
    return self._apply_method_s(SimpleLDAPObject.add_ext_s,*args,**kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 968, in _apply_method_s
    return func(self,*args,**kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 222, in add_ext_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
                                                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 543, in result3
    resp_type, resp_data, resp_msgid, decoded_resp_ctrls, retoid, retval = self.result4(
                                                                           ^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 553, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 128, in _ldap_call
    result = func(*args,**kwargs)
             ^^^^^^^^^^^^^^^^^^^^
ldap.UNDEFINED_TYPE: {'msgtype': 105, 'msgid': 15, 'result': 17, 'desc': 'Undefined attribute type', 'ctrls': [], 'info': 'univentionRecycleBinPolicyEnabled: attribute type undefined'}

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/admincli/admin.py", line 374, in main
    _doit(arglist, stdout=stdout, stderr=stderr)
  File "/usr/lib/python3/dist-packages/univention/admincli/admin.py", line 636, in _doit
    cli.create(input, append, ignore_exists, parsed_options, parsed_append_options, parsed_remove_options, policy_reference)
  File "/usr/lib/python3/dist-packages/univention/admincli/admin.py", line 679, in create
    return self._create(self.module_name, self.module, self.dn, self.lo, self.position, self.superordinate, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/univention/admincli/admin.py", line 748, in _create
    dn = object.create()
         ^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/__init__.py", line 3838, in create
    return super().create(serverctrls=serverctrls, response=response)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/__init__.py", line 610, in create
    dn = self._create(response=response, serverctrls=serverctrls, ignore_license=ignore_license)
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/__init__.py", line 1494, in _create
    raise exc[1].with_traceback(exc[2])
  File "/usr/lib/python3/dist-packages/univention/admin/handlers/__init__.py", line 1476, in _create
    self.lo.authz_connection.add(self.dn, al, serverctrls=serverctrls, response=response, ignore_license=ignore_license)
  File "/usr/lib/python3/dist-packages/univention/admin/uldap.py", line 644, in add
    raise univention.admin.uexceptions.ldapError(_err2str(msg), original_exception=msg)
univention.admin.uexceptions.ldapError: LDAP Error: Undefined attribute type: univentionRecycleBinPolicyEnabled: attribute type undefined.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/admincli/admin.py", line 1128, in <module>
    main(sys.argv, sys.stdout, sys.stderr)
  File "/usr/lib/python3/dist-packages/univention/admincli/admin.py", line 380, in main
    raise OperationFailed(msg)
OperationFailed: LDAP Error: Undefined attribute type: univentionRecycleBinPolicyEnabled: attribute type undefined.
(In reply to Christina Scheinig from comment #7)
> FYI from the joinlog we tried the command on commandline to get the full
> traceback on a school replica
> [...]
> OperationFailed: LDAP Error: Undefined attribute type:
> univentionRecycleBinPolicyEnabled: attribute type undefined.

Thanks, yes that can't work until the primary knows about the schema.
But as already said, this default recycle bin policy is in no way essential.

Workaround for customer: just remove this UDM call that wants to create the default policy from the join script

Possible fix for the product: Remove this UDM call that wants to create the default policy from the join script in UCS 5.2-3
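
The precondition named in the reply above (the primary has to know the schema first), written as a pre-flight check. This is an added example, not part of the original thread and not Univention code: it reads a subschema entry as LDIF and reports whether univentionRecycleBinPolicyEnabled is defined. The sample LDIF, its OIDs, the rbEnabled alias and the $primary placeholder are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Univention code): pre-flight check for an attribute type.

# Join LDIF continuation lines: a line starting with one space continues
# the previous line.
unfold_ldif() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (NR > 1) print buf; buf = $0 }
         END { if (NR > 0) print buf }'
}

# schema_has_attr NAME: read subschema LDIF on stdin; return 0 if some
# attributeTypes value declares NAME (names compare case-insensitively).
schema_has_attr() {
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    unfold_ldif | tr '[:upper:]' '[:lower:]' | awk -v want="$want" '
        /^attributetypes: / {
            i = index($0, " name "); if (!i) next
            rest = substr($0, i + 6)
            if (substr(rest, 1, 1) == "(")   # list form: NAME ( a b )
                rest = substr(rest, 1, index(rest, ")"))
            else                             # single quoted name
                rest = substr(rest, 1, index(substr(rest, 2), "\047") + 1)
            if (index(rest, "\047" want "\047")) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# Constructed subschema LDIF; "old" lacks the recycle bin attribute.
sample_subschema() {
    cat <<'EOF'
dn: cn=Subschema
attributeTypes: ( 1.3.6.1.4.1.99999.1 NAME 'univentionExampleFlag' DESC 'cons
 tructed sample' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )
EOF
    [ "$1" = new ] || return 0
    cat <<'EOF'
attributeTypes: ( 1.3.6.1.4.1.99999.2 NAME ( 'univentionRecycleBinPolic
 yEnabled' 'rbEnabled' ) DESC 'constructed sample' SINGLE-VALUE )
EOF
}

# On a real system the input would come from the primary, for example:
#   ldapsearch -x -LLL -H "ldap://$primary" -s base -b cn=Subschema attributeTypes
# ($primary is a placeholder for the primary's hostname.)
for state in old new; do
    if sample_subschema "$state" | schema_has_attr univentionRecycleBinPolicyEnabled
    then echo "$state primary: schema present, policy can be created"
    else echo "$state primary: schema missing, skip policies/recyclebin create"
    fi
done
```
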
Installed a new Backup DC and couldn't join because of:

Configure 18python-univention-directory-manager.inst Thu Dec 11 15:31:08 CET 2025
2025-12-11 15:31:08.783778118+01:00 (in joinscript_init)
Object exists: cn=objectFlag,cn=custom attributes,cn=univention,dc=tierheim,dc=intranet
Object exists: cn=data,cn=univention,dc=tierheim,dc=intranet
Object exists: cn=recyclebin,cn=internal
Object exists: cn=recyclebin,cn=policies,dc=tierheim,dc=intranet
LDAP Error: Undefined attribute type: univentionRecycleBinPolicyEnabled: attribute type undefined.

18python-univention-directory-manager.inst:

The recycle bin policy was created on the Backup server because of 18python-univention-directory-manager.inst from the package univention-directory-manager-tools:

root@backup:/usr/lib/univention-install# grep recycle 18python-univention-directory-manager.inst
    --set name="recyclebin" \
    --set description="Container for removed LDAP objects (recyclebin)" || die
    --set name="recyclebin" \
    --set description="Container for recyclebin policies" || die
univention-directory-manager policies/recyclebin create "$@" \
    --position "cn=recyclebin,cn=policies,$ldap_base" \

root@backup:/usr/lib/univention-install# dpkg -S 18python-univention-directory-manager.inst
univention-directory-manager-tools: /usr/lib/univention-install/18python-univention-directory-manager.inst

root@backup:/usr/lib/univention-install# apt-cache policy univention-directory-manager-tools
univention-directory-manager-tools:
  Installiert:           17.3.15
  Installationskandidat: 17.3.15
  Versionstabelle:
 *** 17.3.15 500
        500 https://updates.software-univention.de errata523/main amd64 Packages
        100 /var/lib/dpkg/status
     17.2.13 500
        500 https://updates.software-univention.de ucs523/main amd64 Packages

Environment

# Primary
root@primary:~# univention-app info
UCS: 5.2-3 errata291

# Backup
root@backup:~# univention-app info
UCS: 5.2-3 errata181