Warning K-1504: Unable to retrieve parents for groupmember relation...

  • Hello,

    our server.log frequently shows the warning message
    K-1504: Unable to retrieve parents for groupmember relation 16: uid attribute not found.
    for different relation #.

    Version installed: on SLES 12 SP2.

    Could someone explain the cause for the warning and how to avoid it?



  • Kopano

    Hello @dylan08 ,

    a similar topic was discussed here in this forum before. I gave pointers in https://forum.kopano.io/topic/264/unable-to-retrieve-parents-for-relation-groupmember-uid-attribute-not-found how to resolve it (some more detailed steps are linked in that post).

  • Hello Felix,

    thanks for the hint. I have seen the discussion and checked if something is wrong with my ldap configuration.
    Also have checked my ldap configuration according to https://documentation.kopano.io/kopanocore_administrator_manual/configure_kc_components.html#testing-ldap-configuration

    Now I have changed logging settings in kopano server.cfg to 6 (Debug). But it seems that the server does not send ldap queries to the log files. I see debug messages but no ldap queries.


  • Kopano

    Hi @dylan08 ,

    from man kopano-server:

           If you run into problems, check the log for any errors. If you made a mistake in the configuration of the log method, this will be reported on standard error. You can also
           restart the server with a higher log level. Also, before starting the server, always make sure the database server is running at the right location and no other server is
           listening on the configured TCP port.
           For extended diagnostics, there are special extended log options available for enhanced debugging capabilities. The parameter log_level has special or-ed values which can be set
           to investigate different modules within the server process:
           SQL: 0x00010000, User backend: 0x00020000, Server cache: 0x00040000, SOAP: 0x00100000, ICS: 0x00200000
           For example, if you are using LDAP as the user plugin, you can set the log_level to 0x00020006 for extended LDAP logging (the last digit 6 enables extended verbose logging). To
           enable SQL and LDAP logging at the same time, set log_level to 0x00030006
           WARNING: The log options create huge amounts of log entries in production environments, this results in abnormal large logfiles which can fill up available disk space very fast.
           Only use this with extreme caution.

    so you need to set the log_level to 0x00020006 to have the ldap queries logged.

  • Hello Felix,

    thank you. Missed to read the man page for kopano-server.
    Hope to find the cause with ldap logging enabled.

  • Hello,

    done a little bit of investing using ldap debugging. Seems the problem is related to the earlier mentioned univention topic.

    Kopano does the following ldap searches:
    ("dc=DOMAIN,dc=TLD" "(&(|(objectClass=posixGroup)(objectClass=kopano-dynamicgroup))(memberUid=USER))" objectClass kopanoSharedStoreOnly kopanoResourceType kopanoSecurityGroup uidNumber gidNumber ou cn cn modifyTimestamp

    Result is one “posixGroup” with some members. Every member has a “memberUID” and a “member” attribute. Say “gidNumber” in the result is 4711.

    Next kopano search for
    ("dc=DOMAIN,dc=TLD" "(&(|(objectClass=posixGroup)(objectClass=kopano-dynamicgroup))(gidNumber=4711))" uid )

    As it is a posixGroup there is no “uid” member present. So ldap search result is empty.
    This LDAP configuration has worked before with zarafa. Warning K-1504 has started after updating to kopano.
    Maybe there is an error in kopano and search result should be the “member” attribute?

  • Kopano

    @dylan08 said in Warning K-1504: Unable to retrieve parents for groupmember relation...:

    Maybe there is an error in kopano and search result should be the “member” attribute?

    you can define which attributes kopano queries from the ldap. you can find the default values in /usr/share/kopano/ldap.openldap.cfg, any modifications to the defaults should be done in the ldap.cfg.

    By default the following values are used:

    # Optional, default = member
    # Active directory: member
    # LDAP: memberUid
    ldap_groupmembers_attribute = memberUid
    # Optional, default = text
    # Active directory: dn
    # LDAP: text
    ldap_groupmembers_attribute_type = text
    # The attribute of the user which is listed in ldap_groupmember_attribute
    # Active directory: empty, matching DNs
    # LDAP: uid, matching users in ldap_loginname_attribute
    ldap_groupmembers_relation_attribute = uid

Log in to reply