When editing a domain in hosted mode the webadmin sends an invalid set of attributes to the ldap servers and therefore denys changes to a given domain object. The hidden attribute domainrelatedobject_onlygets forwarded to the ldap server:
/var/log/kolab-webadmin/console
[08-Nov-2019 19:38:01 +0100](865jrltn0cks8mpqki6m75a6od): [DEBUG] (api) Net_LDAP3::modify_entry() using rdn attribute: associateddomain [08-Nov-2019 19:38:01 +0100](865jrltn0cks8mpqki6m75a6od): [DEBUG] (api) Attribute associateddomain unchanged [08-Nov-2019 19:38:01 +0100](865jrltn0cks8mpqki6m75a6od): [DEBUG] (api) Attribute inetdomainstatus changed from 'active' to 'suspended' [08-Nov-2019 19:38:01 +0100](865jrltn0cks8mpqki6m75a6od): [DEBUG] (api) Adding to replace: inetdomainstatus [08-Nov-2019 19:38:01 +0100](865jrltn0cks8mpqki6m75a6od): [DEBUG] (api) Attribute aci unchanged [08-Nov-2019 19:38:01 +0100](865jrltn0cks8mpqki6m75a6od): [DEBUG] (api) Attribute objectclass unchanged [08-Nov-2019 19:38:01 +0100](865jrltn0cks8mpqki6m75a6od): [DEBUG] (api) Attribute inetdomainbasedn unchanged [08-Nov-2019 19:38:01 +0100](865jrltn0cks8mpqki6m75a6od): [DEBUG] (api) array ( 'add' => array ( 'domainrelatedobject_only' => 1, ), 'del' => array ( ), 'replace' => array ( 'inetdomainstatus' => array ( 0 => 'suspended', ), ), 'rename' => array ( ), ) [08-Nov-2019 19:38:01 +0100](865jrltn0cks8mpqki6m75a6od): [DEBUG] (api) C: Mod-Replace associateddomain=example.org,ou=Domains,dc=dotlan,dc=info: {"inetdomainstatus":["suspended"]} [08-Nov-2019 19:38:01 +0100](865jrltn0cks8mpqki6m75a6od): [DEBUG] (api) S: OK [08-Nov-2019 19:38:01 +0100](865jrltn0cks8mpqki6m75a6od): [DEBUG] (api) C: Mod-Add associateddomain=example.org,ou=Domains,dc=dotlan,dc=info: {"domainrelatedobject_only":1} [08-Nov-2019 19:38:01 +0100](865jrltn0cks8mpqki6m75a6od): [DEBUG] (api) S: Object class violation
/var/log/dirsrv/slapd-kolab/errors
[08/Nov/2019:13:19:20.459275724 +0100] - ERR - oc_check_allowed_sv - Entry "associateddomain=example.org,ou=Domains,dc=dotlan,dc=info" -- attribute "domainrelatedobject_only" not allowed
The solution is to fix LDAP::domain_edit and strip the attribute from the attributes list (similar to domain_add method)