Bug 48056 - By default use port 7389 for univention-ldapsearch
Status: RESOLVED WONTFIX
Product: UCS
Classification: Unclassified
Component: LDAP
Version: UCS 4.3
Hardware: Other Linux
Importance: P5 enhancement
Assigned To: UCS maintainers
Reported: 2018-10-26 11:47 CEST by Christian Völker
Modified: 2021-05-14 16:38 CEST (History)
What kind of report is it?: Feature Request
Description Christian Völker univentionstaff 2018-10-26 11:47:57 CEST
When using univention-ldapsearch for simplicity it is obvious we are connecting to UCS, not to some other OpenLDAP servers. Otherwise we would use "ldapsearch" directly.

When connecting to a different UCS host with "-h" the default OpenLDAP port 389 is used. Thus, the connection usually fails as there is not the expected OpenLDAP server listening.

The port 7389 has to be given with "-p" when -h is used.

This behaviour is at least unexpected as the term "univention-*" clearly states I am using some Univention stuff. 
And for Univention stuff we have the port set to 7389.


We should by default use port 7389 instead of 389! Parameter "-p" should work as before, if giving a port it should be used. But if not giving a port, default should be 7389.
Comment 1 Arvid Requate univentionstaff 2018-10-29 13:22:15 CET
univention-ldapsearch doesn't specify a port, as can be seen by running it with "bash -x":

ldapsearch -ZZ -D "$(ucr get ldap/hostdn)" -y /etc/machine.secret

It uses the URI specified in /etc/ldap/ldap.secret, which specifies the port.

The requirement that -p has to be specified along with -h is a requirement of ldapsearch itself. So, your request would mean that univention-ldapsearch should add "-p 7389" if "-h" is given on the command line but "-p" is missing.
Comment 2 Christian Völker univentionstaff 2018-10-29 13:27:06 CET
Yes, that's what I mean.

It is not self-explaining having a tool especially for Univention UCS not regarding the special case of default Univention-LDAP port being 7389.
Comment 3 Arvid Requate univentionstaff 2020-06-10 18:52:08 CEST
* The UCS-recommended tool is univention-ldapsearch.
* ldapsearch behaves differently and defaults to -p 389 if you use the -h option.
* Alternatively -H ldap://$FQDN:7389 can be used.
* Putting "PORT" into /etc/ldap/ldap.conf unfortunately doesn't change that behavior.
* Since "PORT" is marked as deprecated in man ldap.conf(5) I think it will be hard
  to convince the upstream project to make ldapsearch consider the PORT parameter
  as we would like to have it.
* So we could patch the source code ourselves to consider PORT in /etc/ldap/ldap.conf
  and configure that to 7389.
* The PO may decide upon the priority.
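
The behaviour requested in this bug (add "-p 7389" when "-h" is given without "-p"), sketched as an added example; it is not the UCS wrapper's code. The function names, the LDAPSEARCH override variable and the option string (assumed to match OpenLDAP's ldapsearch) are assumptions, and the bind options shown in Comment 1 are left out.

```shell
#!/bin/sh
# Added example: hypothetical wrapper logic, not the shipped univention-ldapsearch.

UCS_LDAP_PORT=7389   # UCS LDAP port named in the bug report

# ldapsearch option letters; a trailing colon marks an option that takes an
# argument. Assumed to match the OpenLDAP ldapsearch in use. The leading
# colon puts getopts into silent mode so unknown options are skipped quietly.
LDAPSEARCH_OPTS=':a:Ab:cE:F:l:Ls:S:tT:uz:Cd:D:e:f:h:H:IMnNO:o:p:QR:U:vVw:WxX:y:Y:Z'

# Return 0 when a host was given with -h but neither -p nor -H (a URI that
# carries its own port) is present. Parsing with getopts keeps option
# arguments from being mistaken for options, e.g. the "-p" in: -b "-p".
# Options placed after the search filter are not inspected.
needs_default_port() {
    ndp_host=no ndp_port=no ndp_uri=no
    OPTIND=1
    while getopts "$LDAPSEARCH_OPTS" ndp_opt; do
        case $ndp_opt in
            h) ndp_host=yes ;;
            p) ndp_port=yes ;;
            H) ndp_uri=yes ;;
        esac
    done
    [ "$ndp_host" = yes ] && [ "$ndp_port" = no ] && [ "$ndp_uri" = no ]
}

# Run ldapsearch with StartTLS required (-ZZ, as in Comment 1), prepending
# "-p 7389" only in the "-h without -p" case. An explicit -p is never changed.
ucs_ldapsearch() {
    if needs_default_port "$@"; then
        set -- -p "$UCS_LDAP_PORT" "$@"
    fi
    "${LDAPSEARCH:-ldapsearch}" -ZZ "$@"
}

# Usage (constructed host name):
#   ucs_ldapsearch -h ucs-host.example.test -LLL uid=Administrator
```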
Comment 4 Ingo Steuwer univentionstaff 2021-05-14 16:38:02 CEST
This issue has been filed against UCS 4.3.

UCS 4.3 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.