Univention Bugzilla – Bug 48056
By default use port 7389 for univention-ldapsearch
Last modified: 2021-05-14 16:38:02 CEST
When using univention-ldapsearch for simplicity it is obvious we are connecting to UCS, not to some other OpenLDAP servers. Otherwise we would use "ldapsearch" directly. When connecting to a different UCS host with "-h" the default OpenLDAP port 389 is used. Thus, the connection usually fails as there is not the expected OpenLDAP server listening. The port 7389 has to be given with "-p" when -h is used. This behaviour is at least unexpected as the term "univention-*" clearly states I am using some Univention stuff. And for Univention stuff we have the port set to 7389. We should by default use port 7389 instead of 389! Parameter "-p" should work as before, if giving a port it should be used. But if not giving a port, default should be 7389.
univention-ldapsearch doesn't specify a port, as can be seen by running it with "bash -x":

    ldapsearch -ZZ -D "$(ucr get ldap/hostdn)" -y /etc/machine.secret

It uses the URI specified in /etc/ldap/ldap.secret, which specifies the port. The requirement that -p has to be specified along with -h is a requirement of ldapsearch itself. So, your request would mean that univention-ldapsearch should add "-p 7389" if "-h" is given on the command line but "-p" is missing.
Yes, that's what I mean. It is not self-explaining having a tool especially for Univention UCS not regarding the special case of default Univention-LDAP port being 7389.
* The UCS-recommended tool is univention-ldapsearch.
* ldapsearch behaves differently and defaults to -p 389 if you use the -h option.
* Alternatively -H ldap://$FQDN:7389 can be used.
* Putting "PORT" into /etc/ldap/ldap.conf unfortunately doesn't change that behavior.
* Since "PORT" is marked as deprecated in man ldap.conf(5) I think it will be hard to convince the upstream project to make ldapsearch consider the PORT parameter as we would like to have it.
* So we could patch the source code ourselves to consider PORT in /etc/ldap/ldap.conf and configure that to 7389.
* The PO may decide upon the priority.
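The behaviour requested in this report (add "-p 7389" when "-h" is given without "-p", and leave an explicit "-p" or "-H" alone), sketched as an added shell example; it is not code from univention-ldapsearch. The function names are hypothetical, and the argument scan is a simplification that only looks at how each argument starts.

```shell
# Added example, not Univention's implementation.
UCS_LDAP_PORT=7389   # UCS LDAP port named in this report

# Succeeds (status 0) only when a host was given with -h but neither a
# port (-p) nor a full URI (-H) was supplied.
# Assumption: no option *value* starts with -h, -p or -H; a complete
# implementation would parse the options the way ldapsearch itself does.
needs_default_port() {
    _host=0; _port=0; _uri=0
    for _arg in "$@"; do
        case "$_arg" in
            --)  break ;;        # end of options
            -h*) _host=1 ;;      # "-h host" or "-hhost"
            -p*) _port=1 ;;      # "-p port" or "-pport"
            -H*) _uri=1 ;;       # "-H ldap://host:port"
        esac
    done
    [ "$_host" -eq 1 ] && [ "$_port" -eq 0 ] && [ "$_uri" -eq 0 ]
}

# Run the command in $1 with the remaining arguments, prepending
# "-p 7389" only when needs_default_port says it is missing.
with_default_port() {
    _cmd=$1; shift
    if needs_default_port "$@"; then
        set -- -p "$UCS_LDAP_PORT" "$@"
    fi
    "$_cmd" "$@"
}

# Possible use inside a wrapper script (hypothetical):
#   with_default_port ldapsearch -ZZ -D "$(ucr get ldap/hostdn)" \
#       -y /etc/machine.secret "$@"
```

Because an explicit "-p" always wins, a caller who needs to reach a server on port 389 still can.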
This issue has been filed against UCS 4.3. UCS 4.3 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.