There are a couple of places where univention-ldapsearch is used in joinscripts, but the join-credentials are not passed. On systems other than master and backup the search is performed with machine credentials in this case, which, depending on the ACLs might not give the same results. Maybe these are corner cases, but it would be good to make univention-ldapsearch accept the --binddn/bindpwd/bindpwdfile options and convert them into the equivalent ldapsearch options. The order of the options must be maintained.
Advisory: 2013-12-09-univention-config-registry.yaml
OK - univention-ldap OK - YAML -> univention-ldapsearch -LLL uid=Administrator uid dn: uid=Administrator,cn=users,dc=w2k12,dc=test uid: Administrator -> univention-ldapsearch \ --binddn uid=Administrator,cn=users,dc=w2k12,dc=test \ --bindpwd univention \ -LLL uid=Administrator uid dn: uid=Administrator,cn=users,dc=w2k12,dc=test uid: Administrator -> univention-ldapsearch \ --binddn uid=Administrator,cn=users,dc=w2k12,dc=test \ -w univention \ -LLL uid=Administrator uid dn: uid=Administrator,cn=users,dc=w2k12,dc=test uid: Administrator -> univention-ldapsearch \ -D uid=Administrator,cn=users,dc=w2k12,dc=test \ -w univention \ -LLL uid=Administrator uid dn: uid=Administrator,cn=users,dc=w2k12,dc=test uid: Administrator -> univention-ldapsearch \ -D uid=Administrator,cn=users,dc=w2k12,dc=test \ --bindpwd univention \ -LLL uid=Administrator uid dn: uid=Administrator,cn=users,dc=w2k12,dc=test uid: Administrator -> univention-ldapsearch \ -D uid=Administrator,cn=users,dc=w2k12,dc=test \ --bindpwdfile /tmp/univention \ -LLL uid=Administrator uid dn: uid=Administrator,cn=users,dc=w2k12,dc=test uid: Administrator -> univention-ldapsearch \ --binddn uid=Administrator,cn=users,dc=w2k12,dc=test \ --bindpwdfile /tmp/univention \ -LLL uid=Administrator uid dn: uid=Administrator,cn=users,dc=w2k12,dc=test uid: Administrator
http://errata.univention.de/ucs/3.2/23.html