Description Daniel Tröder 2020-09-24 09:49:54 CEST

The join script API is inconsistent in that way:
* On replication and managed nodes the univention-run-join-scripts adds "--binddn BINDDN --bindpwdfile BINDPWDFILE" to the arguments in "$@" which are forwarded to all software using the LDAP when called in join scripts.
* On primary and backup nodes the user can retrieve the credentials herself, so univention-run-join-scripts does _not_ add those to the join scripts args. All software called with "$@" has to be aware of that.

This has led to a lot of lost development hours by (also experienced) Univention developers getting surprised by this unexpected API behavior. It has furthermore lead to hundreds of Python and shell scripts implementing all the same forumla: "if role in (master, backup) read secret-file, else use arguments passed".

The joinscript api should be consistent: it should supply binddn and bindpwdfile on all nodes.