The first thing you should know is that a UCS server with Samba is actually running two separate LDAP servers simultaneously:
- An OpenLDAP server on ports 7389 (plain text) and 7636 (encrypted)
- The Samba 4 LDAP server on ports 389 (plain text) and 636 (encrypted)
The OpenLDAP server is always present on a DC Master, even if one doesn’t run Samba. The data in the OpenLDAP server is authoritative. The Univention tools dealing with all kinds of settings (users, groups, DNS, policies, portal configuration etc.) all query and write to the OpenLDAP server.
In order to ensure that the Samba 4 LDAP contains the same data, there’s a component doing a bidirectional synchronization between both LDAP directories: the Univention Samba 4 connector (or simply the “S4 connector”).
Both LDAP directories use different schemas: the OpenLDAP uses the traditional Unixy POSIX schemas whereas the Samba 4 LDAP uses the Active Directory schema.
And now we can get to your questions:
They’re the same user, but both syntaxes name users in different directories. uid=… is used solely in OpenLDAP whereas cn=username,… is used in Samba 4. Password changes to one of those affect the other because the S4 connector synchronizes the password fields.
You’re most likely connecting to the wrong port, or to be precise: you’re connecting to port 389 or 636 (which is the Samba 4 LDAP), and in the Samba/AD LDAP the users are named cn=….
From the OpenLDAP server.
Note that both the univention-ldapsearch and the plain ldapsearch commands use information from /etc/ldap/ldap.conf in order to determine the host name & port to connect to unless you overwrite those settings from the command line. The default in ldap.conf is port 7389, meaning both commands will search the OpenLDAP server.
If you want to search the Samba 4 LDAP server from the command line instead, use the univention-s4search command which operates almost identically.
Now this is a very good question. Let’s get back to what you wrote at the top:
This is plain wrong. The univention-ldapsearch command, as stated above, should contact the OpenLDAP server instead of the Samba 4 LDAP server. Therefore the syntax cn=administrator should not work but uid=… should. I can think of two possible reasons why this happens:
- univention-ldapsearch doesn’t use port 7389 but 389.
- The OpenLDAP server isn’t listening on port 7389 on your server.
Let’s make sure the DC Master’s configuration is correct first. Run the following on your DC Master and post the output here, please:
lsof -aPniTCP:7389 -iTCP:389 -sTCP:LISTEN
iptables -t nat -L -nv
Next take a look at /etc/ldap/ldap.conf on the server you’re trying to join. Post its content here. Additionally install the strace package on the server to join if it isn’t installed yet, run the next command and post the content of the file connect.txt that’s created by that strace command here:
strace -o connect.txt -f -e connect univention-ldapsearch -s base
That should give us some clues about what’s going on.
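The diagnosis described in this answer (compare the port that ldap.conf says the client should use with the port the strace connect log shows it actually used) can be automated. The following is an added example, not code from the post or from Univention. It assumes the standard ldap.conf(5) key format (URI, HOST, PORT, BASE; `#` comments), the ldapsearch precedence that a command-line -H/-h/-p overrides the file, and the port-to-directory mapping the answer gives for UCS (7389/7636 OpenLDAP, 389/636 Samba 4). The ldap.conf body and the strace output below are constructed samples.

```python
"""Check which LDAP directory a UCS ldapsearch is expected to hit vs. which one it did.

Added example, not part of the original forum post. Two steps, as in the answer:
  1. resolve host/port from an /etc/ldap/ldap.conf body (plus optional CLI overrides);
  2. pull the TCP ports out of 'strace -e connect' output and compare.
All sample data below is constructed.
"""
import re
from urllib.parse import urlparse

# Port -> directory, as laid out in the answer (UCS convention; assumption for other setups).
PORT_TO_DIRECTORY = {
    7389: "OpenLDAP (plain text)",
    7636: "OpenLDAP (TLS)",
    389: "Samba 4 LDAP (plain text)",
    636: "Samba 4 LDAP (TLS)",
}

# Constructed sample /etc/ldap/ldap.conf as found on a UCS host.
SAMPLE_LDAP_CONF = """\
# constructed sample, not a real configuration file
URI ldap://ucs-master.example.test:7389
BASE dc=example,dc=test
"""

# Constructed sample of 'strace -o connect.txt -f -e connect ...' output.
SAMPLE_STRACE = """\
1234  connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
1234  connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("10.200.0.2")}, 16) = 0
1234  connect(3, {sa_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr("10.200.0.1")}, 16) = 0
1234  connect(5, {sa_family=AF_INET6, sin6_port=htons(389), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "fd00::1", &sin6_addr), sin6_scope_id=0}, 28) = 0
"""


def parse_ldap_conf(text):
    """Return a dict of ldap.conf settings (keys upper-cased); '#' lines are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf[parts[0].upper()] = parts[1].strip()
    return conf


def resolve_endpoint(conf, cli_uri=None, cli_host=None, cli_port=None):
    """Resolve (host, port) the way ldapsearch does.

    -H on the command line wins, then -h/-p, then URI from the file, then
    HOST/PORT from the file, then the built-in default of port 389.
    """
    uri = cli_uri if cli_uri else (None if cli_host else conf.get("URI"))
    if uri:
        first = uri.split()[0]  # ldap.conf allows a whitespace-separated list of URIs
        u = urlparse(first)
        default = 636 if u.scheme == "ldaps" else 389
        return u.hostname, u.port or default
    host = cli_host or conf.get("HOST", "localhost")
    port = int(cli_port or conf.get("PORT", 389))
    return host, port


def describe_port(port):
    return PORT_TO_DIRECTORY.get(port, "unknown directory")


# Matches AF_INET 'sin_port=htons(N)' and AF_INET6 'sin6_port=htons(N)' in strace connect() lines.
CONNECT_RE = re.compile(r"connect\(\d+, \{sa_family=AF_INET6?, sin6?_port=htons\((\d+)\)")


def ports_from_strace(text):
    """Return the sorted, de-duplicated TCP/UDP ports seen in strace connect() calls."""
    return sorted({int(m.group(1)) for m in CONNECT_RE.finditer(text)})


def diagnose(conf_text, strace_text, **cli):
    """Compare the port ldap.conf (plus CLI overrides) predicts with the ports actually used."""
    conf = parse_ldap_conf(conf_text)
    host, expected = resolve_endpoint(conf, **cli)
    observed = ports_from_strace(strace_text)
    ldap_ports = [p for p in observed if p in PORT_TO_DIRECTORY]  # drop DNS etc.
    return {
        "expected_host": host,
        "expected_port": expected,
        "expected_directory": describe_port(expected),
        "observed_ldap_ports": ldap_ports,
        "observed_directories": [describe_port(p) for p in ldap_ports],
        "mismatch": expected not in ldap_ports,
    }


if __name__ == "__main__":
    report = diagnose(SAMPLE_LDAP_CONF, SAMPLE_STRACE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

With the constructed inputs the report shows ldap.conf pointing at 7389 (OpenLDAP) while the client connected to 389 (Samba 4), which is exactly the situation the answer suspects: the cn=… syntax works because the search never reached OpenLDAP. To use it on a real host, replace the two sample strings with the contents of /etc/ldap/ldap.conf and of the connect.txt produced by the strace command above.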