When you set the UCS in "membermode" - so when you connect it to a Windows DC - the aforementioned Windows DC takes over the command. It syncs every user in the UCS LDAP (the UCS only reads in this case). So you get every user you create in the AD with password and everything in the LDAP. The search you are trying to do is not allowed for the binduser you are searching with. I give two examples from my testing environment:
root@ucs-8007:~# univention-ldapsearch -x -b "dc=hel,dc=underworld" "objectClass=person" -D "cn=tmtt,cn=users,dc=hel,dc=underworld" -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
(tmtt is a newly created standard-user)
Now with the proper credentials:
root@ucs-8007:~# univention-ldapsearch -x -b "dc=hel,dc=underworld" "objectClass=person" -D "cn=admin,dc=hel,dc=underworld" -y "/etc/ldap.secret"
# search result
result: 0 Success
# numResponses: 12
# numEntries: 11
So it seems you have a working system, you just need to put it to use. You cannot use it as bind for "ldapsearch" or "univention-ldapsearch", but you should be able to log in, etc. with the users.
Here are additional resources regarding LDAP: