In a UCS system there are two LDAP servers: the one in which you create objects via the UMC (OpenLDAP) and the one provided by Samba. There’s a bi-directional sync between both. Both use slightly different LDAP schemas, and therefore the objects are named slightly differently.
The Samba LDAP is running on ports 389 & 636 and uses cn=… for user objects. The OpenLDAP server runs on ports 7389 & 7636 and uses uid=… for naming user objects. The Samba LDAP server is generally better to work with if you need to evaluate group membership.
You can use the command univention-ldapsearch for searching the OpenLDAP server and univention-s4search for searching the Samba LDAP server if you’re unsure what your object’s named.