Uwe, hello.
On 20 Feb 2023, at 13:28, Uwe Sauter wrote:
> ldapsearch -x -H 'ldap://<HOST>/dc=example,dc=net' '(cn=foo)'
> instead of
> ldapsearch -x -H 'ldap:///dc=example,dc=net' '(cn=foo)'
No: the documentation for the -H option says that the SRV-lookup form, with the dc= components, is only tried when the host:port element of the URI is empty.
Looking at the code, the problem does appear to be that common.c:tool_args attempts to break the -H argument into multiple LDAP URIs by separating at commas, as well as spaces. That's the right thing to do to match the first sentence of the ldapsearch(1) documentation of -H, but the second sentence there (the one starting 'As an exception...') doesn't mention a list of SRV names (sensibly, since an SRV record is implicitly a list anyway), so shouldn't, I think, attempt to split the argument.
As the code stands, you have to escape the ',' in order to trick the code into not splitting this argument.
I noted in the OP that there's a mild code change which would make this work as expected.
I'll raise this as a bug report with suggested fix, since it doesn't sound from this discussion that there's something obvious I'm missing.
Best wishes,
Norman
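
The splitting behaviour discussed in this message, as an added example that is not part of the original post and is neither OpenLDAP's code nor the fix the author refers to: a naive comma/space split cuts the SRV-lookup URI in two, while a split that treats a comma as a separator only when another URI follows keeps it whole. The function names and the `a.example.net`/`b.example.net` hosts in the checks are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_URIS 8
#define URI_LEN  128

static char uris[MAX_URIS][URI_LEN];   /* result buffer shared by both splitters */

/* Naive split at every comma or space, as the post describes for the -H
 * argument. Illustrative model only, not the code in common.c. */
static int split_naive(const char *arg, char out[][URI_LEN]) {
    char buf[MAX_URIS * URI_LEN];
    int n = 0;
    snprintf(buf, sizeof buf, "%s", arg);
    for (char *t = strtok(buf, ", "); t && n < MAX_URIS; t = strtok(NULL, ", "))
        snprintf(out[n++], URI_LEN, "%s", t);
    return n;
}

/* Does the token starting at s (up to the next comma/space) contain "://"? */
static int starts_uri(const char *s) {
    const char *m = strstr(s, "://");
    return m != NULL && (size_t)(m - s) < strcspn(s, ", ");
}

/* Hypothetical alternative: a comma separates URIs only when the text after
 * it looks like another URI, so the commas inside a DN are left alone. */
static int split_uri_aware(const char *arg, char out[][URI_LEN]) {
    int n = 0;
    size_t len = 0;
    for (const char *p = arg; n < MAX_URIS; p++) {
        int end = (*p == '\0');
        if (end || *p == ' ' || (*p == ',' && starts_uri(p + 1))) {
            if (len > 0) out[n++][len] = '\0';
            len = 0;
            if (end) break;
        } else if (len < URI_LEN - 1) {
            out[n][len++] = *p;
        }
    }
    return n;
}

int main(void) {
    const char *arg = "ldap:///dc=example,dc=net";   /* SRV-lookup form from the thread */
    printf("naive:     %d URI(s)\n", split_naive(arg, uris));
    printf("URI-aware: %d URI(s), first = %s\n", split_uri_aware(arg, uris), uris[0]);
    return 0;
}
```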