Full_Name: Quanah Gibson-Mount
Version: 2.4.48
OS: N/A
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (47.208.128.44)
When converting this basic slapd.conf for back-ldap:
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/ppolicy.schema
include /usr/local/etc/openldap/schema/misc.schema

loglevel 256
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args

modulepath /usr/local/libexec/openldap
moduleload rwm
moduleload back_ldap

database ldap
readonly yes
protocol-version 3
rebind-as-user yes
uri "ldaps://universe.example.com"
suffix "dc=universe,dc=example,dc=com"
overlay rwm
rwm-map attribute uid sAMAccountName
rwm-map attribute mail proxyAddresses
chase-referrals yes
idassert-bind bindmethod=simple binddn="cn=ldap_phone,ou=LDAP Access,dc=example,dc=com" credentials='Password1234' tls_cacert=/usr/local/etc/openldap/example_com_Universe_Root_CA.cer
The resulting back-ldap configuration has an invalid olcDbStartTLS attribute:
olcDbStartTLS: none starttls=no
Per the man page, "none" is not a valid value at all; and, also per the man page, since the URI uses ldaps, the value should be:
olcDbStartTLS: ldaps
The config is based on a real-life configuration from an end user, where things worked with slapd.conf but were broken after conversion to cn=config. Correcting the olcDbStartTLS value to a valid one resolved the issue.
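Added example, written here rather than taken from OpenLDAP: a small Python check that walks a slapcat dump of cn=config and flags olcDbStartTLS values that fall outside the mode and tls_* option keywords of the back-ldap tls directive in slapd-ldap(5), or whose mode disagrees with an ldaps:// olcDbURI. It assumes those two keyword sets are complete; SAMPLE_LDIF is a constructed dump holding the broken converted entry from this report and a corrected one.

```python
"""Check olcDbStartTLS values in a back-ldap cn=config LDIF (added example)."""
from typing import Dict, List

# Keywords of the back-ldap "tls" directive in slapd-ldap(5), which is what
# olcDbStartTLS carries in cn=config. Assumption: these two sets are complete.
TLS_MODES = {"start", "try-start", "propagate", "try-propagate", "ldaps"}
TLS_OPTIONS = {"tls_cert", "tls_key", "tls_cacert", "tls_cacertdir", "tls_reqcert",
               "tls_ciphersuite", "tls_protocol_min", "tls_crlcheck"}

def check_starttls(value: str, uri: str = "") -> List[str]:
    """Problems in one olcDbStartTLS value (empty list = valid); when the entry's
    olcDbURI is given, the mode must also agree with the URI scheme."""
    tokens = value.split()
    mode, problems = (tokens[0] if tokens else ""), []
    if mode not in TLS_MODES:
        problems.append(f"invalid mode {mode!r}; expected one of {sorted(TLS_MODES)}")
    for opt in tokens[1:]:  # anything after the mode must be a known tls_*=value
        key, sep, _ = opt.partition("=")
        if not sep or key not in TLS_OPTIONS:
            problems.append(f"unknown option {opt!r}")
    scheme = uri.strip('"').split("://", 1)[0].lower()
    if scheme == "ldaps" and mode != "ldaps":
        problems.append(f"URI is ldaps:// but mode is {mode!r}; expected 'ldaps'")
    return problems

def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Minimal LDIF reader: unfold ' '-continued lines, split entries on blank lines."""
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):
        pairs = (line.partition(":") for line in block.splitlines() if line.strip())
        entries.append({k.strip(): v.strip() for k, _, v in pairs})
    return [e for e in entries if e]

def check_ldif(text: str) -> Dict[str, List[str]]:
    """Map each entry DN that carries olcDbStartTLS to the problems found in it."""
    return {e.get("dn", "?"): check_starttls(e["olcDbStartTLS"], e.get("olcDbURI", ""))
            for e in parse_ldif(text) if "olcDbStartTLS" in e}

# Constructed sample: the broken converted entry from this report, then a fixed one
# (its long value is folded the way slapcat folds lines).
SAMPLE_LDIF = """\
dn: olcDatabase={1}ldap,cn=config
olcDbURI: "ldaps://universe.example.com"
olcDbStartTLS: none starttls=no

dn: olcDatabase={2}ldap,cn=config
olcDbURI: "ldaps://universe.example.com"
olcDbStartTLS: ldaps tls_cacert=/usr/local/etc/openldap/example_com_Universe_Root
 _CA.cer
"""
```

Running `check_ldif(SAMPLE_LDIF)` reports three problems for the first entry (invalid mode, unknown option, mode not matching the ldaps URI) and none for the second.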