Hello,
just in case someone is still looking at this, I stumbled on the same issue when upgrading openldap from an old version (2.4.2x) to 2.4.40. Used a debian package first, then compiled it myself, same behaviour.
However, I managed to make it work by explicitly setting the "override" flag in the chain-idassert-bind parameters (I'm not sure it's the right way to fix this "issue"):
chain-idassert-authzFrom "dn:*"
chain-idassert-bind bindmethod=sasl saslmech="EXTERNAL" mode=self flags=override,proxy-authz-critical starttls=critical tls_cacert=/etc/ldap/ssl/CA.pem tls_key=/etc/ldap/ssl/private/key.pem tls_cert=/etc/ldap/ssl/proxy.pem tls_reqcert=demand
For those who like the cn=config syntax better:
olcDbIDAssertBind: mode=self flags=prescriptive,override,proxy-authz-critical bindmethod=sasl timeout=0 network-timeout=0 saslmech=EXTERNAL keepalive=0:0:0 starttls=critical tls_cert="/opt/SNet/etc/ldap/ssl/proxy.pem" tls_key="/opt/SNet/etc/ldap/ssl/private/key.pem" tls_cacert="/opt/SNet/etc/ldap/ssl/CA.pem" tls_reqcert=demand
Note: Prior to that, the flags were NOT set explicitly, so the following default values were used:
olcDbIDAssertBind: mode=self flags=prescriptive,proxy-authz-non-critical bindmethod=sasl timeout=0 network-timeout=0 saslmech=EXTERNAL keepalive=0:0:0 starttls=critical tls_cert="/opt/SNet/etc/ldap/ssl/proxy.pem" tls_key="/opt/SNet/etc/ldap/ssl/private/key.pem" tls_cacert="/opt/SNet/etc/ldap/ssl/CA.pem" tls_reqcert=demand
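A small audit helper, added here as an example and not part of the post or of OpenLDAP itself: it parses an olcDbIDAssertBind (or chain-idassert-bind) value into its options and reports the two flag differences between the default line and the working line above (missing "override", proxyAuthz control sent non-critical), plus the TLS settings a proxy bind should keep. The two sample values are constructed after the lines in this thread; the audit rules are this example's own choices, not OpenLDAP defaults.

```python
"""Parse and audit an OpenLDAP idassert-bind option string.

Added example for this thread; not OpenLDAP code. The sample values are
constructed from the directives posted above (paths shortened).
"""

import shlex

# Constructed: the default-flags line and the working line from the post.
DEFAULT_BIND = (
    'mode=self flags=prescriptive,proxy-authz-non-critical bindmethod=sasl '
    'saslmech=EXTERNAL starttls=critical tls_reqcert=demand'
)
FIXED_BIND = (
    'mode=self flags=prescriptive,override,proxy-authz-critical bindmethod=sasl '
    'saslmech=EXTERNAL starttls=critical tls_reqcert=demand'
)


def parse_idassert_bind(value):
    """Split a 'key=value key=value ...' directive into a dict.

    The 'flags' option becomes a set of flag names. shlex.split is used so
    the quoted paths of the cn=config form (tls_cert="/path") parse cleanly.
    """
    opts = {}
    for token in shlex.split(value):
        key, sep, val = token.partition('=')
        if not sep:
            raise ValueError('expected key=value, got %r' % token)
        if key == 'flags':
            # Tolerate the doubled "flags=flags=..." typo that is easy to make
            # when hand-editing cn=config entries.
            if val.startswith('flags='):
                val = val[len('flags='):]
            opts[key] = set(val.split(','))
        else:
            opts[key] = val
    return opts


def audit_idassert_bind(value):
    """Return a list of findings (empty list means nothing to report)."""
    opts = parse_idassert_bind(value)
    flags = opts.get('flags', set())
    findings = []
    if 'override' not in flags:
        findings.append('flags: "override" not set (the fix in this thread '
                        'sets it explicitly)')
    if 'proxy-authz-critical' not in flags:
        findings.append('flags: proxyAuthz control is sent non-critical, so a '
                        'remote server that does not support it ignores it '
                        'instead of rejecting the operation')
    if opts.get('starttls') != 'critical':
        findings.append('starttls is not "critical": the bind may proceed '
                        'without TLS')
    if opts.get('tls_reqcert') != 'demand':
        findings.append('tls_reqcert is not "demand": the remote certificate '
                        'is not strictly verified')
    return findings


if __name__ == '__main__':
    for label, line in (('default', DEFAULT_BIND), ('fixed', FIXED_BIND)):
        print(label, audit_idassert_bind(line) or ['ok'])
```

Feed it the value of olcDbIDAssertBind from an ldapsearch of cn=config, or the argument string of chain-idassert-bind from slapd.conf, to see at a glance which flags differ from the working configuration.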