I'll have to see if I can track down stderr when this happens. Here is the configuration on that host:
# NOTE(review): several directives appear on one line in this transcription;
# slapd.conf takes one directive per line, so the host's file is presumably
# laid out that way and only the paste is collapsed.
# Schema files loaded into the server (core first; samba, ppolicy and the
# site-specific custom/ldapux/puppet schemas after it).
include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/samba.schema include /etc/openldap/schema/custom.schema include /etc/openldap/schema/ldapux.schema include /etc/openldap/schema/ppolicy.schema include /etc/openldap/schema/puppet.schema
# TLS: "TLSVerifyClient never" means slapd does not request a client
# certificate, so TLS here protects the channel and authenticates the server
# only; clients still authenticate through bind. The certificate and the
# private key are the same file (slapd.pem), so that file should be readable
# only by the account slapd runs as.
TLSVerifyClient never TLSCertificateFile /etc/openldap/slapd.pem TLSCertificateKeyFile /etc/openldap/slapd.pem TLSCACertificateFile /etc/openldap/ca.pem
# "loglevel sync" logs syncrepl activity only; bind and ACL decisions are not
# logged at this level, which is worth knowing while chasing the stderr
# output mentioned above.
pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args loglevel sync
# With reverse-lookup on, slapd resolves each client address back to a host
# name through DNS, adding a DNS dependency to every new connection.
reverse-lookup on
# NOTE(review): as pasted, the "include /etc/openldap/legacy.acl" and
# "include /etc/openldap/new.acl" directives share a line with a comment
# marker; whether they are live or commented out cannot be told from this
# transcription. The ACLs actually visible are the inline ones below.
# old ACLs include /etc/openldap/legacy.acl
# new ACLs include /etc/openldap/new.acl
# Global ACLs: access directives placed before the first "database" directive
# apply to every database defined below, presumably including the relay
# database for the legacy suffix (slapd consults a database's own ACLs first,
# then these). Rules are evaluated in order and the first "access to" whose
# target matches decides, so the userPassword rules must stay ahead of the
# subtree-wide "by * read" rules and the catch-all at the end.
#
# ou=users (one level): unauthenticated clients may use userPassword to
# authenticate (simple bind) but not read it; an entry may read its own;
# everyone else gets nothing.
# Allow anonymous access to userPassword for directory binds access to dn.onelevel="ou=users,dc=example2,dc=net" attrs="userPassword" by anonymous auth by self read by * none
# ou=users,ou=posix (one level): same as above but without "by anonymous auth",
# so simple binds against these entries cannot use userPassword here;
# presumably intentional (these accounts do not bind against this directory)
# -- confirm.
# Secure unix passwords access to dn.onelevel="ou=users,ou=posix,dc=example2,dc=net" attrs="userPassword" by self read by * none
# Same pattern for the legacy ou=people subtree (served via the relay
# database at the bottom) and for the new ou=people.
# Secure unix passwords # legacy access to dn.onelevel="ou=people,dc=example,dc=com" attrs="userPassword" by self read by * none
access to dn.onelevel="ou=people,dc=example2,dc=net" attrs="userPassword" by self read by * none
# Everything else under ou=posix, both ou=people trees and ou=group is
# readable by anyone, anonymous included; only userPassword was restricted
# above. NOTE(review): samba.schema is loaded and samba attributes are
# indexed below, so if entries in these subtrees carry sambaNTPassword /
# sambaLMPassword those values fall under these "by * read" rules as well
# -- confirm and add an attrs= rule for them if so.
# posix info is public access to dn.subtree="ou=posix,dc=example2,dc=net" by * read
# posix info is public # legacy access to dn.subtree="ou=people,dc=example,dc=com" by * read
access to dn.subtree="ou=people,dc=example2,dc=net" by * read
access to dn.subtree="ou=group,dc=example2,dc=net" by * read
# Base entries: the new base is readable by anyone; the legacy base and the
# rest of the legacy subtree are denied to everyone (the legacy ou=people
# rules above already matched what is meant to be visible there).
# access to the base dn access to dn.base="dc=example2,dc=net" by * read
# access to the base dn # legacy access to dn.base="dc=example,dc=com" by * none
# basic access # legacy access to dn.subtree="dc=example,dc=com" by * none
# Catch-all: whatever no earlier rule matched is readable by authenticated
# users and hidden from anonymous clients. Keep this last.
# basic access access to * by users read by * none
# Primary database (hdb) for the new suffix. rootdn bypasses the ACLs above.
# NOTE(review): rootpw is shown in cleartext here; slapd accepts a hashed
# value generated with slappasswd, so unless "password" is a redaction the
# file should carry the hash rather than the secret.
# "sizelimit unlimited" removes the server-side cap on entries returned per
# search. cachesize/idlcachesize are hdb entry and ID-list cache sizes.
database hdb suffix "dc=example2,dc=net" rootdn "cn=manager,dc=example2,dc=net" rootpw password index objectClass,uidNumber,gidNumber eq index cn,sn,uid,displayName pres,sub,eq index memberUid,mail,givenname eq,subinitial index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq index entryUUID,modifyTimestamp eq index location eq index service subinitial index uniqueMember eq directory /var/lib/ldap sizelimit unlimited cachesize 1000000 idlcachesize 3000000
# Password policy overlay on the hdb database, default policy entry given by DN.
overlay ppolicy ppolicy_default cn=default,ou=ppolicy,dc=example2,dc=net
# Syncrepl consumer: this host replicates the whole suffix from the provider
# in refreshAndPersist mode. "starttls=critical" makes replication fail rather
# than fall back to cleartext if StartTLS cannot be negotiated. retry="10 100
# 300 +" retries every 10s up to 100 times, then every 300s indefinitely.
# The bind credential is stored in cleartext in this file (syncrepl has no
# other option), which again makes the file's permissions the control.
# NOTE(review): the binddn uses "user=" as the RDN attribute type, which is
# unusual (uid= or cn= are the common forms); if the consumer cannot bind,
# check this against the sync account's actual DN.
syncrepl rid=1 provider=ldap://syncrepl.example2.net:389 type=refreshAndPersist searchbase="dc=example2,dc=net" bindmethod=simple binddn=user=sync-user,ou=users,dc=example2,dc=net starttls=critical credentials=password retry="10 100 300 +"
# Relay database: serves the legacy suffix by rewriting dc=example,dc=com to
# dc=example2,dc=net and forwarding to the hdb database above, with the same
# default password policy. NOTE(review): the legacy "by * none" ACLs above are
# presumably evaluated against the legacy DN before rewriting -- confirm,
# since that is what keeps the legacy view restricted to ou=people.
database relay suffix "dc=example,dc=com" overlay rwm rwm-suffixmassage "dc=example,dc=com" "dc=example2,dc=net" overlay ppolicy ppolicy_default cn=default,ou=ppolicy,dc=example2,dc=net