dkastens@uos.de wrote:
Full_Name: Dirk Kastens
Version: 2.4.39
OS: RedHat SL 6.6
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (2001:638:508:3d0:12a:32c6:740c:8971)
We installed an ldap cluster with a mirrored master and several replicas on RedHat SL 6.5 with openldap 2.4.23-34.el6_5.1.x86_64. Write requests to the replicas are referred to the master server. The chain overlay follows the referral. It connects with the saslmech EXTERNAL to the master. The master maps the DN of the certificate to the replica admin. The replica admin has its authzTo attribute set to the write admin. This way the writing perfectly worked on our replica servers for all admins that are listed in the authzTo attribute.

Shortly the machines were updated to SL 6.6 with openldap 2.4.39-8.el6.x86_64. The proxyauth stopped working. Write requests to the replica servers end with the error "ldap_modify: Other (e.g., implementation specific) error (80)".
Without debug output from slapd there's no evidence of an OpenLDAP software bug here. Most likely the TLS library changed between your two versions and you're missing a TLS option now.
Regardless, you're using a Red Hat build which contains their own unknown patches to the code. The OpenLDAP Project cannot support these builds since we don't know exactly what they are, but they are known to break OpenLDAP functionality on a routine basis. e.g. https://bugzilla.redhat.com/show_bug.cgi?id=1095976
Ask Red Hat for support on their build. Closing this ITS.