dkastens(a)uos.de wrote:
Full_Name: Dirk Kastens
Version: 2.4.39
OS: RedHat SL 6.6
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (2001:638:508:3d0:12a:32c6:740c:8971)
We installed an ldap cluster with a mirrored master and several replicas on
RedHat SL 6.5 with openldap 2.4.23-34.el6_5.1.x86_64. Write requests to the
replicas are referred to the master server. The chain overlay follows the
referral. It connects with the saslmech EXTERNAL to the master. The master maps
the DN of the certificate to the replica admin. The replica admin has its
authzTo attribute set to the write admin. This way the writing perfectly worked
on our replica servers for all admins that are listed in the authzTo attribute.
Shortly the machines were updated to SL 6.6 with openldap 2.4.39-8.el6.x86_64.
The proxyauth stopped working. Write requests to the replica servers end with
the error
"ldap_modify: Other (e.g., implementation specific) error (80)".

Without debug output from slapd there's no evidence of an OpenLDAP
software bug here. Most likely the TLS library changed between your two
versions and you're missing a TLS option now.
Regardless, you're using a Red Hat build which contains their own
unknown patches to the code. The OpenLDAP Project cannot support these
builds since we don't know exactly what they are, but they are known to
break OpenLDAP functionality on a routine basis. e.g.
https://bugzilla.redhat.com/show_bug.cgi?id=1095976
Ask Red Hat for support on their build. Closing this ITS.
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/