On 18 Dec 2024, at 22:59, Quanah Gibson-Mount <quanah@fast-mail.org> wrote:

--On Friday, November 29, 2024 12:37 PM +0100 cyril@stoll.info wrote:

Hi there

Sorry for the long post however I aim to provide as much information as
possible to help pinpoint the issue. Also sorry for any wrong wording as
I am still a bit overwhelmed with OpenLDAP and struggle to understand
everything I need.

From my predecessor I inherited an OpenLDAP 2.4.x cluster running on RHEL
7. My job is to migrate this cluster to OpenLDAP 2.6.x on RHEL 8.
The cluster consists of two provider and four consumer servers.
The old cluster was based on self-compiled original OpenLDAP binaries.
For the new cluster I am using the LTB version of OpenLDAP, currently
with version 2.6.8.
I also switched from HDB to MDB with the new cluster and am using Let's
Encrypt instead of DigiCert certificates and upped the TLS version from
1.0 to 1.2. And for the default password hashing algorhythm I switched
from SSHA to ARGON2.
So there are lots of changes that might potentially influence the meta
databases though I did not see anything that suggests this.

I would remove the shell loglevel from your config since you don't use any shell backends.

Sometimes I'll use slapd in debug mode (-d -1) to get a full dump of everything to dig through.

I noted that you have a duplicate entry for one of the meta backends:

dn: olcMetaSub={0}uri,olcDatabase={2}meta,cn=config

dn: olcMetaSub={1}uri,olcDatabase={2}meta,cn=config


These appear to have identical configurations, which may be a problem?  The other URIs on a same meta db have different rewrite options, but on the above, they are the same.

--Quanah