I've run into another quirk during my 2.5 upgrade process. We use the Apache ldap authnz module with a configuration such as: AuthLDAPURL ldaps://ldap.cpp.edu:636/DC=cpp,DC=edu?uid Require ldap-group uid=unxadmin,ou=group,dc=cpp,dc=edu This stopped working when accessing a server updated to 2.5. On the 2.4 server, the Apache logs look like: [Wed Nov 10 15:07:52.056237 2021] [authnz_ldap:debug] [pid 29887] mod_authnz_ldap.c(926): [client 10.104.223.117:51050] AH01714: auth_ldap authorize: require group: testing for member: uid=henson,ou=user,dc=cpp,dc=edu (uid=unxadmin,ou=group,dc=cpp,dc=edu) [Wed Nov 10 15:07:52.056264 2021] [authnz_ldap:debug] [pid 29887] mod_authnz_ldap.c(935): [client 10.104.223.117:51050] AH01715: auth_ldap authorize: require group: authorization successful (attribute member) [Comparison true (cached)][6 - Compare True] and the slapd logs look like: Nov 10 15:07:52 ldap-01 slapd[1233]: conn=224154 op=4 CMP dn="uid=unxadmin,ou=group,dc=cpp,dc=edu" attr="member" Nov 10 15:07:52 ldap-01 slapd[1233]: conn=224154 op=4 RESULT tag=111 err=6 text= Nov 10 15:08:42 ldap-01 slapd[1233]: conn=224154 fd=138 closed (connection lost) whereas on the 2.5 server, the Apache logs look like: [Wed Nov 10 15:03:52.375004 2021] [authnz_ldap:debug] [pid 29088] mod_authnz_ldap.c(926): [client 10.104.223.117:51022] AH01714: auth_ldap authorize: require group: testing for member: uid=henson,ou=user,dc=cpp,dc=edu (uid=unxadmin,ou=group,dc=cpp,dc=edu) [Wed Nov 10 15:03:52.375887 2021] [authnz_ldap:debug] [pid 29088] mod_authnz_ldap.c(945): [client 10.104.223.117:51022] AH01719: auth_ldap authorize: require group "uid=unxadmin,ou=group,dc=cpp,dc=edu": didn't match with attr member [Comparison false (adding to cache)][5 - Compare False] and the slapd logs look like: Nov 10 15:03:52 ldap-03 slapd[1197]: conn=208924 op=4 CMP dn="uid=unxadmin,ou=group,dc=cpp,dc=edu" attr="member" Nov 10 15:03:52 ldap-03 slapd[1197]: conn=208924 op=4 RESULT tag=111 err=5 qtime=0.000011 etime=0.000139 text= If I understand correctly, Apache is making a compare call to check to see if my DN (uid=henson,ou=user,dc=cpp,dc=edu) exists as a value of the member attribute in the group uid=unxadmin,ou=group,dc=cpp,dc=edu. It certainly does, on both the server running 2.4 and 2.5: dn: uid=unxadmin,ou=group,dc=cpp,dc=edu objectClass: groupOfNames objectClass: cppGroup objectClass: posixGroup uid: unxadmin cn: Unix Administrators gidNumber: 17730 member: member: uid=gkuri,ou=user,dc=cpp,dc=edu member: uid=henson,ou=user,dc=cpp,dc=edu memberUid: gkuri memberUid: henson Any thoughts on why this is behaving differently? The configuration should be pretty much identical, modulo required path changes and updating the memberOf handling. I was able to work around it by sitting a couple of additional parameters: AuthLDAPGroupAttribute memberUid AuthLDAPGroupAttributeIsDN off This now compares just my uid (henson) to the group memberUid attribute: Nov 10 15:24:54 ldap-03 slapd[1197]: conn=210708 op=4 CMP dn="uid=unxadmin,ou=group,dc=cpp,dc=edu" attr="memberUid" Nov 10 15:24:54 ldap-03 slapd[1197]: conn=210708 op=4 RESULT tag=111 err=6 qtime=0.000016 etime=0.000108 text= Apparently "err=6" is good and "err=5" is not :)? I was able to replicate this difference in behavior using the CLI tools: # ldapcompare -x -H ldaps://ldap-01.ldap.cpp.edu/ uid=unxadmin,ou=group,dc=cpp,dc=edu member:uid=henson,ou=user,dc=cpp,dc=edu TRUE # ldapcompare -x -H ldaps://ldap-03.ldap.cpp.edu/ uid=unxadmin,ou=group,dc=cpp,dc=edu member:uid=henson,ou=user,dc=cpp,dc=edu FALSE ldapsearch confirms that attribute exists for that group in both locations: ldapsearch -x -H ldaps://ldap-01.ldap.cpp.edu/ member=uid=henson,ou=user,dc=cpp,dc=edu dn | grep unxadmin # unxadmin, group, cpp.edu dn: uid=unxadmin,ou=group,dc=cpp,dc=edu # ldapsearch -x -H ldaps://ldap-03.ldap.cpp.edu/ member=uid=henson,ou=user,dc=cpp,dc=edu dn | grep unxadmin # unxadmin, group, cpp.edu dn: uid=unxadmin,ou=group,dc=cpp,dc=edu Help :)? Thanks much…