
troubles with automatic chaining



Hello,

I'm trying to use slapo-chain to do automatic chaining on the slave.
I have read the howto about this and I think my configuration is correct, but it doesn't work every time!!
I have a strange problem: it works correctly for a while, but if I modify my configuration for something else, for example to add ppolicy, and restart the servers, it stops working.
Even if I remove the last modification, I can't get it working again.
For reasons I don't understand, the slave sometimes sends the correct bind, and at other times it binds to the master anonymously!!
In the latter case, I get these errors:


For a password change: LDAP password information update failed: Proxy Authorization Failure
For ldapmodify: ldap_modify: Strong(er) authentication required (8)


If I comment out the security parameter on the master, it doesn't change anything.

My setup:
- version 2.3.38
- 1 master
- 2 slaves as replicas using syncrepl, authenticating to the master with SASL EXTERNAL


On the master, I have added these entries:
--------------------------------------------------------------
# Identity the master's authz-regexp maps slave1's client certificate to.
# It is a plain organizationalRole with no userPassword, so nothing can bind
# as it directly; what matters is the authzTo rule, which lets the mapped
# slave proxy-authorize as any DN of the form uid=<x>,ou=users,dc=example,dc=com.
# That regex is the full blast radius of a stolen slave key: keep it no wider
# than the users who really must write through the chain.
dn: cn=referral1,ou=system,dc=example,dc=com
objectClass: organizationalRole
cn: referral1
ou: system
authzTo: dn.regex:^uid=[^,]*,ou=users,dc=example,dc=com$

# Same role for slave2, with an identical authzTo scope.
dn: cn=referral2,ou=system,dc=example,dc=com
objectClass: organizationalRole
cn: referral2
ou: system
authzTo: dn.regex:^uid=[^,]*,ou=users,dc=example,dc=com$
--------------------------------------------------------------
--------------------
Master config:
------------------
# Modules: back_ldap is loaded although no "database ldap"/"overlay chain"
# follows in this listing; ppolicy.la is loaded without an "overlay ppolicy"
# line (the poster mentions adding and then removing ppolicy, so this may be
# a leftover).
moduleload       back_ldap.la
moduleload      ppolicy.la
moduleload      syncprov.la
moduleload      unique.la
moduleload      accesslog.la
moduleload      auditlog.la
moduleload     lastmod.la
##
# Server certificate/key. CA.crt is also the trust anchor used to verify the
# slaves' client certificates, which is what SASL EXTERNAL relies on below.
TLSCertificateFile      /etc/ssl/openldap2.3/master.crt
TLSCertificateKeyFile   /etc/ssl/openldap2.3/private/master.key
TLSCACertificateFile    /etc/ssl/openldap2.3/CA.crt
# "allow" requests a client certificate but lets the handshake proceed without
# one, and a bad certificate is ignored. EXTERNAL only yields an identity when
# a certificate was presented and verified, so a slave whose cert is missing
# or rejected ends up with no SASL identity. "try" keeps certificates optional
# but terminates the session on a bad one, which makes such failures visible.
TLSVerifyClient  allow
##
# "none" clears the default SASL secprops ("noanonymous,noplain"), so anonymous
# SASL binds and plaintext mechanisms are no longer refused at the SASL layer.
# NOTE(review): confirm this is intended and not a debugging leftover -- the
# "security" line below is then the only strength floor.
sasl-secprops none
# logging
# 256 = "stats" (connections, operations, results).
loglevel 256
# Minimum SSF floors: every operation needs SSF>=1 (TLS or SASL layer),
# updates need >=112, simple binds need >=64. The poster saw no change when
# commenting this out, which is consistent with the failure being in proxy
# authorization rather than in transport strength.
security ssf=1 update_ssf=112 simple_bind=64
##
# Proxy authorization is decided by the authzTo attribute on the entry the
# *authenticating* identity maps to (cn=referralN), i.e. the "to" policy.
authz-policy    to
# Maps each slave's SASL authentication identity to its referral entry. For
# EXTERNAL over TLS that identity is the client certificate's subject DN.
# NOTE(review): the patterns are unanchored regexes, so "cn=slave1" also
# matches a subject such as cn=slave10; anchor them to the exact subject once
# it is known (e.g. from "ldapwhoami -Y EXTERNAL -ZZ" run on the slave).
authz-regexp   cn=slave1
      cn=referral1,ou=system,dc=example,dc=com
authz-regexp   cn=slave2
      cn=referral2,ou=system,dc=example,dc=com
####
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,ou=system,dc=example,dc=com"
# Cleartext rootpw in the config file (and now in a public post). Store a hash
# produced by slappasswd instead, and change the value if "toto" is the real one.
rootpw          toto

directory /usr/local/ldap
mode 0600
#
# Provider side of syncrepl for the two slaves.
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
##
lastmod on
cachesize 2000
checkpoint 256 5
#
index objectClass eq
index cn,mail,surname,givenname eq,subinitial
index uidNumber,gidNumber,memberuid,member,uniqueMember eq
index uid eq,subinitial
index entryCSN,entryUUID eq
##
# Unlimited search limits for system accounts and the replica identity.
# In slapd.conf a continuation line must begin with whitespace, but the
# size=/time= lines appear at column 0 here -- possibly stripped by the mail
# client, otherwise slapd will not parse them as part of "limits".
# NOTE(review): the two dn.regex limits are identical (both slave1); the second
# was presumably meant for slave2. "." is unescaped in these regexes.
limits dn.onelevel="ou=system,dc=example,dc=com"
size=unlimited
time=unlimited
limits dn.regex="cn=slave1.example.com"
size=unlimited
time=unlimited


limits dn.regex="cn=slave1.example.com"
size=unlimited
time=unlimited



------------------------------
Slave1 Config
-----------------------------

moduleload back_ldap.la
moduleload accesslog.la
moduleload auditlog.la
moduleload unique.la
moduleload lastmod.la
#
# The slave's own certificate/key. This is the identity presented to the
# master for SASL EXTERNAL, both by the chain overlay and by syncrepl, so its
# subject must be what the master's authz-regexp expects.
TLSCertificateFile /etc/ssl/openldap2.3/slave1.crt
TLSCertificateKeyFile /etc/ssl/openldap2.3/private/slave1.key
TLSCACertificateFile /etc/ssl/openldap2.3/CA.crt
TLSVerifyClient allow
# Clears the default SASL secprops ("noanonymous,noplain") on this server too.
sasl-secprops none
loglevel 256
# No SSF floor for reads (ssf=0); updates need >=156, simple binds >=64.
security ssf=0 update_ssf=156 simple_bind=64
##chasing referrals
# Global (frontend) chain overlay: referrals returned by the local database
# (see "updateref" at the bottom) are followed to the master instead of being
# handed back to the client. The URI is plain ldap://; it is upgraded with
# StartTLS by "chain-tls start" / starttls=critical below.
overlay chain
chain-uri ldap://master.example.com
# Identity assertion: the slave authenticates to the master with its own
# certificate (EXTERNAL) and asserts the DN of the locally bound user
# (mode=self) through proxy authorization, which the master's authzTo rules
# must permit. NOTE(review): with EXTERNAL the bind identity comes from the
# certificate, so binddn is presumably just a placeholder; the continuation
# lines appear at column 0 here although slapd.conf requires leading
# whitespace; and "min_ssf" is not an idassert-bind keyword I recognise --
# run slaptest to confirm this parses as a single directive.
chain-idassert-bind bindmethod=sasl
saslmech="EXTERNAL"
binddn="cn=bugworkaround"
mode="self"
starttls="critical"
min_ssf="163"
chain-tls start
# Return the master's result to the client instead of the referral.
chain-return-error TRUE
# NOTE(review): this (now disabled) directive selects which local identities
# may use identity assertion; while commented out the behaviour is whatever
# slapd-ldap's default is. Re-enabling it is a cheap test against the
# "binds anonymously" symptom; "*" means every local identity, so narrow it
# afterwards if only ou=users accounts should be proxied.
#chain-idassert-authzFrom "*"
#
database bdb
suffix "dc=example,dc=com"
##
rootdn "cn=admin,ou=system,dc=example,dc=com"
# Cleartext rootpw; store a slappasswd hash instead, and rotate it if this
# value is real.
rootpw secret
directory /env/database/ldap
lastmod off
checkpoint 256 5
index objectClass eq
index cn,mail,surname,givenname eq,subinitial
index uidNumber,gidNumber,memberuid,member,uniqueMember eq
index uid eq,subinitial
index entryCSN,entryUUID eq
#
# size=/time= are continuation lines and must start with whitespace in
# slapd.conf; they appear at column 0 here (possibly a mail artefact).
limits dn.onelevel="ou=system,dc=example,dc=com"
size=unlimited
time=unlimited
#
# Consumer: refreshAndPersist from the master; StartTLS is mandatory before
# the EXTERNAL bind, for which the slave certificate above is the credential.
# The keyword lines below are continuations and also need leading whitespace.
syncrepl rid=23
provider=ldap://master.example.com
type=refreshAndPersist
retry=3,1,10,2,60,+
searchbase="dc=example,dc=com"
filter="(objectClass=*)"
attrs="*"
scope=sub
schemachecking=off
bindmethod=sasl
saslmech=EXTERNAL
starttls=critical
##
# Write referral that the chain overlay above follows. NOTE(review): the
# trailing ";" is not slapd.conf syntax -- check that slaptest accepts this line.
updateref "ldap://master.example.com";






Any help will be appreciated...