On Fri, 2008-10-31 at 16:32 -0400, Steve Thompson wrote: > CentOS 5.2 with OpenLDAP 2.3.27, nss_ldap_253.13, using TLS, i686 and > x86_64. > > LDAP password information update failed: Referral > > If I comment out "ssl start_tls", the referral to the master is followed > and the password change operation succeeds. I've found references to > problems with earlier releases of pam_ldap when referrals were not > properly followed when using TLS, and these are supposed to be fixed; > apparently not in my case. Can anyone hit me with the clue stick? Does the common name in the certificate or the x509 v3 extensions match the hostname used in the referral in your slapd.conf? Is the certificate issued by the ldap server you are being referred to signed by a trusted CA? Following referrals using start_tls works just fine for me.