diff --git a/CHANGES b/CHANGES
index 6dbd3338712455fa7634badbf4dec66ed7d7a479..c0367ad762bd5be400cada0d5b94ee828c9966d6 100644
--- a/CHANGES
+++ b/CHANGES
@@ -3,5 +3,6 @@ OpenLDAP 2.4 Change Log
 OpenLDAP 2.4.6 Engineering
 	Fixed slapd ACL sets memory handling (ITS#4873)
 	Added slapd ACL sets DN ancestors operator (ITS#4860)
+	Fixed slapd ordered values add normalization issue (ITS#5136)
 	Fixed slapd-ldap SASL idassert w/o autchId
 	Fixed slapo-rwm modlist handling (ITS#5124)
diff --git a/servers/slapd/value.c b/servers/slapd/value.c
index f6332eea62055ae5223a06fa6be83dc018822078..ac6ddd3c5372f0d0bd2aef269ac34a48a8cb9d87 100644
--- a/servers/slapd/value.c
+++ b/servers/slapd/value.c
@@ -718,7 +718,21 @@ ordered_value_add(
 	}
 
 	new = ch_malloc( (anum+vnum+1) * sizeof(struct berval));
-	if ( a->a_nvals && a->a_nvals != a->a_vals ) {
+
+	/* sanity check: if normalized modifications come in, either
+	 * no values are present or normalized existing values differ
+	 * from non-normalized; if no normalized modifications come in,
+	 * either no values are present or normalized existing values
+	 * don't differ from non-normalized */
+	if ( nvals != NULL ) {
+		assert( nvals != vals );
+		assert( a->a_nvals == NULL || a->a_nvals != a->a_vals );
+
+	} else {
+		assert( a->a_nvals == NULL || a->a_nvals == a->a_vals );
+	}
+
+	if ( ( a->a_nvals && a->a_nvals != a->a_vals ) || nvals != NULL ) {
 		nnew = ch_malloc( (anum+vnum+1) * sizeof(struct berval));
 		/* Shouldn't happen... */
 		if ( !nvals ) nvals = vals;