Hi all,
In view of the new OpenLDAP release, I ran some tests using the current snapshot of the OPENLDAP_REL_ENG_2_4_48 tree, and based on my findings it seems that this build breaks the back_ldap backend when it is used with a remote ldaps:/// server.
In particular, the following snippet of proxy bind configuration, which works on the same system, with the same remote ldaps:/// server / certificate and the 2.4.47 release, fails with the engineering release of 2.4.48. The testing environment was Debian (Stable/Buster), and OpenLDAP was compiled with Debian's GnuTLS libs. Based on my previous experience I would have bet that this is a GnuTLS issue; however, this seems to be a different case, considering that the error happens only with the switch from 2.4.47 to 2.4.48. Could this be another side effect of the fixes related to ITS#8427?
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {2}back_ldap
olcModuleLoad: rwm

dn: olcOverlay={0}rwm,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
olcRwmRewrite: rwm-rewriteEngine "on"
olcRwmRewrite: rwm-rewriteContext "bindDN"
olcRwmRewrite: rwm-rewriteRule "^academicID=([^,]+),ou=People,dc=acme" "academicID=$1,cn=authn" ":@I"

dn: olcDatabase={3}ldap,cn=config
changetype: add
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {3}ldap
olcAccess: to * by * manage
olcSuffix: cn=authn
olcRootDN: cn=admin,cn=authn
olcRootPW: {SSHA}<REMOVED>
olcDbURI: ldaps://remote-authn.acme.foo:636

dn: olcOverlay={0}rwm,olcDatabase={3}ldap,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
olcRwmRewrite: rwm-rewriteEngine "on"
olcRwmRewrite: rwm-rewriteContext "bindDN"
olcRwmRewrite: rwm-rewriteRule "^academicID=([^,]+),cn=authn" "academicID=$1,ou=People,dc=acme" ":@I"
The debug output shows the following:
5d32a159 <<< dnPrettyNormal: <academicID=E2Q4KXGLNSPLB25T8TLLT5,ou=People,dc=acme>, <academicID=e2q4kxglnsplb25t8tllt5,ou=people,dc=acme>
ldap_create
ldap_url_parse_ext(ldaps://remote-authn.acme.foo:636)
5d32a159 =>ldap_back_getconn: conn=1000 op=0: lc=0x7f10ac12abc0 inserted refcnt=1 rc=0
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP remote-authn.acme.foo:636
ldap_new_socket: 16
ldap_prepare_socket: 16
ldap_connect_to_host: Trying <IP of remote-authn.acme.foo>:636
ldap_pvt_connect: fd: 16 tm: -1 async: 0
attempting to connect:
connect success
tls_write: want=337, written=337
  0000:  16 03 01 01 4c 01 00 01  48 03 03 57 00 4d a5 80   ....L...H..W.M..
  0010:  d4 4b 71 8e 08 62 4f 7a  b6 a9 4f 20 cd e3 04 9b   .Kq..bOz..O ....
  0020:  04 91 54 e8 78 9d 20 44  cd bd b3 00 00 3a 13 02   ..T.x. D.....:..
  0030:  13 03 13 01 13 04 c0 2c  cc a9 c0 ad c0 0a c0 2b   .......,.......+
.... ....
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
5d32a169 send_ldap_result: conn=1000 op=0 p=3
5d32a169 send_ldap_result: err=52 matched="" text="Proxy operation retry failed"
5d32a169 send_ldap_response: msgid=1 tag=97 err=52
Best Regards,
Nikos
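An added illustration, not part of the post or of OpenLDAP itself, of what the two rwm overlays in the configuration above do to a bind DN before back_ldap ever opens the TLS connection to the remote server. It assumes that the ":@I" flag means case-insensitive matching (so the normalized, lowercased DN from the dnPrettyNormal line still matches) and substitutes Python's re module for slapd's rewrite engine, with slapd's "$1" written as "\1":

```python
import re

# rewriteRule pairs copied from the two rwm overlays in the posted LDIF.
# Assumption: ":@I" is read as case-insensitive matching, hence re.IGNORECASE.
FRONTEND_BIND_DN_RULES = [
    (r"^academicID=([^,]+),ou=People,dc=acme", r"academicID=\1,cn=authn"),
]
LDAP_DB_BIND_DN_RULES = [
    (r"^academicID=([^,]+),cn=authn", r"academicID=\1,ou=People,dc=acme"),
]
PROXY_DB_SUFFIX = "cn=authn"  # olcSuffix of the {3}ldap database


def rewrite_dn(dn, rules):
    """Apply the first matching rule to dn; return (result, matched).

    Like slapd's rewrite engine, the whole result is the expanded template,
    not the original string with only the matched part replaced.
    """
    for pattern, template in rules:
        m = re.match(pattern, dn, re.IGNORECASE)
        if m:
            return m.expand(template), True
    return dn, False


def trace_bind_dn(client_dn):
    """Follow a client bind DN through the posted configuration.

    Stage 1: the frontend rwm overlay rewrites the bindDN so it falls under
             cn=authn, which is what selects the {3}ldap proxy database.
    Stage 2: the rwm overlay on {3}ldap maps it back to ou=People,dc=acme
             before back_ldap binds to ldaps://remote-authn.acme.foo:636.
    """
    routed_dn, _ = rewrite_dn(client_dn, FRONTEND_BIND_DN_RULES)
    if not routed_dn.lower().endswith(PROXY_DB_SUFFIX):
        # Not under cn=authn: served by another local database, never proxied.
        return {"routed_dn": routed_dn, "proxied": False, "remote_dn": None}
    remote_dn, _ = rewrite_dn(routed_dn, LDAP_DB_BIND_DN_RULES)
    return {"routed_dn": routed_dn, "proxied": True, "remote_dn": remote_dn}


if __name__ == "__main__":
    # The DN from the debug output above, traced through both stages.
    print(trace_bind_dn("academicID=E2Q4KXGLNSPLB25T8TLLT5,ou=People,dc=acme"))
```

Only a DN that ends up under cn=authn after stage 1 reaches back_ldap, so the TLS trust failure in the log is hit only for proxied binds, not for DNs served locally.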