Hi all,

In the view of the new openldap release, I ran some tests by using the current snapshot of the OPENLDAP_REL_ENG_2_4_48 tree and based on my findings It seems that this build breaks the back_ldap backend when it is used with a remote ldaps:/// server.

In particular, the following snippet of proxy bind configuration, which works on the same system, with the same remote ldaps:/// server / certificate and the 2.4.47 release, fails with the engineering release of 2.4.48. The testing environment was a Debian (Stable/Buster) and Openldap was compiled with the Debian's gnu TLS libs. Based on my previous experience I would have bet that this is a GNU TLS issue, however this seems to be a different case considering that the error happens only with the switch from the 2.4.47 to 2.4.48. Could this be another side effect of the related to ITS#8427 fixes?

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {2}back_ldap
olcModuleLoad: rwm

dn: olcOverlay={0}rwm,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
olcRwmRewrite: rwm-rewriteEngine "on"
olcRwmRewrite: rwm-rewriteContext "bindDN"
olcRwmRewrite: rwm-rewriteRule "^academicID=([^,]+),ou=People,dc=acme" "academicID=$1,cn=authn" ":@I"

dn: olcDatabase={3}ldap,cn=config
changetype: add
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {3}ldap
olcAccess: to * by * manage
olcSuffix: cn=authn
olcRootDN: cn=admin,cn=authn
olcRootPW: {SSHA}<REMOVED>
olcDbURI: ldaps://remote-authn.acme.foo:636

dn: olcOverlay={0}rwm,olcDatabase={3}ldap,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
olcRwmRewrite: rwm-rewriteEngine "on"
olcRwmRewrite: rwm-rewriteContext "bindDN"
olcRwmRewrite: rwm-rewriteRule "^academicID=([^,]+),cn=authn" "academicID=$1,ou=People,dc=acme" ":@I"

The debug output shows the following:

5d32a159 <<< dnPrettyNormal: <academicID=E2Q4KXGLNSPLB25T8TLLT5,ou=People,dc=acme>, <academicID=e2q4kxglnsplb25t8tllt5,ou=people,dc=acme>
ldap_create
ldap_url_parse_ext(ldaps://remote-authn.acme.foo:636)
5d32a159 =>ldap_back_getconn: conn=1000 op=0: lc=0x7f10ac12abc0 inserted refcnt=1 rc=0
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP remote-authn.acme.foo:636
ldap_new_socket: 16
ldap_prepare_socket: 16
ldap_connect_to_host: Trying <IP of remote-authn.acme.foo>:636
ldap_pvt_connect: fd: 16 tm: -1 async: 0
attempting to connect:
connect success
tls_write: want=337, written=337

0000: 16 03 01 01 4c 01 00 01 48 03 03 57 00 4d a5 80 ....L...H..W.M..
0010: d4 4b 71 8e 08 62 4f 7a b6 a9 4f 20 cd e3 04 9b .Kq..bOz..O ....
0020: 04 91 54 e8 78 9d 20 44 cd bd b3 00 00 3a 13 02 ..T.x. D.....:..
0030: 13 03 13 01 13 04 c0 2c cc a9 c0 ad c0 0a c0 2b .......,.......+

....

TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
5d32a169 send_ldap_result: conn=1000 op=0 p=3
5d32a169 send_ldap_result: err=52 matched="" text="Proxy operation retry failed"
5d32a169 send_ldap_response: msgid=1 tag=97 err=52

Best Regards,

Nikos