Hi all,

In the view of the new openldap release, I ran some tests by using the
current snapshot of the OPENLDAP_REL_ENG_2_4_48 tree and based on my
findings It seems that this build breaks the back_ldap backend when it is
used with a remote ldaps:/// server.

In particular, the following snippet of proxy bind configuration, which
works on the same system, with the same remote ldaps:/// server /
certificate and the 2.4.47 release, fails with the engineering release of
2.4.48. The testing environment was a Debian (Stable/Buster) and Openldap
was compiled with the Debian's gnu TLS libs. Based on my previous
experience I would have bet that this is a GNU TLS issue, however this
seems to be a different case considering that the error happens only with
the switch from the 2.4.47 to 2.4.48. Could this be another side effect of
the related to ITS#8427 fixes?

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {2}back_ldap
olcModuleLoad: rwm

dn: olcOverlay={0}rwm,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
olcRwmRewrite: rwm-rewriteEngine "on"
olcRwmRewrite: rwm-rewriteContext "bindDN"
olcRwmRewrite: rwm-rewriteRule "^academicID=([^,]+),ou=People,dc=acme"
"academicID=$1,cn=authn" ":@I"

dn: olcDatabase={3}ldap,cn=config
changetype: add
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {3}ldap
olcAccess: to * by * manage
olcSuffix: cn=authn
olcRootDN: cn=admin,cn=authn
olcRootPW: {SSHA}<REMOVED>
olcDbURI: ldaps://remote-authn.acme.foo:636

dn: olcOverlay={0}rwm,olcDatabase={3}ldap,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
olcRwmRewrite: rwm-rewriteEngine "on"
olcRwmRewrite: rwm-rewriteContext "bindDN"
olcRwmRewrite: rwm-rewriteRule "^academicID=([^,]+),cn=authn"
"academicID=$1,ou=People,dc=acme" ":@I"

The debug output shows the following:

5d32a159 <<< dnPrettyNormal:
<academicID=E2Q4KXGLNSPLB25T8TLLT5,ou=People,dc=acme>,
<academicID=e2q4kxglnsplb25t8tllt5,ou=people,dc=acme>
ldap_create
ldap_url_parse_ext(ldaps://remote-authn.acme.foo:636)
5d32a159 =>ldap_back_getconn: conn=1000 op=0: lc=0x7f10ac12abc0 inserted
refcnt=1 rc=0
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP remote-authn.acme.foo:636
ldap_new_socket: 16
ldap_prepare_socket: 16
ldap_connect_to_host: Trying <IP of remote-authn.acme.foo>:636
ldap_pvt_connect: fd: 16 tm: -1 async: 0
attempting to connect:
connect success
tls_write: want=337, written=337
  0000:  16 03 01 01 4c 01 00 01  48 03 03 57 00 4d a5 80
....L...H..W.M..
  0010:  d4 4b 71 8e 08 62 4f 7a  b6 a9 4f 20 cd e3 04 9b   .Kq..bOz..O
....
  0020:  04 91 54 e8 78 9d 20 44  cd bd b3 00 00 3a 13 02   ..T.x.
D.....:..
  0030:  13 03 13 01 13 04 c0 2c  cc a9 c0 ad c0 0a c0 2b
.......,.......+

....
....

TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
5d32a169 send_ldap_result: conn=1000 op=0 p=3
5d32a169 send_ldap_result: err=52 matched="" text="Proxy operation retry
failed"
5d32a169 send_ldap_response: msgid=1 tag=97 err=52


Best Regards,
Nikos

Reply via email to