Hi all,
I answer to your replies, good news: I found the problem.
@ Howard
Thank you for told me that this is not a bug, it was a good point to start from.
@ Michael
the back-sock listener is the same for Debian9 and for Debian10, the most important information is that neither "servers/slapd/back-sock/
searchexample.pl" worked on Debian10, but only on Debian9. The back-sock listener is a gevent python3 server. Thank you for apparmor hints, I found this information reading openldap archives. On Debian10 we do not have SElinux but only apparmor, I confirm all you wrote.
I just made some mistake in ACL, because I can read results with
"ldapsearch -H ldapi:// -Y EXTERNAL -b "dc=proxy,dc=myorg,dc=it""
but not with
ldapsearch -H ldap://localhost:389 -D "cn=admin,dc=myorg,dc=it" -w slapdsecret -b "dc=proxy,dc=myorg,dc=it"
So I understood it was a silly ACL problem behind this.
I just added an ACL as follow and everything works fine!
````
export BASEDC="dc=myorganization,dc=it"
ldapadd -Y EXTERNAL -H ldapi:/// <<EOF
dn: olcDatabase={4}sock,cn=config
changeType: modify
add: olcAccess
olcAccess: to *
by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
by * break
olcAccess: to dn.subtree="ou=people,$BASEDC"
by dn.children="ou=auth,$BASEDC" read
by self read
by * break
olcAccess: to *
by anonymous auth
by * break
EOF
````
the question about Debian9 / Debian10 derived from different ldapsearch authentication methods,
Thank you all for your time