Core Server / SERVER-90107

Enable external_auth tests on Debian Variants

    • Type: Task
    • Resolution: Unresolved
    • Priority: Major - P3
    • Affects Version/s: None
    • Component/s: None
    • Server Security

      external_auth suites are not something we have previously enabled / supported on Debian variants.

      However, it may be straightforward to enable these and expand test coverage. According to varun.ravichandran@mongodb.com:

      I believe external_auth was initially failing due to 2 tests: ldap_authz_bind.js and ldap_tool_ocsp.js.

      ldap_authz_bind.js was failing because OpenLDAP uses GnuTLS on Debian. GnuTLS doesn't support SHA-1 signed certificates anymore, which is what ldaptest.10gen.cc uses. ldap_authz_bind.js and ldap_tls.js are the only LDAP tests that use TLS when connecting to ldaptest.10gen.cc, and ldap_tls.js already has a check that prevents it from running on anything but RHEL. ldap_authz_bind.js was already being skipped on Ubuntu (which also uses GnuTLS), so I extended this check to also account for Amazon Linux 2023 and Debian. Now, that test doesn't fail anymore.

      ldap_tool_ocsp.js fails because it is unable to start a Python mock OCSP server. The error indicates that oscrypto was unable to determine the version of libcrypto on the machine. This appears to be a bug on oscrypto 1.3.0 and OpenSSL 3.0 that has since been patched. So we could probably fix this also by pinning oscrypto to a higher version (1.3.1) or by simply skipping this test also on Debian and other distros that have OpenSSL 3.0.

      Since there's only 1 test left failing, I wonder if it would be worth it to just target the fix for that appropriately rather than blocking external_auth on Debian entirely? We would be getting a decent amount of additional test coverage from this as compared to blocking the entire suite.

            Assignee: Unassigned
            Reporter: Adam Rayner (adam.rayner@mongodb.com)