ITS#9045 Do not share cn=config entries with outside code

config_back_entry_get currently returns the entry directly without securing the rwlock, which is unsafe. However we can't keep holding it on return in case the caller decides to hold onto the entry indefinitely, hence rlock+entry_dup+runlock.