On 7/31/21 1:26 PM, Philipp Wagner wrote:
Someone submitted an update to OpenLDAP 2.5. https://build.opensuse.org/request/show/909449
That someone was me.
Personally I have no objections to simply accepting your request. But I'm pretty sure someone (not me!) has to deal with the fallout. Therefore I wanted to draw some attention to your request.
Here's a bit of background: I need the client side (libldap/ldapsearch) of OpenLDAP 2.5 to support SNI (Server Name Indication) over TLS 1.3, a configuration that is needed to access "Google Secure LDAP" with the OpenSSL version we have in Tumbleweed. There are more libldap options I'd also like to see in Tumbleweed.
So here's the request: If you're currently running an OpenLDAP server on Tumbleweed, or have a more sophisticated LDAP-related setup, could you give the new OpenLDAP 2.5 packages a try?
I have two flavors of my own OpenLDAP 2.5 packages that I have already been testing for a while, e.g. for my Æ-DIR: https://build.opensuse.org/project/show/home:stroeder:openldap25
IMHO Æ-DIR counts as a more complex OpenLDAP setup and therefore I know that there are breaking changes. Personally I'm still using static config (aka slapd.conf) and thus I can always easily adapt this static config for 2.5, bringing up slapd again without nasty blocker issues. But if people are using back-config (aka cn=config) they would e.g. first have to remove the ppolicy module, overlay config and schema from cn=config, restart slapd, and then re-add the ppolicy module and overlay config.
If people are still using back-bdb or back-hdb it has to be decided whether that should still be built. Still building back-bdb/-hdb contradicts SUSE's attempt to get rid of Berkeley-DB and has no real upstream support anymore. And personally I don't want to waste my time implementing repair scripts like this for a smooth upgrade: https://build.opensuse.org/package/view_file/network:ldap/openldap2/fixup-mo...
Another thing to check for: OpenLDAP used to provide a thread-safe library "libldap_r". In openSUSE (and Fedora at least), we symlinked this library to "libldap" for a while. In OpenLDAP 2.5 the "libldap_r" library is gone and one should always use "libldap". [..] [..] we can introduce a compat-symlink to libldap_r.
I don't see a reason not to create a compat-symlink to libldap_r. That's what I already did in my home:stroeder:openldap25/openldap2.
Ciao, Michael.