[opensuse-factory] openldap packages
HI!
Since quite a while I'm maintaining my own version of OpenLDAP packages:
https://build.opensuse.org/package/show/home:stroeder:branches:network:ldap/...
The differences are documented in the .changes files.
I've already tried to submit them upstream but the request got rejected [1] since I've removed all the OpenLDAP 2.3 cruft still sitting in the upstream package. I can somewhat understand the argument but I'd strongly recommend to build the compat package in a separate package since it has completely different source files.
I'd be willing to actively maintain the OpenLDAP packages but not the ancient 2.3 stuff.
What do people think about it?
Ciao, Michael.
[1] https://build.opensuse.org/request/show/289807
On Sat, 12 Sep 2015 10:52:05 +0200, Michael Ströder wrote:
HI!
Since quite a while I'm maintaining my own version of OpenLDAP packages:
https://build.opensuse.org/package/show/home:stroeder:branches:network:ldap/openldap2
The differences are documented in the .changes files.
I've already tried to submit them upstream but the request got rejected [1] since I've removed all the OpenLDAP 2.3 cruft still sitting in the upstream package. I can somewhat understand the argument but I'd strongly recommend to build the compat package in a separate package since it has completely different source files.
I'd be willing to actively maintain the OpenLDAP packages but not the ancient 2.3 stuff.
What do people think about it?
Ciao, Michael.
I would love to see a more recent openldap package myself - I wonder if you saw the post I made on the build service ML.
It looks like the official package, while versioned 2.4.39 is actually 2.3.37 (but -V actually reports 2.4.39), based on my own branching of the official package in an attempt to build the contrib 'allop' overlay, which I need for a project I'm working on.
It would be nice if those contrib modules could also be included in a separate package.
Jim
--
Jim Henderson
Please keep on-topic replies on the list so everyone benefits
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Jim Henderson wrote:
I would love to see a more recent openldap package myself - I wonder if you saw the post I made on the build service ML.
The original package can be updated pretty easily. But adding more feature packages is a hell to maintain.
It looks like the official package, while versioned 2.4.39 is actually 2.3.37 (but -V actually reports 2.4.39),
Not true. It is 2.4.39. Read the openldap2.spec file more carefully:
It builds 2.3.43 tools etc. for automagic migration. But 2.3.x was set to ancient status years ago by the OpenLDAP project. Also I consider such an in-place migration to be pretty error-prone.
=> So there's no point to maintain this 2.3.x cruft (except compat libldap 2.3.x for legacy binary software).
I put quite some effort into my variant of the package. But I'm not willing to manage the old bloat.
based on my own branching of the official package in an attempt to build the contrib 'allop' overlay, which I need for a project I'm working on.
It would be nice if those contrib modules could also be included in a separate package.
It's already there. ;-)
https://build.opensuse.org/package/show/home:stroeder:branches:network:ldap/...
rpm -qi openldap2-contrib
Name        : openldap2-contrib
Version     : 2.4.42
Release     : 226.1
Architecture: x86_64
Install Date: Sat Sep 12 16:59:52 2015
Group       : Productivity/Networking/LDAP/Servers
Size        : 174963
License     : OLDAP-2.8
Signature   : DSA/SHA1, Sat Sep 12 16:43:53 2015, Key ID 99fe5b2a85302c87
Source RPM  : openldap2-2.4.42-226.1.src.rpm
Build Date  : Sat Sep 12 16:43:34 2015
Build Host  : build83
Relocations : (not relocatable)
Vendor      : obs://build.opensuse.org/home:stroeder
URL         : http://www.openldap.org
Summary     : OpenLDAP Contrib Modules
Description :
Various overlays found in contrib/:
allop
allowed     Generates attributes indicating access rights
autogroup
cloak
denyop
lastbind    writes last bind timestamp to entry
noopsrch    handles no-op search control
nops
pw-sha2     generates/validates SHA-2 password hashes
pw-pbkdf2   generates/validates PBKDF2 password hashes
smbk5pwd    generates Samba3 password hashes (heimdal krb disabled)
Distribution: home:stroeder:branches:network:ldap / openSUSE_Tumbleweed
Ciao, Michael.
Hi Peter,
what are the reasons against the approach suggested by Michael?
If you're not on the opensuse-factory list you're able to check the full thread at http://lists.opensuse.org/opensuse-factory/2015-09/msg00351.html
I know from conversations with Ralf in the past that we intended to have the older tools available to dump the database _after_ the update of the operating system was performed. IIRC the main argument was the time needed for the dump. Therefore the hack with the 2.3 based tools. I'm not sure if that is really obsolete. We must keep this in mind while there might be other ways to address this.
On Sun, Sep 13, 2015 at 11:26:01AM +0200, Michael Ströder wrote:
Jim Henderson wrote:
I would love to see a more recent openldap package myself - I wonder if you saw the post I made on the build service ML.
The original package can be updated pretty easily. But adding more feature packages is a hell to maintain.
It looks like the official package, while versioned 2.4.39 is actually 2.3.37 (but -V actually reports 2.4.39),
Not true. It is 2.4.39. Read the openldap2.spec file more carefully:
It builds 2.3.43 tools etc. for automagic migration. But 2.3.x was set to ancient status years ago by the OpenLDAP project. Also I consider such an in-place migration to be pretty error-prone.
@Michael: So how do you intend to address the migration instead?
+ the 437293 ppc64 obsoletes stuff got obsoleted. We had this in the past in the Samba spec too. bsc#437293 and this is one of the bugs which has valuable background information while the access is limited. I've added a note and requested to make it public.
+ there are some dangling spaces in the spec ;)
=> So there's no point to maintain this 2.3.x cruft (except compat libldap 2.3.x for legacy binary software).
Peter?
I put quite some effort into my variant of the package. But I'm not willing to manage the old bloat.
I expect we're able to find a way to cover both requirements.
Cheers, Lars
--
Lars Müller [ˈlaː(r)z ˈmʏlɐ]
Samba Team + SUSE Labs
SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
Lars Müller wrote:
what are the reasons against the approach suggested by Michael?
If you're not on the opensuse-factory list you're able to check the full thread at http://lists.opensuse.org/opensuse-factory/2015-09/msg00351.html
I know from conversations with Ralf in the past that we intended to have the older tools available to dump the database _after_ the update of the operating system was performed. IIRC the main argument was the time needed for the dump. Therefore the hack with the 2.3 based tools. I'm not sure if that is really obsolete. We must keep this in mind while there might be other ways to address this.
[..]
@Michael: So how do you intend to address the migration instead?
OpenLDAP 2.3 was set to status historic years ago. And everybody still running any SuSE version with OpenLDAP 2.3 will likely not be able to do an *in-place* upgrade to a recent version.
Personally I distrust such automagic in-place migrations anyway. That's not what I would recommend to any of my customers running even a minor critical OpenLDAP deployment.
One example: ACL processing changed from 2.3 to 2.4 so one has to adjust/test the configuration for such an upgrade anyway. Also today you should also migrate from back-bdb or back-hdb to back-mdb since the former got obsoleted now by the OpenLDAP project.
I'm rather against automagic if you cannot make 100% sure that it works.
Ciao, Michael.
Hi Michael,
On Sun, Sep 13, 2015 at 11:26:01AM +0200, Michael Ströder wrote:
Jim Henderson wrote:
I would love to see a more recent openldap package myself - I wonder if you saw the post I made on the build service ML.
The original package can be updated pretty easily. But adding more feature packages is a hell to maintain.
It looks like the official package, while versioned 2.4.39 is actually 2.3.37 (but -V actually reports 2.4.39),
Not true. It is 2.4.39. Read the openldap2.spec file more carefully:
It builds 2.3.43 tools etc. for automagic migration. But 2.3.x was set to ancient status years ago by the OpenLDAP project.
True. The 2.3.X based builds of the slapcat tool were included for migrating from SLE10 to SLE11 (which already contained a 2.4 release). So I am not quite sure why that is still there. IMO it would be ok to remove that part from the packages now. (Note, I might be missing something as I am not currently actively working on the packages)
Also I consider such an in-place migration to be pretty error-prone.
To my knowledge it worked quite ok for the SLE10 to 11 upgrade. But I agree to some extent with you. Though having that semiautomatic migration was a specific requirement for SLE11 back then.
=> So there's no point to maintain this 2.3.x cruft (except compat libldap 2.3.x for legacy binary software).
Yeah. The compat libldap is a bit different. That probably has to stay in some way (at least for SLE).
I put quite some effort into my variant of the package. But I'm not willing to manage the old bloat.
based on my own branching of the official package in an attempt to build the contrib 'allop' overlay, which I need for a project I'm working on.
It would be nice if those contrib modules could also be included in a separate package.
It's already there. ;-)
https://build.opensuse.org/package/show/home:stroeder:branches:network:ldap/...
rpm -qi openldap2-contrib [..]
Description :
Various overlays found in contrib/:
allop
allowed     Generates attributes indicating access rights
autogroup
cloak
denyop
lastbind    writes last bind timestamp to entry
noopsrch    handles no-op search control
nops
pw-sha2     generates/validates SHA-2 password hashes
pw-pbkdf2   generates/validates PBKDF2 password hashes
smbk5pwd    generates Samba3 password hashes (heimdal krb disabled)
Nice!
regards, Ralf
Hello Ralf, Ralf Haferkamp wrote:
True. The 2.3.X based builds of the slapcat tool were included for migrating from SLE10 to SLE11 (which already contained a 2.4 release). So I am not quite sure why that is still there. IMO it would be ok to remove that part from the packages now. (Note, I might be missing something as I am not currently actively working on the packages)
Though having that semiautomatic migration was a specific requirement for SLE11 back then.
Note that even the upstream package disabled SLE_11 builds and it does not work IIRC because of missing krb5-mini:
https://build.opensuse.org/package/show/network:ldap/openldap2
In my package the builds for SLE_12 seem to work. But I can't test them since I don't have a SLE_12 machine.
=> So there's no point to maintain this 2.3.x cruft (except compat libldap 2.3.x for legacy binary software).
Yeah. The compat libldap is a bit different. That probably has to stay in some way (at least for SLE).
But who is going to maintain that? Likely not me because I can't test at all.
So how to proceed from here? Could someone please start a new compat-libldap-2.3 package herein?
https://build.opensuse.org/project/show/home:stroeder:branches:network:ldap
Ciao, Michael.
Hi Michael, On Tue, Sep 15, 2015 at 08:21:35AM +0200, Michael Ströder wrote:
Hello Ralf,
Ralf Haferkamp wrote:
True. The 2.3.X based builds of the slapcat tool were included for migrating from SLE10 to SLE11 (which already contained a 2.4 release). So I am not quite sure why that is still there. IMO it would be ok to remove that part from the packages now. (Note, I might be missing something as I am not currently actively working on the packages)
Though having that semiautomatic migration was a specific requirement for SLE11 back then.
Note that even the upstream package disabled SLE_11 builds and it does not work IIRC because of missing krb5-mini:
https://build.opensuse.org/package/show/network:ldap/openldap2
In my package the builds for SLE_12 seem to work. But I can't test them since I don't have a SLE_12 machine.
=> So there's no point to maintain this 2.3.x cruft (except compat libldap 2.3.x for legacy binary software).
Yeah. The compat libldap is a bit different. That probably has to stay in some way (at least for SLE).
But who is going to maintain that? Likely not me because I can't test at all.
So how to proceed from here? Could someone please start a new compat-libldap-2.3 package herein?
https://build.opensuse.org/project/show/home:stroeder:branches:network:ldap
Yeah, that might be one solution. But I'd like to get Peter's or Howard's input on this. I put them on CC in case they are not subscribed here. I am not even sure if the compat libraries are still needed for SLE12. After all it's now almost 8 years after the 2.4 branch saw its first "stable" release.
--
regards, Ralf
Ralf Haferkamp wrote:
On Tue, Sep 15, 2015 at 08:21:35AM +0200, Michael Ströder wrote:
Hello Ralf,
Ralf Haferkamp wrote:
True. The 2.3.X based builds of the slapcat tool were included for migrating from SLE10 to SLE11 (which already contained a 2.4 release). So I am not quite sure why that is still there. IMO it would be ok to remove that part from the packages now. (Note, I might be missing something as I am not currently actively working on the packages)
Though having that semiautomatic migration was a specific requirement for SLE11 back then.
Note that even the upstream package disabled SLE_11 builds and it does not work IIRC because of missing krb5-mini:
https://build.opensuse.org/package/show/network:ldap/openldap2
In my package the builds for SLE_12 seem to work. But I can't test them since I don't have a SLE_12 machine.
=> So there's no point to maintain this 2.3.x cruft (except compat libldap 2.3.x for legacy binary software).
Yeah. The compat libldap is a bit different. That probably has to stay in some way (at least for SLE).
But who is going to maintain that? Likely not me because I can't test at all.
So how to proceed from here? Could someone please start a new compat-libldap-2.3 package herein?
Yeah, that might be one solution. But I'd like to get Peter's or Howard's input on this. I put them on CC in case they are not subscribed here. I am not even sure if the compat libraries are still needed for SLE12. After all it's now almost 8 years after the 2.4 branch saw its first "stable" release.
ping...
@Peter and Howard: When could this be decided? Which information do you need?
Ciao, Michael.
Hello All.
Sorry for a delayed response.
I just spoke with Peter and Peter reaffirms that the 2.3.x openldap client libraries are indeed in-use, but only by SAP products as far as we know.
Due to the super-long life cycle of SAP products, the 2.3.x library cannot yet be removed from openSUSE. But it would be a great idea to totally split 2.3.x source code from openldap2 package.
How do you like this idea?
Kind regards, Howard
On Sun, 20 Sep 2015, Michael Ströder wrote:
Ralf Haferkamp wrote:
On Tue, Sep 15, 2015 at 08:21:35AM +0200, Michael Ströder wrote:
Hello Ralf,
Ralf Haferkamp wrote:
True. The 2.3.X based builds of the slapcat tool were included for migrating from SLE10 to SLE11 (which already contained a 2.4 release). So I am not quite sure why that is still there. IMO it would be ok to remove that part from the packages now. (Note, I might be missing something as I am not currently actively working on the packages)
Though having that semiautomatic migration was a specific requirement for SLE11 back then.
Note that even the upstream package disabled SLE_11 builds and it does not work IIRC because of missing krb5-mini:
https://build.opensuse.org/package/show/network:ldap/openldap2
In my package the builds for SLE_12 seem to work. But I can't test them since I don't have a SLE_12 machine.
=> So there's no point to maintain this 2.3.x cruft (except compat libldap 2.3.x for legacy binary software).
Yeah. The compat libldap is a bit different. That probably has to stay in some way (at least for SLE).
But who is going to maintain that? Likely not me because I can't test at all.
So how to proceed from here? Could someone please start a new compat-libldap-2.3 package herein?
Yeah, that might be one solution. But I'd like to get Peter's or Howard's input on this. I put them on CC in case they are not subscribed here. I am not even sure if the compat libraries are still needed for SLE12. After all it's now almost 8 years after the 2.4 branch saw its first "stable" release.
ping...
@Peter and Howard: When could this be decided? Which information do you need?
Ciao, Michael.
Howard Guo [01.10.2015 12:53]:
Hello All.
Sorry for a delayed response.
I just spoke with Peter and Peter reaffirms that the 2.3.x openldap client libraries are indeed in-use, but only by SAP products as far as we know.
Due to the super-long life cycle of SAP products, the 2.3.x library cannot yet be removed from openSUSE. But it would be a great idea to totally split 2.3.x source code from openldap2 package.
How do you like this idea?
Kind regards, Howard
Howard,
sorry, but who uses openSUSE to host a SAP system? My 13 SAP systems all use a SLES as base. It is stable, and of course I have a support contract for my productive systems and the others are covered with this contract as well.
Isn't it possible to create a package like openldap{_client,}_legacy as an optional package for those who need it?
Just my 2 ¢
Werner
--
Hello Werner.
It is a very good argument, in fact apart from SAP I do not know of any software that still depends on the ancient 2.3 library.
I think there has been a recommendation to use openSUSE code as much as possible in SLES product. Since the 2.3 ldap library is not used much, there shouldn't be much effort required to keep it in openSUSE.
Kind regards, Howard
On Thu, 1 Oct 2015, Werner Flamme wrote:
Howard Guo [01.10.2015 12:53]:
Hello All.
Sorry for a delayed response.
I just spoke with Peter and Peter reaffirms that the 2.3.x openldap client libraries are indeed in-use, but only by SAP products as far as we know.
Due to the super-long life cycle of SAP products, the 2.3.x library cannot yet be removed from openSUSE. But it would be a great idea to totally split 2.3.x source code from openldap2 package.
How do you like this idea?
Kind regards, Howard
Howard,
sorry, but who uses openSUSE to host a SAP system? My 13 SAP systems all use a SLES as base. It is stable, and of course I have a support contract for my productive systems and the others are covered with this contract as well.
Isn't it possible to create a package like openldap{_client,}_legacy as an optional package for those who need it?
Just my 2 ¢ Werner
--
Howard Guo wrote:
It is a very good argument, in fact apart from SAP I do not know of any software that still depends on the ancient 2.3 library.
I think there has been a recommendation to use openSUSE code as much as possible in SLES product. Since the 2.3 ldap library is not used much, there shouldn't be much effort required to keep it in openSUSE.
It depends. There are also lots of compat packages in openSUSE.
Who is going to prepare the OpenLDAP 2.3 compat package?
Ciao, Michael.
Hello Michael.
If you have some spare cycles, would you like to take the task?
Don't worry otherwise I'll do it sometime next week.
Kind regards, Howard
On Thu, 1 Oct 2015, Michael Ströder wrote:
Howard Guo wrote:
It is a very good argument, in fact apart from SAP I do not know of any software that still depends on the ancient 2.3 library.
I think there has been a recommendation to use openSUSE code as much as possible in SLES product. Since the 2.3 ldap library is not used much, there shouldn't be much effort required to keep it in openSUSE.
It depends. There are also lots of compat packages in openSUSE.
Who is going to prepare the OpenLDAP 2.3 compat package?
Ciao, Michael.
Howard Guo wrote:
If you have some spare cycles, would you like to take the task?
Sorry, I have no spare cycles. And especially I don't have a system to test OpenLDAP 2.3 libs.
Don't worry otherwise I'll do it sometime next week.
I could do some work if you at least prepare the new 2.3 package besides the OpenLDAP package.
Ciao, Michael.
Hello Michael, Werner, and all.
The split of 2.3 source code from openldap package is done, please double check: https://build.opensuse.org/project/show/home:guohouzuo:newdap
If everything looks good, I will push it to factory.
Have a nice weekend!
Kind Regards, Howard
On Thu, 1 Oct 2015, Michael Ströder wrote:
Howard Guo wrote:
It is a very good argument, in fact apart from SAP I do not know of any software that still depends on the ancient 2.3 library.
I think there has been a recommendation to use openSUSE code as much as possible in SLES product. Since the 2.3 ldap library is not used much, there shouldn't be much effort required to keep it in openSUSE.
It depends. There are also lots of compat packages in openSUSE.
Who is going to prepare the OpenLDAP 2.3 compat package?
Ciao, Michael.
Howard Guo wrote:
The split of 2.3 source code from openldap package is done, please double check: https://build.opensuse.org/project/show/home:guohouzuo:newdap
If everything looks good, I will push it to factory.
I've reworked my stuff to be based on current network:ldap / openldap2 and submitted it:
https://build.opensuse.org/request/show/339745
As discussed a bunch of changes hopefully completely documented in file openldap2.changes.
Please review and test with great care! Some modifications reflect my personal preferences building OpenLDAP but might have to be discussed in detail.
Ciao, Michael.
Howard Guo wrote:
Sorry for a delayed response.
I just spoke with Peter and Peter reaffirms that the 2.3.x openldap client libraries are indeed in-use, but only by SAP products as far as we know.
Due to the super-long life cycle of SAP products, the 2.3.x library cannot yet be removed from openSUSE. But it would be a great idea to totally split 2.3.x source code from openldap2 package.
How do you like this idea?
This was my initial suggestion. So I like this idea. ;-)
Ciao, Michael.
On Sun, 13 Sep 2015 11:26:01 +0200, Michael Ströder wrote:
Jim Henderson wrote:
I would love to see a more recent openldap package myself - I wonder if you saw the post I made on the build service ML.
The original package can be updated pretty easily. But adding more feature packages is a hell to maintain.
It looks like the official package, while versioned 2.4.39 is actually 2.3.37 (but -V actually reports 2.4.39),
Not true. It is 2.4.39. Read the openldap2.spec file more carefully:
It builds 2.3.43 tools etc. for automagic migration. But 2.3.x was set to ancient status years ago by the OpenLDAP project. Also I consider such an in-place migration to be pretty error-prone.
=> So there's no point to maintain this 2.3.x cruft (except compat libldap 2.3.x for legacy binary software).
Ah, that makes sense. I had just tried adding the make command to build the allop module, and must've added it to the wrong place.
It would be nice if those contrib modules could also be included in a separate package.
It's already there. ;-)
Cool. :)
Jim
--
Jim Henderson
Please keep on-topic replies on the list so everyone benefits
participants (6): Howard Guo, Jim Henderson, Lars Müller, Michael Ströder, Ralf Haferkamp, Werner Flamme