[Pkg-openldap-devel] Bug#412706: Bug#412706: Debian-only bug?

Russ Allbery rra at debian.org
Wed Aug 29 18:05:00 UTC 2007


Bas van Schaik <bas at tuxes.nl> writes:

> Upstream marks this bug as "Debian only" with a reasonable explanation:
>> Problems with SSL on Debian are well known, and it is due to the fact
>> that they long ago patched OpenLDAP 2.1 to compile against GnuTLS
>> (note, I don't say *work*, just compile).

It does work in some cases, but yes, it doesn't work well.

>> When you use their 2.2 and 2.3 packages, and their libraries get
>> loaded into the same user space as the 2.1 libraries (which are always
>> installed), then SSL/TLS stop working. There is *nothing* the OpenLDAP
>> folks can do about this.
> (http://www.openldap.org/lists/openldap-software/200702/msg00407.html)

> The Debian readme file also talks about TLS:
>> This version of the OpenLDAP server and its library is compiled with the
>> OpenSSL library as supported by the upstream sources. Other packages
>> are not allowed to link against this version of OpenLDAP (or rather
>> its library) but this way we have a working OpenLDAP server.
>>
>> Client packages will have to continue using the old libldap2 package
>> for ldap access as that version is linked against GNUTLS to allow
>> for example dynamic linking into Samba. We are working on updating that
>> GNUTLS patch for OpenLDAP 2.2 and getting it into the upstream package.

Which has now been done, although it took more time and resources than
expected.

>> When that is accomplished the old libldap2 packages will disappear
>> and OpenLDAP 2.2 will be used together with GNUTLS in Debian.
> Those explanations seem to conflict, don't they?

No... what are you seeing that conflicts?

slapd ships with current libraries built against OpenSSL, so if you can
avoid loading the LDAP client libraries in Debian into the same namespace,
the server TLS support will work.  The *client* TLS support in Debian has
various problems and instabilities, plus the client LDAP libraries are
ancient and suffer from all of the bugs fixed since.

> Until this bug is fixed it's impossible to use client certificates under
> Debian, quite an important bug. Can someone provide an indication of when
> it will be fixed?

When upstream releases OpenLDAP 2.4, which has real GnuTLS support.

Once upstream releases OpenLDAP 2.4.5, we should probably consider
packaging it for unstable and starting to test, although I expect a lot of
stuff to break.  2.4.5 will still only be a beta.  But a beta that unifies
the libraries at least has the potential to be more stable than the
current state, and hopefully we can then help accelerate the 2.4.x
development cycle with more testing so that lenny can release with a
stable 2.4 package.

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>
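A practical check for the failure mode Russ describes above: the OpenSSL-linked libraries that slapd uses and the GnuTLS-patched 2.1 client libraries ending up in the same process, after which SSL/TLS stops working. The script below is an added example, not part of the original message or of the Debian packaging. It is a POSIX shell diagnostic that classifies an ldd-style library list (or the libraries mapped by a running process, read from /proc/PID/maps) by TLS backend and lists which libldap generations are present. The sample ldd output is constructed for illustration, and the soname version suffixes in it are assumptions, not facts about any particular Debian release.

```shell
#!/bin/sh
# Added example (not from the original mail or the Debian packages):
# detect whether one process image pulls in both TLS backends, which is
# the "same namespace" situation the mail describes as breaking TLS.

# classify_tls_backends TEXT
#   TEXT is ldd-style output, one shared object per line ("name => path").
#   Prints one of: none, openssl, gnutls, mixed.
classify_tls_backends() {
    # grep -c exits 1 on zero matches; "|| true" keeps set -e callers alive.
    _ssl=$(printf '%s\n' "$1" \
        | grep -c -E '^[[:space:]]*(libssl|libcrypto)\.so' || true)
    _gtls=$(printf '%s\n' "$1" \
        | grep -c -E '^[[:space:]]*libgnutls\.so' || true)
    if [ "$_ssl" -gt 0 ] && [ "$_gtls" -gt 0 ]; then
        echo mixed
    elif [ "$_ssl" -gt 0 ]; then
        echo openssl
    elif [ "$_gtls" -gt 0 ]; then
        echo gnutls
    else
        echo none
    fi
}

# ldap_client_libs TEXT
#   Lists the distinct libldap sonames present, so the report can show
#   which LDAP library generation dragged in which backend.
ldap_client_libs() {
    printf '%s\n' "$1" \
        | grep -o -E 'libldap(_r)?-[0-9.]+\.so[.0-9]*' \
        | sort -u || true
}

# mapped_libs PID
#   Basenames of every file mapped into a running process, in the same
#   one-per-line shape the classifier expects.
mapped_libs() {
    awk 'NF >= 6 { print $6 }' "/proc/$1/maps" | sort -u | sed 's#.*/##'
}

# report TEXT: human-readable verdict for one library list.
report() {
    _verdict=$(classify_tls_backends "$1")
    echo "TLS backends loaded: $_verdict"
    echo "LDAP client libraries:"
    ldap_client_libs "$1" | sed 's/^/  /'
    case "$_verdict" in
        mixed) echo "WARNING: OpenSSL and GnuTLS in one process; expect TLS to fail." ;;
    esac
}

# Constructed sample (assumed sonames): a client that links the
# OpenSSL-built 2.3 libraries while the GnuTLS-patched 2.1 ones are also
# loaded into the same process.
SAMPLE_MIXED='    libldap_r-2.1.so.0 => /usr/lib/libldap_r-2.1.so.0 (0x00001000)
    libgnutls.so.13 => /usr/lib/libgnutls.so.13 (0x00002000)
    libldap-2.3.so.0 => /usr/lib/libldap-2.3.so.0 (0x00003000)
    libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0x00004000)
    libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0x00005000)
    libc.so.6 => /lib/libc.so.6 (0x00006000)'

# Constructed sample (assumed sonames): slapd on its own, OpenSSL only.
SAMPLE_SERVER='    libldap_r-2.3.so.0 => /usr/lib/libldap_r-2.3.so.0 (0x00001000)
    libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0x00004000)
    libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0x00005000)
    libc.so.6 => /lib/libc.so.6 (0x00006000)'

# With no argument, run the constructed samples. Otherwise the argument is
# a PID (inspect the live process) or a path (inspect a binary with ldd).
if [ $# -eq 0 ]; then
    report "$SAMPLE_MIXED"
    echo
    report "$SAMPLE_SERVER"
elif [ -r "/proc/$1/maps" ]; then
    report "$(mapped_libs "$1")"
else
    report "$(ldd "$1")"
fi
```

Checking a live process rather than a binary is the point of the /proc route: the mix happens at load time, so an application that is itself linked only against libldap2 can still end up with OpenSSL in its address space once a plugin or a second library pulls in the 2.3 libraries.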