Bug#512360: RFH: openldap -- OpenLDAP server, libraries, and utilities

Ryan Tandy ryan at nardis.ca
Sat Dec 5 20:36:00 GMT 2020 

I'm still looking for help with the OpenLDAP packages. I'm not an 
OpenLDAP user any more, and I would like to eventually hand off the 
package to a new maintainer.

The current 2.4 package is in OK shape. It's up-to-date in unstable and 
backports, and I'm able to handle the low volume of security updates and 
bug reports. I'm also responding to Debian-specific issues on the 
upstream support channels (lists/bugs/IRC). The status quo will probably 
be fine for bullseye; however, I'm not making much progress on 
developing or improving the package.

Here are some of the major projects that I would appreciate help with:

* Updating to OpenLDAP 2.5.

  The first 2.5 alpha has been released already. I hope the final 
  release will happen in time that we can transition to it for bookworm. 
  This will include a SONAME transition, which should be mostly painless 
  as the library API has not changed much.

  The bulk of the work will be to support slapd upgrades. The biggest 
  change is that the Berkeley DB backends (BDB and HDB) have been 
  removed. These were the default for Debian installations for a long 
  time and I know not all users have migrated to LMDB yet. We should 
  provide an automated migration from BDB/HDB to LMDB, as was done for 
  LDBM previously. There are also some old bugs in the maintainer 
  scripts for upgrading databases, which still need to be addressed.

  Upstream still supports both slapd.conf and cn=config configuration 
  (though slapd.conf is considered deprecated), so any upgrade path has 
  to support both.

* Overhauling the debian/copyright file.

  The copyright file is old and not in DEP5 format yet. We basically 
  need to do a full copyright review of the upstream source in order to 
  write a complete and correct DEP5 copyright file, and then commit to 
  maintaining it going forward.

  I don't know at all what the license of debian/* is supposed to be. We 
  might have to do some legwork of contacting previous maintainers and 
  trying to obtain copyright statements from them.

* Replacing the slapd init script with a systemd service.

  This is a smaller project, but still not as trivial as it sounds. The 
  init script supports a number of configuration variables, and it also 
  picks up some information dynamically from the slapd configuration. 
  This probably requires extracting some of the init script code to a 
  wrapper script for executing slapd with appropriate arguments.

  Supporting both slapd.conf and cn=config adds complexity here as well.

* Working with upstream on GnuTLS support.

  Upstream still supports GnuTLS, but reluctantly. They expect the 
  Debian maintainer to be actively involved with triaging and fixing 
  GnuTLS issues upstream.

  The autoca overlay is new in 2.5 and only supports OpenSSL right now. 
  Upstream are not likely to work on GnuTLS support; if we want to 
  include it in Debian, we probably have to add GnuTLS support 
  ourselves.

* Evaluating a possible switch back to OpenSSL.

  Upstream would prefer to drop the GnuTLS support, and have asked me to 
  investigate what issues on the Debian side are blocking it.

  I don't fully understand Debian's current position on OpenSSL 
  licensing and hope ftp-master will provide a more detailed statement 
  soon. This might require auditing the reverse-depends of libldap in 
  Debian and checking whether there is still GPL- or GPL2-only code 
  linking with libldap; I'm not sure.

  In any case, a switch to OpenSSL is likely to be a disruptive event 
  for all users (for example, the TLS cipher suite configuration is 
  completely incompatible) and must be approached with caution.

  If there are no blockers on the Debian side, dropping GnuTLS support 
  upstream could happen as soon as OpenLDAP 2.6.

* Working with Ubuntu to reduce their delta.

  The Ubuntu maintainers would like to reduce the delta in their 
  package. There are some changes that can be dropped during the 
  transition to 2.5 (such as the legacy GSSAPI support). There are also 
  some pieces that could be adopted in Debian (such as the apparmor and 
  ufw profiles), if we can determine the license and copyright for them.


I'm happy to provide mentoring or reviews, and to sponsor uploads, for 
anyone who would like to work on the package. If you have an interest in 
the future of OpenLDAP in Debian, please get in touch!

More information about the Pkg-openldap-devel mailing list