Bug#1109791: libldap-dev: The openldap library aborts with an assert on an error
John Scott
jscott at posteo.net
Thu Jul 24 15:16:56 BST 2025
Hi Daniel!
Thanks for your report. I take an interest in OpenLDAP's Debian package and did some research, mainly for the sake of the more regular maintainers and helpers.
> The fact that openldap aborts on an assert implies that the Debian build is a debug one and not a release build, which seems wrong.
> The error is thus that Debian ships a debug build of OpenLDAP that gets used in production by curl (and others).
Yes, this does look weird. The Debian package specifies arguments to the configure script at https://salsa.debian.org/openldap-team/openldap/-/blob/master/debian/configure.options#L67 and there we do pass --enable-debug explicitly. This is just a coincidence and it's not actually the culprit though, because --enable-debug is OpenLDAP upstream's default, even in their release tarballs. At https://salsa.debian.org/openldap-team/openldap/-/blob/master/configure.ac#L230 the option is defined and at line 2507 the parameter is used. It appears the only scenario where the assertions aren't built in is when --disable-debug or --enable-debug=no are explicitly passed.
To confirm, I removed --enable-debug from Debian's invocation of configure and noticed in the build tree that the generated include/portable.h header still defines LDAP_DEBUG as 1.
It appears that Debian uses the official release tarballs at https://openldap.org/software/download/OpenLDAP/openldap-release/ in making its packages (after discarding some contents and repacking it due mainly to licensing issues around documentation), and Debian's pristine-tar branch hints this was adhered to.
> A library should not abort in production and the OpenLDAP library does not do that in release builds.
With all due respect, I wonder if you drew this conclusion hastily and I'm not sure it's accurate. Upstream's build/version.sh prints
OL_TYPE=Release
OL_STRING="OpenLDAP 2.6.10-Release"
although this only examines the source tree and doesn't depend on build configuration. It's not obvious that there is an option besides an explicit --disable-debug that would accomplish just that.
In conclusion, it looks like upstream's default is to build assertions in and it's not obvious if downstream distributors are supposed to pass --disable-debug explicitly. Maybe advice is somewhere in their documentation, but otherwise I don't see any equivalent to, say, GCC's --enable-checking=release for example. Checking in with upstream to ensure this default is an intentional one would be a next step. In the meantime this doesn't look like an egregious misconfiguration and I expect other downstreams leave this default alone.
> The assert is probably an error too (but beside the point for this issue) and I have reported it upstream to OpenLDAP here:
> https://bugs.openldap.org/show_bug.cgi?id=10370
That was fixed quickly! Thanks for reporting to them as well.
> Kernel: Linux 6.12.27-amd64 (SMP w/24 CPU threads; PREEMPT)
P.S. Is this your new Framework by chance? I hope your install went well 🙂