From praveen at debian.org Wed Feb 18 23:13:25 2026 From: praveen at debian.org (Pirate Praveen) Date: Thu, 19 Feb 2026 04:43:25 +0530 Subject: Bug#1128375: slapd upgrade to trixie breaks due to incompatible cipher names Message-ID: <177145640518.1159012.2972688301281253570.reportbug@mahishi2> Package: slapd Version: 2.6.10+dfsg-1 Severity: important X-Debbugs-Cc: praveen at debian.org Dear Maintainer, * What led up to the situation? Upgrading (apt dist-upgrade) to trixie from bookworm * What exactly did you do (or not do) that was effective (or ineffective)? New version of slapd switched SSL backend to OpenSSL from GNUtls as documented in libldap2 NEWS file. * What was the outcome of this action? But how to actually update the values in a way that will fix the issue is not documented. * What outcome did you expect instead? The exact steps to have a successful upgrade should be documented. Here is the error in log, main: TLS init def ctx failed: -1 error:0A0000B9:SSL routines::no cipher match In bookworm the value that works is, olcTLSCipherSuite: NORMAL But it will not work in trixie. Removing this entry did not fix the issue. # cat delete-ciphers.ldif dn: cn=config changetype: modify delete: olcTLSCipherSuite olcTLSCipherSuite: NORMAL ldapmodify -Y EXTERNAL -H ldapi:/// -f ./delete-ciphers.ldif This just removes the error message, but slapd does not start after the upgrade. 2026-02-18T11:14:57.877705-08:00 comms-staging slapd[15509]: @(#) $OpenLDAP: slapd 2.6.10+dfsg-1 (May 29 2025 23:41:48) $#012#011Debian OpenLDAP Maintainers 2026-02-18T11:14:57.937406-08:00 comms-staging slapd[15510]: slapd starting 2026-02-18T11:14:57.938339-08:00 comms-staging slapd[15510]: daemon: shutdown requested and initiated. 2026-02-18T11:14:57.938506-08:00 comms-staging slapd[15510]: slapd shutdown: waiting for 0 operations/tasks to finish 2026-02-18T11:14:57.939951-08:00 comms-staging slapd[15510]: slapd stopped. publicai.co suggested some values like but none of the suggested values works with gnutls ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 # cat OpenSSL.ldif dn: cn=config changetype: modify delete: olcTLSCipherSuite olcTLSCipherSuite: NORMAL - add: olcTLSCipherSuite olcTLSCipherSuite: DHE-RSA-AES256-GCM-SHA384 # ldapmodify -Y EXTERNAL -H ldapi:/// -f ./OpenSSL.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "cn=config" ldap_modify: Other (e.g., implementation specific) error (80) -- System Information: Debian Release: forky/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 6.16.8+deb14-amd64 (SMP w/8 CPU threads; PREEMPT) Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages slapd depends on: ii adduser 3.153 ii debconf [debconf-2.0] 1.5.91 ii init-system-helpers 1.69 ii libargon2-1 0~20190702+dfsg-5 ii libc6 2.42-11 ii libcrypt1 1:4.4.38-1 ii libldap2 2.6.10+dfsg-1 ii libltdl7 2.5.4-5 pn libodbc2 ii libperl5.40 5.40.1-6 ii libsasl2-2 2.1.28+dfsg1-9 ii libwrap0 7.6.q-36 ii psmisc 23.7-2 Versions of packages slapd recommends: pn ldap-utils Versions of packages slapd suggests: ii libsasl2-modules 2.1.28+dfsg1-9 pn libsasl2-modules-gssapi-mit | libsasl2-modules-gssapi-heimd al From ondra at mistotebe.net Thu Feb 19 10:00:55 2026 From: ondra at mistotebe.net (=?utf-8?B?T25kxZllaiBLdXpuw61r?=) Date: Thu, 19 Feb 2026 11:00:55 +0100 Subject: Bug#1128375: slapd upgrade to trixie breaks due to incompatible cipher names In-Reply-To: <177145640518.1159012.2972688301281253570.reportbug@mahishi2> References: <177145640518.1159012.2972688301281253570.reportbug@mahishi2> <177145640518.1159012.2972688301281253570.reportbug@mahishi2> Message-ID: On Thu, Feb 19, 2026 at 04:43:25AM +0530, Pirate Praveen wrote: > New version of slapd switched SSL backend to OpenSSL from GNUtls as documented > in libldap2 NEWS file. > > But how to actually update the values in a way that will fix the issue is not > documented. > > * What outcome did you expect instead? > > The exact steps to have a successful upgrade should be documented. > > Here is the error in log, > > main: TLS init def ctx failed: -1 error:0A0000B9:SSL routines::no cipher match > > In bookworm the value that works is, > > olcTLSCipherSuite: NORMAL > > But it will not work in trixie. Removing this entry did not fix the issue. > > # cat delete-ciphers.ldif > dn: cn=config > changetype: modify > delete: olcTLSCipherSuite > olcTLSCipherSuite: NORMAL > > ldapmodify -Y EXTERNAL -H ldapi:/// -f ./delete-ciphers.ldif > > This just removes the error message, but slapd does not start after the > upgrade. > > 2026-02-18T11:14:57.877705-08:00 comms-staging slapd[15509]: @(#) $OpenLDAP: > slapd 2.6.10+dfsg-1 (May 29 2025 23:41:48) $#012#011Debian OpenLDAP Maintainers > > 2026-02-18T11:14:57.937406-08:00 comms-staging slapd[15510]: slapd starting > 2026-02-18T11:14:57.938339-08:00 comms-staging slapd[15510]: daemon: shutdown > requested and initiated. > 2026-02-18T11:14:57.938506-08:00 comms-staging slapd[15510]: slapd shutdown: > waiting for 0 operations/tasks to finish > 2026-02-18T11:14:57.939951-08:00 comms-staging slapd[15510]: slapd stopped. Good morning, like you said, can't see any errors here, however some library messages are not sent to syslog so you might get more details about the error from stderr. You should probably run slaptest with the appropriate debug flags enabled (`-d flag,flag,...`, should probably include at least `config`) to check that it's happy with the rest of the configuration and see whether anything else comes up. Other than that, yes, you can generally remove the attribute before upgrade and either leave it to whatever OpenSSL considers default or add whatever is appropriate for your environment after you've switched. Same with any other attributes you might come across this way. Regards, -- Ond?ej Kuzn?k Senior Software Engineer Symas Corporation http://www.symas.com Packaged, certified, and supported LDAP solutions powered by OpenLDAP From praveen at debian.org Thu Feb 19 12:29:55 2026 From: praveen at debian.org (Pirate Praveen) Date: Thu, 19 Feb 2026 17:59:55 +0530 Subject: Bug#1128375: slapd upgrade to trixie breaks due to incompatible cipher names In-Reply-To: References: <177145640518.1159012.2972688301281253570.reportbug@mahishi2> <177145640518.1159012.2972688301281253570.reportbug@mahishi2> Message-ID: <85f9a42e-dab2-4bae-85a9-8705bf237239@debian.org> On 2/19/26 3:30 PM, Ond?ej Kuzn?k wrote: > On Thu, Feb 19, 2026 at 04:43:25AM +0530, Pirate Praveen wrote: >> New version of slapd switched SSL backend to OpenSSL from GNUtls as documented >> in libldap2 NEWS file. >> >> But how to actually update the values in a way that will fix the issue is not >> documented. >> >> * What outcome did you expect instead? >> >> The exact steps to have a successful upgrade should be documented. >> >> Here is the error in log, >> >> main: TLS init def ctx failed: -1 error:0A0000B9:SSL routines::no cipher match >> >> In bookworm the value that works is, >> >> olcTLSCipherSuite: NORMAL >> >> But it will not work in trixie. Removing this entry did not fix the issue. >> >> # cat delete-ciphers.ldif >> dn: cn=config >> changetype: modify >> delete: olcTLSCipherSuite >> olcTLSCipherSuite: NORMAL >> >> ldapmodify -Y EXTERNAL -H ldapi:/// -f ./delete-ciphers.ldif >> >> This just removes the error message, but slapd does not start after the >> upgrade. >> >> 2026-02-18T11:14:57.877705-08:00 comms-staging slapd[15509]: @(#) $OpenLDAP: >> slapd 2.6.10+dfsg-1 (May 29 2025 23:41:48) $#012#011Debian OpenLDAP Maintainers >> >> 2026-02-18T11:14:57.937406-08:00 comms-staging slapd[15510]: slapd starting >> 2026-02-18T11:14:57.938339-08:00 comms-staging slapd[15510]: daemon: shutdown >> requested and initiated. >> 2026-02-18T11:14:57.938506-08:00 comms-staging slapd[15510]: slapd shutdown: >> waiting for 0 operations/tasks to finish >> 2026-02-18T11:14:57.939951-08:00 comms-staging slapd[15510]: slapd stopped. > > Good morning, > like you said, can't see any errors here, however some library messages > are not sent to syslog so you might get more details about the error > from stderr. You should probably run slaptest with the appropriate debug > flags enabled (`-d flag,flag,...`, should probably include at least > `config`) to check that it's happy with the rest of the configuration > and see whether anything else comes up. > Nothing turned up with slaptest -d config # slaptest -d config loaded module back_mdb module back_mdb: null module registered index objectClass 0x0004 index cn 0x0004 index uid 0x0004 index uidNumber 0x0004 index gidNumber 0x0004 index member 0x0004 index memberUid 0x0004 index email 0x0004 index mail 0x0004 mdb_monitor_db_open: monitoring disabled; configure monitor datab ase to enable config file testing succeeded > Other than that, yes, you can generally remove the attribute before > upgrade and either leave it to whatever OpenSSL considers default or add > whatever is appropriate for your environment after you've switched. Same > with any other attributes you might come across this way. With slaptest not giving any errors, I wonder which other attribute is problematic. These are the other options we set, dn: cn=config changetype: modify add: olcTLSCipherSuite olcTLSCipherSuite: NORMAL - add: olcTLSCRLCheck olcTLSCRLCheck: none - add: olcTLSVerifyClient olcTLSVerifyClient: never - add: olcTLSProtocolMin olcTLSProtocolMin: 3.3 I will try deleting these one by one as well (deleting olcTLSCipherSuite was tried already). > Regards, > -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_0x8F53E0193B294B75.asc Type: application/pgp-keys Size: 4938 bytes Desc: OpenPGP public key URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_signature.asc Type: application/pgp-signature Size: 840 bytes Desc: OpenPGP digital signature URL: From praveen at debian.org Thu Feb 19 13:15:24 2026 From: praveen at debian.org (Pirate Praveen) Date: Thu, 19 Feb 2026 18:45:24 +0530 Subject: Bug#1128375: slapd upgrade to trixie breaks due to incompatible cipher names In-Reply-To: <85f9a42e-dab2-4bae-85a9-8705bf237239@debian.org> References: <177145640518.1159012.2972688301281253570.reportbug@mahishi2> <85f9a42e-dab2-4bae-85a9-8705bf237239@debian.org> <177145640518.1159012.2972688301281253570.reportbug@mahishi2> Message-ID: On 2/19/26 5:59 PM, Pirate Praveen wrote: > These are the other options we set, > > dn: cn=config > changetype: modify > add: olcTLSCipherSuite > olcTLSCipherSuite: NORMAL > - > add: olcTLSCRLCheck > olcTLSCRLCheck: none > - > add: olcTLSVerifyClient > olcTLSVerifyClient: never > - > add: olcTLSProtocolMin > olcTLSProtocolMin: 3.3 > > I will try deleting these one by one as well (deleting olcTLSCipherSuite > was tried already). Same results after removing these options as well. slapd won't start after the upgrade and no other clue in the log other than just stopping after it tries to start. -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_0x8F53E0193B294B75.asc Type: application/pgp-keys Size: 4938 bytes Desc: OpenPGP public key URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_signature.asc Type: application/pgp-signature Size: 840 bytes Desc: OpenPGP digital signature URL: From ondra at mistotebe.net Thu Feb 19 13:27:20 2026 From: ondra at mistotebe.net (=?utf-8?B?T25kxZllaiBLdXpuw61r?=) Date: Thu, 19 Feb 2026 14:27:20 +0100 Subject: Bug#1128375: slapd upgrade to trixie breaks due to incompatible cipher names In-Reply-To: References: <177145640518.1159012.2972688301281253570.reportbug@mahishi2> <85f9a42e-dab2-4bae-85a9-8705bf237239@debian.org> <177145640518.1159012.2972688301281253570.reportbug@mahishi2> Message-ID: On Thu, Feb 19, 2026 at 06:45:24PM +0530, Pirate Praveen wrote: > On 2/19/26 5:59 PM, Pirate Praveen wrote: >> These are the other options we set, >> >> dn: cn=config >> changetype: modify >> add: olcTLSCipherSuite >> olcTLSCipherSuite: NORMAL >> - >> add: olcTLSCRLCheck >> olcTLSCRLCheck: none >> - >> add: olcTLSVerifyClient >> olcTLSVerifyClient: never >> - >> add: olcTLSProtocolMin >> olcTLSProtocolMin: 3.3 >> >> I will try deleting these one by one as well (deleting olcTLSCipherSuite >> was tried already). > > Same results after removing these options as well. slapd won't start after > the upgrade and no other clue in the log other than just stopping after it > tries to start. It could be related to actual (TLS?) startup which doesn't happen for slap* tool setup. If you start slapd by hand with `-d config` (or `-d any` if you want full output) does anything new show up on stderr? If it does start up just fine, then I'd look the way of how it's started (selinux/apparmor/... interference) as well but let's start from the bottom. Regards, -- Ond?ej Kuzn?k Senior Software Engineer Symas Corporation http://www.symas.com Packaged, certified, and supported LDAP solutions powered by OpenLDAP From praveen at debian.org Thu Feb 19 15:43:57 2026 From: praveen at debian.org (Pirate Praveen) Date: Thu, 19 Feb 2026 21:13:57 +0530 Subject: Bug#1128375: slapd upgrade to trixie breaks due to incompatible cipher names In-Reply-To: References: <177145640518.1159012.2972688301281253570.reportbug@mahishi2> <85f9a42e-dab2-4bae-85a9-8705bf237239@debian.org> <177145640518.1159012.2972688301281253570.reportbug@mahishi2> Message-ID: On 2/19/26 6:57 PM, Ond?ej Kuzn?k wrote: > > It could be related to actual (TLS?) startup which doesn't happen for > slap* tool setup. If you start slapd by hand with `-d config` (or `-d > any` if you want full output) does anything new show up on stderr? If it > does start up just fine, then I'd look the way of how it's started > (selinux/apparmor/... interference) as well but let's start from the > bottom. Interestingly running slapd manually seems to work. These are the steps I did, 1. delete olcTLSCipherSuite: NORMAL 2. Set olcSecurity: tls=0 3. Remove ldaps:/// from slapd -h in systemd service file 4. Update source.list and install slapd from trixie 4. start with slapd -d config -h "ldap:/// ldapi:///" 5. Add olcTLSCipherSuite: HIGH 6. Remove olcSecurity: tls=0 Still systemctl start slapd fails, but systemd still cannot start. Manually running this same command (after creating the directories and adjusting permissions) works fine, but somehow systemd is failing to start it. # cat /etc/systemd/system/slapd.service.d/override.conf [Service] ExecStart= ExecStartPre=/bin/mkdir -p /var/run/slapd ExecStartPre=/bin/chown openldap:openldap /var/run/slapd ExecStart=/usr/sbin/slapd -h "ldap:/// ldapi:///" -F /etc/ldap/slapd.d -u openldap -g openldap -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_0x8F53E0193B294B75.asc Type: application/pgp-keys Size: 4938 bytes Desc: OpenPGP public key URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_signature.asc Type: application/pgp-signature Size: 840 bytes Desc: OpenPGP digital signature URL: From ondra at mistotebe.net Thu Feb 19 16:42:10 2026 From: ondra at mistotebe.net (=?utf-8?B?T25kxZllaiBLdXpuw61r?=) Date: Thu, 19 Feb 2026 17:42:10 +0100 Subject: Bug#1128375: slapd upgrade to trixie breaks due to incompatible cipher names In-Reply-To: References: <177145640518.1159012.2972688301281253570.reportbug@mahishi2> <85f9a42e-dab2-4bae-85a9-8705bf237239@debian.org>

<177145640518.1159012.2972688301281253570.reportbug@mahishi2> Message-ID: On Thu, Feb 19, 2026 at 09:13:57PM +0530, Pirate Praveen wrote: > On 2/19/26 6:57 PM, Ond?ej Kuzn?k wrote: >> It could be related to actual (TLS?) startup which doesn't happen for >> slap* tool setup. If you start slapd by hand with `-d config` (or `-d >> any` if you want full output) does anything new show up on stderr? If it >> does start up just fine, then I'd look the way of how it's started >> (selinux/apparmor/... interference) as well but let's start from the >> bottom. > > Interestingly running slapd manually seems to work. > > These are the steps I did, > > 1. delete olcTLSCipherSuite: NORMAL > 2. Set olcSecurity: tls=0 > 3. Remove ldaps:/// from slapd -h in systemd service file > 4. Update source.list and install slapd from trixie > 4. start with slapd -d config -h "ldap:/// ldapi:///" > 5. Add olcTLSCipherSuite: HIGH > 6. Remove olcSecurity: tls=0 > > Still systemctl start slapd fails, but systemd still cannot start. > > Manually running this same command (after creating the directories and > adjusting permissions) works fine, but somehow systemd is failing to start > it. > > # cat /etc/systemd/system/slapd.service.d/override.conf > [Service] > ExecStart= > ExecStartPre=/bin/mkdir -p /var/run/slapd > ExecStartPre=/bin/chown openldap:openldap /var/run/slapd > ExecStart=/usr/sbin/slapd -h "ldap:/// ldapi:///" -F /etc/ldap/slapd.d -u > openldap -g openldap If it starts up from the shell, then it definitely sounds like an issue with how systemd sets up the environment. Likely sandboxing or something similar. Add -d to the ExecStart invocation (and potentially olcLogFile: to cn=config if you can't/don't want to read stderr) and see where you get. What does systemctl cat slapd.service say? Is there anything in the kernel audit logs to indicate apparmor issues (and what does aa-status say about slapd?) Regards, -- Ond?ej Kuzn?k Senior Software Engineer Symas Corporation http://www.symas.com Packaged, certified, and supported LDAP solutions powered by OpenLDAP From praveen at debian.org Fri Feb 20 14:29:28 2026 From: praveen at debian.org (Pirate Praveen) Date: Fri, 20 Feb 2026 19:59:28 +0530 Subject: Bug#1128375: slapd upgrade to trixie breaks due to incompatible cipher names In-Reply-To: References: <177145640518.1159012.2972688301281253570.reportbug@mahishi2> <85f9a42e-dab2-4bae-85a9-8705bf237239@debian.org>

<177145640518.1159012.2972688301281253570.reportbug@mahishi2> Message-ID: <0c945197-2e9a-4a52-b75b-139cc8615d13@debian.org> On 2/19/26 10:12 PM, Ond?ej Kuzn?k wrote: > On Thu, Feb 19, 2026 at 09:13:57PM +0530, Pirate Praveen wrote: >> On 2/19/26 6:57 PM, Ond?ej Kuzn?k wrote: >>> It could be related to actual (TLS?) startup which doesn't happen for >>> slap* tool setup. If you start slapd by hand with `-d config` (or `-d >>> any` if you want full output) does anything new show up on stderr? If it >>> does start up just fine, then I'd look the way of how it's started >>> (selinux/apparmor/... interference) as well but let's start from the >>> bottom. >> >> Interestingly running slapd manually seems to work. >> >> These are the steps I did, >> >> 1. delete olcTLSCipherSuite: NORMAL >> 2. Set olcSecurity: tls=0 >> 3. Remove ldaps:/// from slapd -h in systemd service file >> 4. Update source.list and install slapd from trixie >> 4. start with slapd -d config -h "ldap:/// ldapi:///" >> 5. Add olcTLSCipherSuite: HIGH >> 6. Remove olcSecurity: tls=0 >> >> Still systemctl start slapd fails, but systemd still cannot start. >> >> Manually running this same command (after creating the directories and >> adjusting permissions) works fine, but somehow systemd is failing to start >> it. >> >> # cat /etc/systemd/system/slapd.service.d/override.conf >> [Service] >> ExecStart= >> ExecStartPre=/bin/mkdir -p /var/run/slapd >> ExecStartPre=/bin/chown openldap:openldap /var/run/slapd >> ExecStart=/usr/sbin/slapd -h "ldap:/// ldapi:///" -F /etc/ldap/slapd.d -u >> openldap -g openldap > > If it starts up from the shell, then it definitely sounds like an issue > with how systemd sets up the environment. Likely sandboxing or something > similar. Add -d to the ExecStart invocation (and potentially olcLogFile: > to cn=config if you can't/don't want to read stderr) and see > where you get. ExecStart=sh -c 'mkdir -p /run/slapd; \ chown "$SLAPD_USER":"$SLAPD_GROUP" /run/slapd; \ [ -d "$SLAPD_CONF" ] && confflag=-F || confflag=-f; \ exec /usr/sbin/slapd -d0 \ ${SLAPD_SERVICES:+-h "$SLAPD_SERVICES"} \ ${SLAPD_USER:+-u "$SLAPD_USER"} \ ${SLAPD_GROUP:+-g "$SLAPD_GROUP"} \ ${SLAPD_CONF:+$confflag "$SLAPD_CONF"} \ $SLAPD_OPTIONS' I think /run/slapd vs /var/run/slapd in override file was conflicting. After removing the override, slapd is starting now. I think we still need to document how to actually do the migration if someone has set a value for olcTLSCipherSuites. My draft for this document (I think this should be included in trixie in a stable update and referenced in release notes: Since cipher suite names are not compatible between GNUtls and OpenSSL, if you have set any value for this variable, you will need to delete this variable before the upgrade, and set a suitable value after the upgrade is completed. If you don't remove any incompatible options, you will see this error in slapd logs after the upgrade and slapd service will fail to start. main: TLS init def ctx failed: -1 error:0A0000B9:SSL routines::no cipher match You can run this command to see if any value is set, ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -s base|grep olcTLSCipherSuite For example, if you have set this to NORMAL, you need to create an ldif file # cat delete-ciphersuite.ldif dn: cn=config changetype: modify delete: olcTLSCipherSuite olcTLSCipherSuite: NORMAL and run ldapmodify -Y EXTERNAL -H ldapi:/// -f ./delete-ciphersuite.ldif You can set a suitable value compatible with OpenSSL after the upgrade. # cat add-ciphersuite.ldif dn: cn=config changetype: modify add: olcTLSCipherSuite olcTLSCipherSuite: HIGH ldapmodify -Y EXTERNAL -H ldapi:/// -f ./add-ciphersuite.ldif You might want to remove /etc/systemd/system/slapd.service.d/override.conf as runtime directories are now handled correctly in the systemd service file. > > What does systemctl cat slapd.service say? Is there anything in the > kernel audit logs to indicate apparmor issues (and what does aa-status > say about slapd?) > > Regards, > -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_0x8F53E0193B294B75.asc Type: application/pgp-keys Size: 4938 bytes Desc: OpenPGP public key URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_signature.asc Type: application/pgp-signature Size: 840 bytes Desc: OpenPGP digital signature URL: From praveen at debian.org Fri Feb 20 17:25:36 2026 From: praveen at debian.org (Pirate Praveen) Date: Fri, 20 Feb 2026 22:55:36 +0530 Subject: Bug#1128375: slapd upgrade to trixie breaks due to incompatible cipher names In-Reply-To: <0c945197-2e9a-4a52-b75b-139cc8615d13@debian.org> References: <177145640518.1159012.2972688301281253570.reportbug@mahishi2> <85f9a42e-dab2-4bae-85a9-8705bf237239@debian.org>

<0c945197-2e9a-4a52-b75b-139cc8615d13@debian.org> <177145640518.1159012.2972688301281253570.reportbug@mahishi2> Message-ID: <29f932b7-3d83-411f-993b-dfdd65df92d3@debian.org> On 2/20/26 7:59 PM, Pirate Praveen wrote: > If you don't remove any incompatible options, you will see this error in > slapd logs after the upgrade and slapd service will fail to start. > > main: TLS init def ctx failed: -1 error:0A0000B9:SSL routines::no cipher > match > > You can run this command to see if any value is set, > > ldapsearch -Y EXTERNAL > ?-H ldapi:/// -b cn=config -s base|grep olcTLSCipherSuite I think we should also check for this variable and abort upgrade as there is no way to recover it after it is upgraded (except may be modifying the db directly) as slapd won't start. If this is detected, we should show a warning and give the migration steps documentation reference and ask for explicit confirmation before proceeding with upgrade. I just tried with olcSecurity: tls=0 before upgrade, but I'm not able to start it with just "ldap:/// and ldapi:///" options. Is there another way to disable TLS completely to repair an broken upgrade? -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_0x8F53E0193B294B75.asc Type: application/pgp-keys Size: 4938 bytes Desc: OpenPGP public key URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_signature.asc Type: application/pgp-signature Size: 840 bytes Desc: OpenPGP digital signature URL: From ryan at nardis.ca Fri Feb 20 18:08:22 2026 From: ryan at nardis.ca (Ryan Tandy) Date: Fri, 20 Feb 2026 10:08:22 -0800 Subject: Bug#1128375: slapd upgrade to trixie breaks due to incompatible cipher names In-Reply-To: <0c945197-2e9a-4a52-b75b-139cc8615d13@debian.org> References: <177145640518.1159012.2972688301281253570.reportbug@mahishi2> <85f9a42e-dab2-4bae-85a9-8705bf237239@debian.org>

<177145640518.1159012.2972688301281253570.reportbug@mahishi2> <0c945197-2e9a-4a52-b75b-139cc8615d13@debian.org> <177145640518.1159012.2972688301281253570.reportbug@mahishi2> Message-ID: Hi Praveen, On Fri, Feb 20, 2026 at 07:59:28PM +0530, Pirate Praveen wrote: >I think we still need to document how to actually do the migration if >someone has set a value for olcTLSCipherSuites. > >My draft for this document (I think this should be included in trixie >in a stable update and referenced in release notes: The text I originally submitted for the release notes specifically called out the cipher suite option, however the editors removed it since it duplicated the same info from debian/NEWS. https://salsa.debian.org/openldap-team/openldap/-/raw/2.6.10+dfsg-1/debian/NEWS slapd's README.Debian has a section (at the bottom) about the 2.6 upgrade, and steps for recovering after the upgrade, when the service won't start: https://salsa.debian.org/openldap-team/openldap/-/raw/2.6.10+dfsg-1/debian/slapd.README.Debian You're right that I could have done better by providing steps to avoid breaking the service in the first place. >You might want to remove >/etc/systemd/system/slapd.service.d/override.conf as runtime >directories are now handled correctly in the systemd service file. I don't know what this file is. The slapd package has never installed or created it. Something local on your end? From praveen at debian.org Fri Feb 20 20:30:54 2026 From: praveen at debian.org (Pirate Praveen) Date: Sat, 21 Feb 2026 02:00:54 +0530 Subject: Bug#1128375: slapd upgrade to trixie breaks due to incompatible cipher names In-Reply-To: References: <177145640518.1159012.2972688301281253570.reportbug@mahishi2> <85f9a42e-dab2-4bae-85a9-8705bf237239@debian.org>

<177145640518.1159012.2972688301281253570.reportbug@mahishi2> <0c945197-2e9a-4a52-b75b-139cc8615d13@debian.org> <177145640518.1159012.2972688301281253570.reportbug@mahishi2> Message-ID: <501b21d3-da9c-4d16-8236-37c4f77fa167@debian.org> On 2/20/26 11:38 PM, Ryan Tandy wrote: > Hi Praveen, > > On Fri, Feb 20, 2026 at 07:59:28PM +0530, Pirate Praveen wrote: >> I think we still need to document how to actually do the migration if >> someone has set a value for olcTLSCipherSuites. >> >> My draft for this document (I think this should be included in trixie >> in a stable update and referenced in release notes: > > The text I originally submitted for the release notes specifically > called out the cipher suite option, however the editors removed it since > it duplicated the same info from debian/NEWS. > > https://salsa.debian.org/openldap-team/openldap/-/raw/2.6.10+dfsg-1/ > debian/NEWS > > slapd's README.Debian has a section (at the bottom) about the 2.6 > upgrade, and steps for recovering after the upgrade, when the service > won't start: > > https://salsa.debian.org/openldap-team/openldap/-/raw/2.6.10+dfsg-1/ > debian/slapd.README.Debian > libldap2 package's NEWS has "For more information about the slapd(8) configuration, see /usr/share/doc/slapd/README.Debian.gz." This did not give a hint that upgrade issues would also be covered there. May be make an explicit reference to this file. "For more information about the slapd(8) configuration and GNUtls to OpenSSL backend migration issues, see /usr/share/doc/slapd/README.Debian.gz." > You're right that I could have done better by providing steps to avoid > breaking the service in the first place. I think we can still do it as many people would still benefit from a clearer documentation. >> You might want to remove >> /etc/systemd/system/slapd.service.d/override.conf as runtime >> directories are now handled correctly in the systemd service file. > > I don't know what this file is. The slapd package has never installed or > created it. Something local on your end? This was probably a local change. Not sure if earlier versions correctly handled creating the run directories using systemd services. -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_0x8F53E0193B294B75.asc Type: application/pgp-keys Size: 4938 bytes Desc: OpenPGP public key URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_signature.asc Type: application/pgp-signature Size: 840 bytes Desc: OpenPGP digital signature URL: