Bug#1128375: slapd upgrade to trixie breaks due to incompatible cipher names

Pirate Praveen praveen at debian.org
Thu Feb 19 15:43:57 GMT 2026


On 2/19/26 6:57 PM, Ondřej Kuzník wrote:
> 
> It could be related to actual (TLS?) startup which doesn't happen for
> slap* tool setup. If you start slapd by hand with `-d config` (or `-d
> any` if you want full output) does anything new show up on stderr? If it
> does start up just fine, then I'd look the way of how it's started
> (selinux/apparmor/... interference) as well but let's start from the
> bottom.

Interestingly, running slapd manually seems to work.

These are the steps I did:

1. delete olcTLSCipherSuite: NORMAL
2. Set olcSecurity: tls=0
3. Remove ldaps:/// from slapd -h in systemd service file
4. Update source.list and install slapd from trixie
5. start with slapd -d config -h "ldap:/// ldapi:///"
6. Add olcTLSCipherSuite: HIGH
7. Remove olcSecurity: tls=0

Still, systemctl start slapd fails; systemd still cannot start it.

Manually running this same command (after creating the directories and 
adjusting permissions) works fine, but somehow systemd is failing to 
start it.

# cat /etc/systemd/system/slapd.service.d/override.conf
[Service]
ExecStart=
ExecStartPre=/bin/mkdir -p /var/run/slapd
ExecStartPre=/bin/chown openldap:openldap /var/run/slapd
ExecStart=/usr/sbin/slapd -h "ldap:/// ldapi:///" -F /etc/ldap/slapd.d -u openldap -g openldap