Bug#1128375: slapd upgrade to trixie breaks due to incompatible cipher names
Pirate Praveen
praveen at debian.org
Fri Feb 20 20:30:54 GMT 2026
On 2/20/26 11:38 PM, Ryan Tandy wrote:
> Hi Praveen,
>
> On Fri, Feb 20, 2026 at 07:59:28PM +0530, Pirate Praveen wrote:
>> I think we still need to document how to actually do the migration if
>> someone has set a value for olcTLSCipherSuites.
>>
>> My draft for this document (I think this should be included in trixie
>> in a stable update and referenced in release notes):
>
> The text I originally submitted for the release notes specifically
> called out the cipher suite option, however the editors removed it since
> it duplicated the same info from debian/NEWS.
>
> https://salsa.debian.org/openldap-team/openldap/-/raw/2.6.10+dfsg-1/debian/NEWS
>
> slapd's README.Debian has a section (at the bottom) about the 2.6
> upgrade, and steps for recovering after the upgrade, when the service
> won't start:
>
> https://salsa.debian.org/openldap-team/openldap/-/raw/2.6.10+dfsg-1/debian/slapd.README.Debian
>
libldap2 package's NEWS has
"For more information about the slapd(8) configuration, see
/usr/share/doc/slapd/README.Debian.gz."
This did not give a hint that upgrade issues would also be covered
there. Maybe make an explicit reference to this file.
"For more information about the slapd(8) configuration and GnuTLS to
OpenSSL backend migration issues, see
/usr/share/doc/slapd/README.Debian.gz."
> You're right that I could have done better by providing steps to avoid
> breaking the service in the first place.
I think we can still do it, as many people would still benefit from
clearer documentation.
>> You might want to remove
>> /etc/systemd/system/slapd.service.d/override.conf as runtime
>> directories are now handled correctly in the systemd service file.
>
> I don't know what this file is. The slapd package has never installed or
> created it. Something local on your end?
This was probably a local change. Not sure if earlier versions correctly
handled creating the run directories using systemd services.