Richard A Nelson <cow...@debian.org> writes:

> Indeed, and this causes significant pain for Debian users in a lot of
> environments.
>
> * GnuTLS does not negotiate well with some corporate SSL libraries and
> the kluge patches applied to products like OpenLDAP don't offer the
> ability to turn off TLS 1.1 negotiation
>
> * GnuTLS has other issues (fairly old, but still interesting):
> http://www.openldap.org/lists/openldap-devel/200802/msg00072.html
>
> * Couple this with the fact that our OpenLDAP packages are not new
> enough for multi-master support, and even one of the maintainers
> recommends not using Debian slapd package for 'Production use' -
> and you wind up with a variant of 'DLL Hell', but at least dpkg
> properly reports all failing/conflicting dependencies.
>
> Note: This would be so much easier if I only needed slapd compiled
> against OpenSSL ... but alas, that is not the case :(

I am certain that all of the problems with the Debian OpenLDAP packages are resolvable without switching away from GnuTLS. The problem is that the OpenLDAP packaging team in Debian has almost no resources. Neither Steve nor I have any time to spend on it, and I at least got involved only out of self-defense since the package was in danger of being unmaintained. (I think the same may also be true of Steve.) There's a long-standing RFH which has gotten a fair number of responses, but no one involved on the team really has time to mentor people in how to work on Debian packaging either, and so far the responses haven't translated into people with free time and the necessary skills to jump in and help.

We would greatly appreciate the help of an experienced Debian packager to bring the package up to date and to track down the TLS interaction problems with GnuTLS. Upstream for GnuTLS is quite responsive, and upstream for OpenLDAP, while not very fond of GnuTLS, has always been willing to take patches if someone can clearly explain the issue.

>> Or is there another way?
>
> For interoperability, OpenSSL is much better, but there is apparently
> still some amount of work to be done on license exemptions (how much?),
> and even if that were done, it'd take a bit of work to switch everything
> back to it ... if there was consensus

The primary problem with using OpenSSL with OpenLDAP is NSS and PAM modules, which pull the libraries into just about any GPL'd (or other-licensed) package in the distribution in one way or another. The first step would be to reach consensus on removing from our archive the traditional LDAP NSS and PAM modules and replacing them with the ldapd versions, which talk to a system daemon over a protocol rather than pull all the libraries into the same executable. Once that's been done, the problem of getting license exceptions for all other GPL packages that link directly to OpenLDAP might be tractable. (Or it might not; I haven't done any of the necessary investigative work.)

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>

Archive: http://lists.debian.org/87fx3ubytu....@windlord.stanford.edu