Removing nss overlay ("nssov") from openldap, pre/postinst considerations

Andreas Hasenack andreas at
Thu May 21 20:25:46 UTC 2020


I would like to stop building the nss overlay in openldap[1][2], and
proposed a change[3] for that.

One of the comments I got from the Debian Maintainer is that this
would break an upgrade for whoever was using that module, as slapd
(the daemon) would refuse to start if the module is suddenly gone,
while its config is still there.

That is an ugly situation, as removing modules from the openldap
configuration using the cn=config backend (our and debian's default
for ages) is not trivial. I outlined some options and their outcome in
[4]. But that's not what I wanted to ask here (although comments are
very welcome!).

Is there any pattern, or precedence, in Ubuntu or Debian, of where a
package upgrade removes a piece of the software and it cannot be
easily handled in the maintainer scripts? One of the options outlined
in [4] is an exit 1 in preinst. That would leave the previous package
installed, the daemon running, and the original functionality there,
but the admin then has to take action as the upgrade was done half-way
(libraries were updated, but the daemon package remains at the
previous version).


More information about the ubuntu-devel mailing list