Cleaning up the openldap packaging

Andreas Hasenack andreas at
Mon May 18 19:32:39 UTC 2020


For this post-LTS cycle I wanted to clean up our openldap packaging and
get more in line with Debian's. We have some very old delta that was
added circa 2009 due to likewise-open (as far as I could dig up), and
that we shouldn't carry anymore.

To that end, I started this [merge
but was quickly reminded by Ryan Tandy (Debian's openldap maintainer)
that in order to drop these two pieces of delta:

- gssapi patch (introduced via
- connection-less ldap (ldap over udp)

I would have to change the soname of the library, because dropping the
changes above means removing symbols from the library and thus
breaking backwards compatibility with anything that might be using

I believe back then when this was introduced, likewise-open didn't
support sasl gssapi, just plain gssapi. About "connection-less ldap",
as far as I can tell, that was last needed to do ldap suffix discovery
with Windows 2000 servers.

Not being able to drop these is unfortunate, as at least the gssapi
patch is kind of wrong to be carried (sasl gssapi should be used
instead), but, as they say, we are between a rock and a hard place.

It looks like the best moment to drop those is when openldap 2.5 comes
out, as that will (likely) have a soname bump, and we can then remove
this delta and do a proper transition. But it's unclear when that
release will happen.

Another change I wanted to drop is the nss overlay. Debian doesn't
build it, I don't think we need another nss library/system, and
distributions seem to be standardizing on sssd. We don't even have any
other nss module in Ubuntu main, just sssd: the rest is in universe.

If you are one of the users of this nss overlay in openldap, I would
like to hear from you.
