Actual Ubuntu Slapd totally useless for "serious" use

Bug #1316124 reported by Emmanuel Fusté on 2014-05-05
This bug affects 4 people
Affects Status Importance Assigned to Milestone
openldap (Ubuntu)

Bug Description

Please, as Debian recently (and finally) did, upgrade/backport 2.4.39 to Ubuntu.
2.4.31 is two years old and full of known bugs critical in multi-server replication config.
Even if 2.4.39 is not perfect, it is way more "polished" and usable than 2.4.31.
We could not wait two more years for the next LTS release to catch up. And I would like to avoid "./configure;make;make install".
It would benefit upstream too as
- actual Ubuntu users' reports are useless for the developers because they are known old fixed bugs or from an outdated codebase
- actual up to date codebase is not currently tested/used by Ubuntu users, not helping to move forward.

Thank you for your attention.

Peter Matulis (petermatulis) wrote :

Please add Debian backport bug

Peter Matulis (petermatulis) wrote :

Once Utopic syncs with the new Debian version I think the best option is to make a request via the Ubuntu Backports Project (-backports).

Changed in openldap (Ubuntu):
importance: Undecided → Medium
status: New → Confirmed

On 05/05/2014 16:06, Peter Matulis wrote:
> Please add Debian backport bug
Sorry, I misspoke. There is no backport in Debian now.
Debian finally switched to 2.4.39 in Sid and Jessie after a maintainer change.
A backport for Ubuntu 14.04 LTS is highly desirable as for Debian stable.

Should I open a Debian bug or request a Debian backport to the Debian
maintainer first?
I searched for information about Debian backport requests, but it seems that
there is no other "official" way than doing the backport myself.


Ryan Tandy (rtandy) wrote :

There's an open request (for a long time) for a backport in Debian:

A backport should address the question of DB format upgrades when going from release to release. The technique currently used, checking the version of the package being upgraded, will fail if a newer package is backported to an older release (with an older DB library) and then upgraded (because it will already be newer than what the version check looks for). I don't have a good idea for addressing that. (Backporting from Utopic to Trusty is probably safe, as long as they have the same libdb version.)

Backporting openldap in Ubuntu is time-consuming because the procedure calls for every single reverse dependency to be verified. See for example the list in a previous attempt:

The LTB project provides deb packages of the most recent sources, built according to upstream's recommendations. If you're currently just building and installing unmodified upstream sources, those might save you some time.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openldap - 2.4.40+dfsg-1ubuntu1

openldap (2.4.40+dfsg-1ubuntu1) wily; urgency=low

  * Merge from Debian testing (LP: #1395098, LP: #1316124). Remaining changes:
    - Enable AppArmor support:
      - d/apparmor-profile: add AppArmor profile
      - d/rules: use dh_apparmor
      - d/control: Build-Depends on dh-apparmor
      - d/slapd.README.Debian: add note about AppArmor
    - Enable GSSAPI support:
      - d/patches/gssapi.diff, thanks to Jerry Carter (Likewise):
        - Add --with-gssapi support
        - Make guess_service_principal() more robust when determining
      - d/configure.options: Configure with --with-gssapi
      - d/control: Added heimdal-dev as a build depend
    - Enable ufw support:
      - d/control: suggest ufw.
      - d/rules: install ufw profile.
      - d/slapd.ufw.profile: add ufw profile.
    - Enable nss overlay:
      - d/{patches/nssov-build,rules}: Apply, build and package the
        nss overlay.
    - d/{rules,}: Add apport hook.
    - d/slapd.init.ldif: don't set olcRootDN since it's not defined in
      either the default DIT nor via an Authn mapping.
    - d/slapd.scripts-common:
      - add slapcat_opts to local variables.
      - Remove unused variable new_conf.
      - Fix backup directory naming for multiple reconfiguration.
    - d/{slapd.default,slapd.README.Debian}: use the new configuration style.
    - d/rules: Enable -DLDAP_CONNECTIONLESS to build CLDAP (UDP) support
      in the openldap library, as required by Likewise-Open
    - Show distribution in version:
      - d/control: added lsb-release
      - d/patches/fix-ldap-distribution.patch: show distribution in version
  * Drop patches included upstream:
    - d/patches/0001-ITS-7430-GnuTLS-Avoid-use-of-deprecated-function.patch
    - d/patches/bdb-deadlock.patch
    - d/patches/its-7354-fix-delta-sync-mmr.diff
  * Drop hardening-wrapper as Debian now sets PIE and bindnow flags.
  * debian/patches/nssov-build: Adjust for upstream changes.
  * debian/apparmor-profile:
    - Change 'r' to 'rw' for ldapi and nslcd sockets, required for apparmor
      kernel ABI v7 (utopic and later). (LP: #1392018)
    - Reduce permissions on /run/nslcd to just the nslcd socket.
  * Enable the mdb backend again on ppc64el, fixed upstream in ITS#7713.
    (LP: #1293250)

openldap (2.4.40+dfsg-1) unstable; urgency=medium

  * Remove inetorgperson.schema from the upstream source. Replace it with a
    copy stripped of RFC text. (Closes: #780283)
  * Adjust debian/watch for +dfsg versioning.
  * debian/patches/ITS7975-fix-mdb-onelevel-search.patch: Import upstream
    patch to fix scope=onelevel searches wrongly including the search base in
    results under the MDB backend. (ITS#7975) (Closes: #782212)

openldap (2.4.40-4) unstable; urgency=medium

  * debian/patches/ITS8027-deref-reject-empty-attr-list.patch: Import upstream
    patch to fix a crash when a search includes the Deref control with an
    empty attribute list. (ITS#8027) (CVE-2015-1545, Closes: #776988)
  * debian/patches/ITS8046-fix-vrFilter_free-crash.patch: Import upstream
    patch to fix a double free triggered by...

Changed in openldap (Ubuntu):
status: Confirmed → Fix Released