The OpenLDAP packaging for Debian could use additional resources. No one on the current OpenLDAP maintenance team has very much time to work on the package, and we're having difficulty keeping up with both the bug queue and with upstream releases and fixes. Given that this is a fairly critical package supplying both the LDAP libraries for many programs in Debian and the LDAP server used by other Debian projects, this is not a good situation. We particularly need help with: * Triaging Debian bugs, filing them upstream where needed, and helping test and incorporate upstream fixes. Upstream is very active and responsive, but expects careful attention to the existing documentation and separation of OpenLDAP bugs from bugs in Debian's build, configuration, or any local modifications. * Triage of TLS issues. For licensing reasons, Debian builds OpenLDAP with GnuTLS instead of OpenSSL, which is unusual in the broader OpenLDAP community. A lot of the open bugs are about TLS interoperability issues, which need to be analyzed and reported against either GnuTLS or upstream if they're problems with OpenLDAP's interface to GnuTLS. GnuTLS upstream is very responsive and good about helping with this if the bug can be reproduced. * Work on slapd configuration and maintenance. Upstream is converting to cn=config (an LDIF configuration backend) and away from slapd.conf and the Debian packages should do likewise. This will require extensive testing during the squeeze release cycle. * Testing, particularly of the server. Help from someone who runs the Debian slapd packages in production with a fairly large directory, or who can do so at least for testing, would be very welcome. The upstream OpenLDAP team has had many bad experiences with distribution packagers doing a poor job of supporting OpenLDAP packages and the OpenLDAP project doesn't support old versions of OpenLDAP, so it's important to carefully distinguish between Debian problems (including those related to having an old version in stable) and upstream OpenLDAP problems. Having a thick skin and a willingness to work through conflicts is very helpful. OpenLDAP is maintained via an Alioth Subversion repository and mailing list. If you're willing to help, please join the mailing list via: http://lists.alioth.debian.org/mailman/listinfo/pkg-openldap-devel and let us know what you can work on. Bug triage is a great place to start.
Russ Allbery wrote: I'd like to help. I'm not sure I'll have much time though, but I guess all helping hands are welcome? I'm particulary interested in this one. We use a newer version in production, but can probably run some test instances. Cheers Luk
Luk Claes <luk@debian.org> writes: Absolutely. That would be great. I expect the hardest part will be the upgrade process from earlier versions. The versioning is always going to be hard since OpenLDAP releases so quickly, but I wonder if we could make the Debian packages more generally useful if we were active about backporting it. (Still doesn't help during release freeze, though.)
Still looking for help? Matt
I have little experience packaging, but i'm an old debian user, also i have need to get slapd 2.4.16 running, how can i help? I'm interested in joining the package team.
Hello, i'am an heavy user of ldap everyday, so i'am interested in joining the team Cheers
Hello, I'd like to offer my help as well. The company I'm working for relies on OpenLDAP as a core component of its Debian based Linux distribution for enterprise level customers. So I probably can contribute some amount of work on configuration updates, maintainance and testing, and possibly route some bugs or help resolving TLS issues that pop up along the way.
Hello all, Anyone still interested in comaintaining OpenLDAP, please drop me a note. Regards, Matthijs Mohlmann
Hello, I'd like to help an join the team! I'm interested in: * Work on slapd configuration and maintenance. Upstream is converting to cn=config (an LDIF configuration backend) and away from slapd.conf and the Debian packages should do likewise. This will require extensive testing during the squeeze release cycle. * Testing, particularly of the server. Help from someone who runs the Debian slapd packages in production with a fairly large directory, or who can do so at least for testing, would be very welcome. The company I'm working use OpenLdap since Ectch!
Hello, I'd like to help an join the team! I'm interested in: * Work on slapd configuration and maintenance. Upstream is converting to cn=config (an LDIF configuration backend) and away from slapd.conf and the Debian packages should do likewise. This will require extensive testing during the squeeze release cycle. * Testing, particularly of the server. Help from someone who runs the Debian slapd packages in production with a fairly large directory, or who can do so at least for testing, would be very welcome. The company I'm working use OpenLdap since Etch!
regards, I have experience with OpenLDAP from Debian Etch, and managing daily work now OpenLDAP on Debian Squeeze. I have experience with Net::LDAP, in fact I have a Perl module that I developed for use in my company, which makes a lot of LDAP operations. I'm not a Debian Developer. Tell me that I can help?
Hi, I'd like to volunteer to help with OpenLDAP in Debian. As part of my day job I run OpenLDAP on 16 (give or take) Ubuntu servers and follow openldap-technical. We currently run customized OpenLDAP packages based on the Ubuntu packaging. I have the freedom to test packages in staging and production. I maintain one small package in Debian, and several private ones for my employer. I'm not a DD or DM. I would really like to see the OpenLDAP packages in Debian and Ubuntu brought up to date and improved. How could I make myself useful to this team? What would be an effective way to spend some effort? Thanks Ryan
I'm still looking for help with the OpenLDAP packages. I'm not an OpenLDAP user any more, and I would like to eventually hand off the package to a new maintainer. The current 2.4 package is in OK shape. It's up-to-date in unstable and backports, and I'm able to handle the low volume of security updates and bug reports. I'm also responding to Debian-specific issues on the upstream support channels (lists/bugs/IRC). The status quo will probably be fine for bullseye; however, I'm not making much progress on developing or improving the package. Here are some of the major projects that I would appreciate help with: * Updating to OpenLDAP 2.5. The first 2.5 alpha has been released already. I hope the final release will happen in time that we can transition to it for bookworm. This will include a SONAME transition, which should be mostly painless as the library API has not changed much. The bulk of the work will be to support slapd upgrades. The biggest change is that the Berkeley DB backends (BDB and HDB) have been removed. These were the default for Debian installations for a long time and I know not all users have migrated to LMDB yet. We should provide an automated migration from BDB/HDB to LMDB, as was done for LDBM previously. There are also some old bugs in the maintainer scripts for upgrading databases, which still need to be addressed. Upstream still supports both slapd.conf and cn=config configuration (though slapd.conf is considered deprecated), so any upgrade path has to support both. * Overhauling the debian/copyright file. The copyright file is old and not in DEP5 format yet. We basically need to do a full copyright review of the upstream source in order to write a complete and correct DEP5 copyright file, and then commit to maintaining it going forward. I don't know at all what the license of debian/* is supposed to be. We might have to do some legwork of contacting previous maintainers and trying to obtain copyright statements from them. * Replacing the slapd init script with a systemd service. This is a smaller project, but still not as trivial as it sounds. The init script supports a number of configuration variables, and it also picks up some information dynamically from the slapd configuration. This probably requires extracting some of the init script code to a wrapper script for executing slapd with appropriate arguments. Supporting both slapd.conf and cn=config adds complexity here as well. * Working with upstream on GnuTLS support. Upstream still supports GnuTLS, but reluctantly. They expect the Debian maintainer to be actively involved with triaging and fixing GnuTLS issues upstream. The autoca overlay is new in 2.5 and only supports OpenSSL right now. Upstream are not likely to work on GnuTLS support; if we want to include it in Debian, we probably have to add GnuTLS support ourselves. * Evaluating a possible switch back to OpenSSL. Upstream would prefer to drop the GnuTLS support, and have asked me to investigate what issues on the Debian side are blocking it. I don't fully understand Debian's current position on OpenSSL licensing and hope ftp-master will provide a more detailed statement soon. This might require auditing the reverse-depends of libldap in Debian and checking whether there is still GPL- or GPL2-only code linking with libldap; I'm not sure. In any case, a switch to OpenSSL is likely to be a disruptive event for all users (for example, the TLS cipher suite configuration is completely incompatible) and must be approached with caution. If there are no blockers on the Debian side, dropping GnuTLS support upstream could happen as soon as OpenLDAP 2.6. * Working with Ubuntu to reduce their delta. The Ubuntu maintainers would like to reduce the delta in their package. There are some changes that can be dropped during the transition to 2.5 (such as the legacy GSSAPI support). There are also some pieces that could be adopted in Debian (such as the apparmor and ufw profiles), if we can determine the license and copyright for them. I'm happy to provide mentoring or reviews, and to sponsor uploads, for anyone who would like to work on the package. If you have an interest in the future of OpenLDAP in Debian, please get in touch!
Hi Ryan, I would like to be part of the maintainers team(OpenLDAP). I haven't contributed to debian before, I have worked in Linux based servers for more than 11 years. If the prior experience in contribution is not mandatory, please let me know how to proceed. thanks, Karthik