#512360 RFH: openldap -- OpenLDAP server, libraries, and utilities

#512360#5
Date:
2009-01-20 01:52:43 UTC
From:
To:
The OpenLDAP packaging for Debian could use additional resources.  No one
on the current OpenLDAP maintenance team has very much time to work on
the package, and we're having difficulty keeping up with both the bug
queue and with upstream releases and fixes.  Given that this is a fairly
critical package supplying both the LDAP libraries for many programs in
Debian and the LDAP server used by other Debian projects, this is not a
good situation.

We particularly need help with:

* Triaging Debian bugs, filing them upstream where needed, and helping
  test and incorporate upstream fixes.  Upstream is very active and
  responsive, but expects careful attention to the existing documentation
  and separation of OpenLDAP bugs from bugs in Debian's build,
  configuration, or any local modifications.

* Triage of TLS issues.  For licensing reasons, Debian builds OpenLDAP
  with GnuTLS instead of OpenSSL, which is unusual in the broader
  OpenLDAP community.  A lot of the open bugs are about TLS interoperability
  issues, which need to be analyzed and reported against either GnuTLS or
  upstream if they're problems with OpenLDAP's interface to GnuTLS.  GnuTLS
  upstream is very responsive and good about helping with this if the bug
  can be reproduced.

* Work on slapd configuration and maintenance.  Upstream is converting to
  cn=config (an LDIF configuration backend) and away from slapd.conf and
  the Debian packages should do likewise.  This will require extensive
  testing during the squeeze release cycle.

* Testing, particularly of the server.  Help from someone who runs the
  Debian slapd packages in production with a fairly large directory, or
  who can do so at least for testing, would be very welcome.

The upstream OpenLDAP team has had many bad experiences with distribution
packagers doing a poor job of supporting OpenLDAP packages and the
OpenLDAP project doesn't support old versions of OpenLDAP, so it's
important to carefully distinguish between Debian problems (including
those related to having an old version in stable) and upstream OpenLDAP
problems.  Having a thick skin and a willingness to work through conflicts
is very helpful.

OpenLDAP is maintained via an Alioth Subversion repository and mailing
list.  If you're willing to help, please join the mailing list via:

http://lists.alioth.debian.org/mailman/listinfo/pkg-openldap-devel

and let us know what you can work on.  Bug triage is a great place to
start.

#512360#10
Date:
2009-01-20 07:01:43 UTC
From:
To:
Russ Allbery wrote:

I'd like to help. I'm not sure I'll have much time though, but I guess
all helping hands are welcome?

I'm particulary interested in this one.

We use a newer version in production, but can probably run some test
instances.

Cheers

Luk

#512360#15
Date:
2009-01-20 18:18:36 UTC
From:
To:
Luk Claes <luk@debian.org> writes:

Absolutely.

That would be great.  I expect the hardest part will be the upgrade
process from earlier versions.

The versioning is always going to be hard since OpenLDAP releases so
quickly, but I wonder if we could make the Debian packages more generally
useful if we were active about backporting it.  (Still doesn't help during
release freeze, though.)

#512360#20
Date:
2009-05-26 16:43:48 UTC
From:
To:
Still looking for help?
Matt

#512360#25
Date:
2009-06-22 16:54:08 UTC
From:
To:
I have little experience packaging, but i'm an old debian user, also i
have need to get slapd 2.4.16 running, how can i help? I'm interested
in joining the package team.

#512360#30
Date:
2009-10-25 12:55:08 UTC
From:
To:
Hello,

i'am an heavy user of ldap everyday, so i'am interested in joining the
team

Cheers

#512360#35
Date:
2009-11-26 10:00:28 UTC
From:
To:
Hello,

I'd like to offer my help as well.

The company I'm working for relies on OpenLDAP as a core component of its
Debian based Linux distribution for enterprise level customers. So I probably
can contribute some amount of work on configuration updates, maintainance and
testing, and possibly route some bugs or help resolving TLS issues that pop
up along the way.

#512360#40
Date:
2010-07-15 21:08:50 UTC
From:
To:
Hello all,

Anyone still interested in comaintaining OpenLDAP, please drop me a note.

Regards,

Matthijs Mohlmann

#512360#45
Date:
2011-09-12 10:37:25 UTC
From:
To:
Hello,
I'd like to help an join the team!
I'm interested in:

* Work on slapd configuration and maintenance. Upstream is converting to
cn=config (an LDIF configuration backend) and away from slapd.conf and
the Debian packages should do likewise. This will require extensive
testing during the squeeze release cycle.

* Testing, particularly of the server. Help from someone who runs the
Debian slapd packages in production with a fairly large directory, or
who can do so at least for testing, would be very welcome.

The company I'm working use OpenLdap since Ectch!

#512360#50
Date:
2011-09-12 11:07:31 UTC
From:
To:
Hello,
I'd like to help an join the team!
I'm interested in:

* Work on slapd configuration and maintenance. Upstream is converting to
cn=config (an LDIF configuration backend) and away from slapd.conf and
the Debian packages should do likewise. This will require extensive
testing during the squeeze release cycle.

* Testing, particularly of the server. Help from someone who runs the
Debian slapd packages in production with a fairly large directory, or
who can do so at least for testing, would be very welcome.

The company I'm working use OpenLdap since Etch!

#512360#55
Date:
2012-03-10 04:56:59 UTC
From:
To:
regards,

I have experience with OpenLDAP from Debian Etch, and managing daily work
now OpenLDAP on Debian Squeeze.

I have experience with Net::LDAP, in fact I have a Perl module that I
developed for use in my company, which makes a lot of LDAP operations.

I'm not a Debian Developer.

Tell me that I can help?

#512360#60
Date:
2013-09-24 18:56:30 UTC
From:
To:
Hi,

I'd like to volunteer to help with OpenLDAP in Debian.

As part of my day job I run OpenLDAP on 16 (give or take) Ubuntu
servers and follow openldap-technical. We currently run customized
OpenLDAP packages based on the Ubuntu packaging. I have the freedom to
test packages in staging and production.

I maintain one small package in Debian, and several private ones for
my employer. I'm not a DD or DM.

I would really like to see the OpenLDAP packages in Debian and Ubuntu
brought up to date and improved.

How could I make myself useful to this team? What would be an
effective way to spend some effort?

Thanks
Ryan

#512360#65
Date:
2020-12-05 20:36:00 UTC
From:
To:
I'm still looking for help with the OpenLDAP packages. I'm not an
OpenLDAP user any more, and I would like to eventually hand off the
package to a new maintainer.

The current 2.4 package is in OK shape. It's up-to-date in unstable and
backports, and I'm able to handle the low volume of security updates and
bug reports. I'm also responding to Debian-specific issues on the
upstream support channels (lists/bugs/IRC). The status quo will probably
be fine for bullseye; however, I'm not making much progress on
developing or improving the package.

Here are some of the major projects that I would appreciate help with:

* Updating to OpenLDAP 2.5.

  The first 2.5 alpha has been released already. I hope the final
  release will happen in time that we can transition to it for bookworm.
  This will include a SONAME transition, which should be mostly painless
  as the library API has not changed much.

  The bulk of the work will be to support slapd upgrades. The biggest
  change is that the Berkeley DB backends (BDB and HDB) have been
  removed. These were the default for Debian installations for a long
  time and I know not all users have migrated to LMDB yet. We should
  provide an automated migration from BDB/HDB to LMDB, as was done for
  LDBM previously. There are also some old bugs in the maintainer
  scripts for upgrading databases, which still need to be addressed.

  Upstream still supports both slapd.conf and cn=config configuration
  (though slapd.conf is considered deprecated), so any upgrade path has
  to support both.

* Overhauling the debian/copyright file.

  The copyright file is old and not in DEP5 format yet. We basically
  need to do a full copyright review of the upstream source in order to
  write a complete and correct DEP5 copyright file, and then commit to
  maintaining it going forward.

  I don't know at all what the license of debian/* is supposed to be. We
  might have to do some legwork of contacting previous maintainers and
  trying to obtain copyright statements from them.

* Replacing the slapd init script with a systemd service.

  This is a smaller project, but still not as trivial as it sounds. The
  init script supports a number of configuration variables, and it also
  picks up some information dynamically from the slapd configuration.
  This probably requires extracting some of the init script code to a
  wrapper script for executing slapd with appropriate arguments.

  Supporting both slapd.conf and cn=config adds complexity here as well.

* Working with upstream on GnuTLS support.

  Upstream still supports GnuTLS, but reluctantly. They expect the
  Debian maintainer to be actively involved with triaging and fixing
  GnuTLS issues upstream.

  The autoca overlay is new in 2.5 and only supports OpenSSL right now.
  Upstream are not likely to work on GnuTLS support; if we want to
  include it in Debian, we probably have to add GnuTLS support
  ourselves.

* Evaluating a possible switch back to OpenSSL.

  Upstream would prefer to drop the GnuTLS support, and have asked me to
  investigate what issues on the Debian side are blocking it.

  I don't fully understand Debian's current position on OpenSSL
  licensing and hope ftp-master will provide a more detailed statement
  soon. This might require auditing the reverse-depends of libldap in
  Debian and checking whether there is still GPL- or GPL2-only code
  linking with libldap; I'm not sure.

  In any case, a switch to OpenSSL is likely to be a disruptive event
  for all users (for example, the TLS cipher suite configuration is
  completely incompatible) and must be approached with caution.

  If there are no blockers on the Debian side, dropping GnuTLS support
  upstream could happen as soon as OpenLDAP 2.6.

* Working with Ubuntu to reduce their delta.

  The Ubuntu maintainers would like to reduce the delta in their
  package. There are some changes that can be dropped during the
  transition to 2.5 (such as the legacy GSSAPI support). There are also
  some pieces that could be adopted in Debian (such as the apparmor and
  ufw profiles), if we can determine the license and copyright for them.


I'm happy to provide mentoring or reviews, and to sponsor uploads, for
anyone who would like to work on the package. If you have an interest in
the future of OpenLDAP in Debian, please get in touch!

#512360#74
Date:
2021-08-24 08:35:43 UTC
From:
To:
Hi Ryan,

I would like to be part of the maintainers team(OpenLDAP). I haven't
contributed to debian before, I have worked in Linux based servers for more
than 11 years. If the prior experience in contribution is not mandatory,
please let me know how to proceed.

thanks,
Karthik