Package: slapd
Version: 2.6.10+dfsg-1
Severity: important
X-Debbugs-Cc: [email protected]
Dear Maintainer,
* What led up to the situation?
Upgrading (apt dist-upgrade) to trixie from bookworm
* What exactly did you do (or not do) that was effective (or ineffective)?
The new version of slapd switched its SSL backend from GnuTLS to OpenSSL, as documented
in the libldap2 NEWS file.
* What was the outcome of this action?
But how to actually update the values in a way that will fix the issue is not
documented.
* What outcome did you expect instead?
The exact steps to have a successful upgrade should be documented.
Here is the error in the log:
main: TLS init def ctx failed: -1 error:0A0000B9:SSL routines::no cipher match
In bookworm the value that works is:
olcTLSCipherSuite: NORMAL
But it will not work in trixie. Removing this entry did not fix the issue.
# cat delete-ciphers.ldif
dn: cn=config
changetype: modify
delete: olcTLSCipherSuite
olcTLSCipherSuite: NORMAL
ldapmodify -Y EXTERNAL -H ldapi:/// -f ./delete-ciphers.ldif
This just removes the error message, but slapd does not start after the
upgrade.
2026-02-18T11:14:57.877705-08:00 comms-staging slapd[15509]: @(#) $OpenLDAP: slapd 2.6.10+dfsg-1 (May 29 2025 23:41:48) $#012#011Debian OpenLDAP Maintainers <[email protected]>
2026-02-18T11:14:57.937406-08:00 comms-staging slapd[15510]: slapd starting
2026-02-18T11:14:57.938339-08:00 comms-staging slapd[15510]: daemon: shutdown requested and initiated.
2026-02-18T11:14:57.938506-08:00 comms-staging slapd[15510]: slapd shutdown: waiting for 0 operations/tasks to finish
2026-02-18T11:14:57.939951-08:00 comms-staging slapd[15510]: slapd stopped.
publicai.co suggested some values like the following, but none of the suggested values
work with gnutls:
ECDHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
# cat OpenSSL.ldif
dn: cn=config
changetype: modify
delete: olcTLSCipherSuite
olcTLSCipherSuite: NORMAL
-
add: olcTLSCipherSuite
olcTLSCipherSuite: DHE-RSA-AES256-GCM-SHA384
# ldapmodify -Y EXTERNAL -H ldapi:/// -f ./OpenSSL.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)
-- System Information:
Debian Release: forky/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 6.16.8+deb14-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages slapd depends on:
ii adduser 3.153
ii debconf [debconf-2.0] 1.5.91
ii init-system-helpers 1.69
ii libargon2-1 0~20190702+dfsg-5
ii libc6 2.42-11
ii libcrypt1 1:4.4.38-1
ii libldap2 2.6.10+dfsg-1
ii libltdl7 2.5.4-5
pn libodbc2 <none>
ii libperl5.40 5.40.1-6
ii libsasl2-2 2.1.28+dfsg1-9
ii libwrap0 7.6.q-36
ii psmisc 23.7-2
Versions of packages slapd recommends:
pn ldap-utils <none>
Versions of packages slapd suggests:
ii libsasl2-modules 2.1.28+dfsg1-9
pn libsasl2-modules-gssapi-mit | libsasl2-modules-gssapi-heimdal <none>
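An added check, not part of this bug report, that runs a candidate olcTLSCipherSuite value through OpenSSL's cipher-list parser before it is written into cn=config, using Python's ssl module, which is also OpenSSL-backed (assumption: the local OpenSSL is close enough to the one libldap2 links against for this purpose). The GnuTLS keyword NORMAL matches no OpenSSL cipher and is rejected, the condition the log above quotes as "no cipher match", while the OpenSSL-style names listed in the report resolve.

```python
import ssl

# Constructed candidates: the GnuTLS priority keyword that worked on bookworm,
# plus OpenSSL-style names of the kind tried in the report.
CANDIDATES = [
    "NORMAL",                       # GnuTLS keyword, not an OpenSSL cipher
    "DHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256",
]


def resolve_cipher_list(spec):
    """Ask OpenSSL (via Python's ssl module) to parse ``spec`` as a cipher list.

    Returns the TLS 1.2-and-earlier cipher names it selects, or None when
    OpenSSL rejects the list, which is the failure slapd logs as
    'TLS init def ctx failed ... no cipher match'.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return None
    # OpenSSL configures TLS 1.3 suites separately and always reports them;
    # drop them so the result shows only what the cipher-list string selected.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def ldif_set_cipher_suite(spec):
    """Build the cn=config modification for a value OpenSSL has accepted.

    Uses 'replace' so the operation works whether or not olcTLSCipherSuite is
    currently present.  Raises ValueError instead of emitting LDIF for a value
    the OpenSSL backend would refuse at slapd startup.
    """
    if resolve_cipher_list(spec) is None:
        raise ValueError(f"OpenSSL selects no cipher for {spec!r}")
    return (
        "dn: cn=config\n"
        "changetype: modify\n"
        "replace: olcTLSCipherSuite\n"
        f"olcTLSCipherSuite: {spec}\n"
    )


if __name__ == "__main__":
    for spec in CANDIDATES:
        ciphers = resolve_cipher_list(spec)
        status = "rejected" if ciphers is None else f"selects {ciphers}"
        print(f"{spec}: {status}")
```

Feed the generated LDIF to ldapmodify only after the value resolves; a rejected value is the one that would leave slapd unable to start after the upgrade.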