On 2/19/26 3:30 PM, Ondřej Kuzník wrote:
> On Thu, Feb 19, 2026 at 04:43:25AM +0530, Pirate Praveen wrote:
>> New version of slapd switched SSL backend to OpenSSL from GnuTLS as
>> documented in libldap2 NEWS file. But how to actually update the values
>> in a way that will fix the issue is not documented.
>>
>> * What outcome did you expect instead?
>>
>> The exact steps to have a successful upgrade should be documented.
>>
>> Here is the error in log,
>>
>> main: TLS init def ctx failed: -1
>> error:0A0000B9:SSL routines::no cipher match
>>
>> In bookworm the value that works is,
>>
>> olcTLSCipherSuite: NORMAL
>>
>> But it will not work in trixie. Removing this entry did not fix the issue.
>>
>> # cat delete-ciphers.ldif
>> dn: cn=config
>> changetype: modify
>> delete: olcTLSCipherSuite
>> olcTLSCipherSuite: NORMAL
>>
>> ldapmodify -Y EXTERNAL -H ldapi:/// -f ./delete-ciphers.ldif
>>
>> This just removes the error message, but slapd does not start after the upgrade.
>>
>> 2026-02-18T11:14:57.877705-08:00 comms-staging slapd[15509]: @(#) $OpenLDAP: slapd 2.6.10+dfsg-1 (May 29 2025 23:41:48) $#012#011Debian OpenLDAP Maintainers <[email protected]>
>> 2026-02-18T11:14:57.937406-08:00 comms-staging slapd[15510]: slapd starting
>> 2026-02-18T11:14:57.938339-08:00 comms-staging slapd[15510]: daemon: shutdown requested and initiated.
>> 2026-02-18T11:14:57.938506-08:00 comms-staging slapd[15510]: slapd shutdown: waiting for 0 operations/tasks to finish
>> 2026-02-18T11:14:57.939951-08:00 comms-staging slapd[15510]: slapd stopped.
>
> Good morning,
>
> like you said, can't see any errors here, however some library messages
> are not sent to syslog so you might get more details about the error
> from stderr. You should probably run slaptest with the appropriate debug
> flags enabled (`-d flag,flag,...`, should probably include at least
> `config`) to check that it's happy with the rest of the configuration
> and see whether anything else comes up.
Nothing turned up with slaptest -d config:

# slaptest -d config
loaded module back_mdb
module back_mdb: null module registered
index objectClass 0x0004
index cn 0x0004
index uid 0x0004
index uidNumber 0x0004
index gidNumber 0x0004
index member 0x0004
index memberUid 0x0004
index email 0x0004
index mail 0x0004
mdb_monitor_db_open: monitoring disabled; configure monitor database to enable
config file testing succeeded
> Other than that, yes, you can generally remove the attribute before
> upgrade and either leave it to whatever OpenSSL considers default or add
> whatever is appropriate for your environment after you've switched. Same
> with any other attributes you might come across this way.
With slaptest not giving any errors, I wonder which other attribute is problematic.
These are the other options we set,

dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: NORMAL
-
add: olcTLSCRLCheck
olcTLSCRLCheck: none
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never
-
add: olcTLSProtocolMin
olcTLSProtocolMin: 3.3

I will try deleting these one by one as well (deleting olcTLSCipherSuite was tried already).
Regards,
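The exchange above comes down to one attribute: "NORMAL" is a GnuTLS priority-string keyword, and the OpenSSL cipher-list grammar that slapd now hands to SSL_CTX_set_cipher_list() has no such word, so the suite selects nothing and TLS context init fails with "no cipher match". The script below is an added example (not code from this thread, from Debian or from the OpenLDAP project) of a pre-upgrade check for the cn=config TLS attributes quoted in the thread: it parses a constructed slapcat-style LDIF fragment, asks the OpenSSL linked into Python's ssl module whether each olcTLSCipherSuite value selects any cipher, flags GnuTLS-only keywords, sanity-checks the olcTLSProtocolMin "<major>.<minor>" form, and prints the same delete-style LDIF the thread uses for a value that fails. The function and variable names are the example's own; the attribute names and values are the ones from the thread.

```python
"""Pre-upgrade audit of slapd cn=config TLS attributes for the GnuTLS -> OpenSSL
backend switch. Added example; not code from the bug thread or from OpenLDAP.
Validation reuses the OpenSSL behind Python's ssl module, which parses cipher
strings with the same grammar slapd feeds to SSL_CTX_set_cipher_list()."""
import re
import ssl

# Constructed sample input: the attributes the thread lists on cn=config,
# written the way `slapcat -n0` prints them (one "attribute: value" per line).
SAMPLE_LDIF = """\
dn: cn=config
objectClass: olcGlobal
cn: config
olcTLSCipherSuite: NORMAL
olcTLSCRLCheck: none
olcTLSVerifyClient: never
olcTLSProtocolMin: 3.3
"""

# Priority keywords GnuTLS understands. OpenSSL's cipher-list grammar does not,
# so a suite built only from these matches no cipher under OpenSSL.
GNUTLS_KEYWORDS = {"NORMAL", "PFS", "SECURE128", "SECURE192", "SECURE256",
                   "SUITEB128", "SUITEB192", "LEGACY", "PERFORMANCE", "NONE"}


def parse_ldif_attrs(text):
    """Return {attribute: [values]} for one LDIF entry. Joins folded lines
    (continuations start with a space), skips '-' separators, comments and
    base64 ('::') values, which slapcat uses only for binary data."""
    attrs = {}
    unfolded = re.sub(r"\n ", "", text)
    for line in unfolded.splitlines():
        if not line or line.startswith("#") or line == "-":
            continue
        name, sep, value = line.partition(":")
        if not sep or value.startswith(":"):
            continue
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def check_cipher_suite(suite):
    """Ask OpenSSL whether SUITE selects any cipher; returns (ok, detail).
    OpenSSL silently ignores unknown words, so 'NORMAL:HIGH' passes although
    'NORMAL' is dead weight; the detail text names such leftovers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    words = {w.lstrip("!-+") for w in re.split(r"[:, ]+", suite) if w}
    leftovers = sorted(words & GNUTLS_KEYWORDS)
    try:
        ctx.set_ciphers(suite)
    except ssl.SSLError as exc:
        # CPython raises "No cipher can be selected." when OpenSSL returns 0,
        # the library-level counterpart of slapd's "no cipher match".
        return False, f"OpenSSL rejects {suite!r}: {exc}"
    # TLS 1.3 suites are configured separately and always present; count only
    # what the cipher string itself selected.
    selected = [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    note = f" (GnuTLS-only keywords ignored by OpenSSL: {leftovers})" if leftovers else ""
    return True, f"{suite!r} selects {len(selected)} cipher(s){note}"


def check_protocol_min(value):
    """olcTLSProtocolMin uses SSL-style numbering per slapd-config(5):
    3.0 = SSLv3, 3.1 = TLS 1.0, 3.2 = TLS 1.1, 3.3 = TLS 1.2, 3.4 = TLS 1.3.
    Returns (ok, detail); an SSLv3 floor is reported as not ok."""
    m = re.fullmatch(r"3\.([0-4])", value)
    if not m:
        return False, f"olcTLSProtocolMin {value!r} is not in <major>.<minor> form"
    minor = int(m.group(1))
    if minor == 0:
        return False, f"olcTLSProtocolMin {value} allows SSLv3; use 3.3 or higher"
    return True, f"olcTLSProtocolMin {value} = TLS 1.{minor - 1}"


def delete_ldif(attribute, value):
    """LDIF for ldapmodify that removes one attribute value from cn=config,
    the same shape as the thread's delete-ciphers.ldif."""
    return (f"dn: cn=config\nchangetype: modify\n"
            f"delete: {attribute}\n{attribute}: {value}\n")


def audit(ldif_text):
    """Run all checks over the TLS attributes in LDIF_TEXT and return a list of
    (attribute, ok, detail). olcTLSCRLCheck and olcTLSVerifyClient keep the same
    value keywords under either backend and are only echoed."""
    attrs = parse_ldif_attrs(ldif_text)
    results = []
    for suite in attrs.get("olcTLSCipherSuite", []):
        results.append(("olcTLSCipherSuite",) + check_cipher_suite(suite))
    for value in attrs.get("olcTLSProtocolMin", []):
        results.append(("olcTLSProtocolMin",) + check_protocol_min(value))
    for name in ("olcTLSCRLCheck", "olcTLSVerifyClient"):
        for value in attrs.get(name, []):
            results.append((name, True, f"{name}: {value} (backend-independent keyword)"))
    return results


if __name__ == "__main__":
    for name, ok, detail in audit(SAMPLE_LDIF):
        print("OK  " if ok else "FAIL", detail)
    for suite in parse_ldif_attrs(SAMPLE_LDIF).get("olcTLSCipherSuite", []):
        if not check_cipher_suite(suite)[0]:
            print("\nSuggested removal before upgrade:\n" + delete_ldif("olcTLSCipherSuite", suite))
```

Run it against `slapcat -n0 -b cn=config` output on the bookworm host before upgrading; a FAIL on olcTLSCipherSuite is the condition that produced the "no cipher match" line in the thread, and the printed LDIF is the removal Ondřej recommends. Because OpenSSL drops unknown words rather than erroring, a mixed value such as "NORMAL:HIGH" reports OK but still lists the GnuTLS leftover, so that stale keywords are cleaned up rather than silently carried over.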

