Hi,

* Michael Ströder <[email protected]> [20181024 03:26]:
> On 10/23/18 8:44 PM, Jean-Francois Malouin wrote:
<snip>
> >
> > Finally, should I rather consider the LTB project for Debian OpenLDAP, as
> > has been mentioned in some other threads, rather than using the Debian
> > backports? I'm a bit reluctant to roll my own packaging from source.
>
> The recommendation for LTB builds has two reasons:
>
> 1. At some times Debian packages were far behind OpenLDAP's releases,
> while LTB package updates are most times published a couple of days
> after an OpenLDAP release.
>
> 2. Debian, and only Debian, links OpenLDAP with GNUTLS because they have
> some old licensing paranoia regarding OpenSSL. This caused trouble in
> the past. Forgot the details, not sure about the current state.
>
> Bear in mind on Debian: The GNUTLS wrapper in OpenLDAP does not return
> TLS related error messages as diagnostic message to the client. So if
> cert validation fails at the client side the only message you see is
> "Server Down". People then look for connection problems and do not get
> the idea to look for a cert config error. The OpenSSL wrapper returns a
> text message from the OpenSSL libs as diagnostic message.
The GnuTLS stuff I'm well aware of, and infuriated at it, as I've been at
the receiving end of it a few times too many! Just for that, if I had known
at the time, it would have been reason enough to try the LTB builds!

> > Sorry for the very naive questions, I'm still fairly new to OpenLDAP!
>
> Your questions are not naive. You're welcome asking here.
>
> Ciao, Michael.

Again, thank you for your comments.

regards,
jf
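The "Server Down" symptom Michael describes above hides whether the problem is the network or the certificate. The following is an added diagnostic, not code from this thread or from OpenLDAP: it repeats the TLS handshake to the LDAPS port with Python's standard `ssl` module, using the same CA bundle the LDAP client is configured with (the bundle path and host name below are assumed placeholders), and reports the failure stage so a certificate problem is named as one.

```python
"""Separate "can't connect" from "certificate rejected" for an LDAPS server.

Added example, not part of the thread or of OpenLDAP. The CA bundle path
and host name used under __main__ are assumptions; adjust them to the
client's own TLS_CACERT setting.
"""
import socket
import ssl


def classify_tls_error(exc):
    """Map a connect/handshake exception to a (stage, reason) pair.

    Order matters: SSLCertVerificationError and SSLError are OSError
    subclasses, so they must be tested before the generic OSError branch.
    """
    if isinstance(exc, ssl.SSLCertVerificationError):
        # verify_message is filled in by the C layer on real failures;
        # fall back to str() for exceptions constructed in Python.
        return ("cert_verify", getattr(exc, "verify_message", None) or str(exc))
    if isinstance(exc, ssl.SSLError):
        return ("tls_handshake", getattr(exc, "reason", None) or str(exc))
    if isinstance(exc, socket.gaierror):
        return ("dns", str(exc))
    if isinstance(exc, OSError):  # refused, timeout, unreachable, ...
        return ("connect", str(exc))
    return ("unknown", str(exc))


def check_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Attempt a verifying TLS handshake; return a dict describing the outcome."""
    # Default context verifies the chain against cafile and checks the hostname.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "stage": "done", "reason": "",
                        "subject": cert.get("subject", ()),
                        "notAfter": cert.get("notAfter")}
    except Exception as exc:
        stage, reason = classify_tls_error(exc)
        return {"ok": False, "stage": stage, "reason": reason}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.org"  # placeholder
    # Assumed bundle path; use the one named by TLS_CACERT in ldap.conf.
    print(check_ldaps(target, cafile="/etc/ssl/certs/ca-certificates.crt"))
```

A result with stage `cert_verify` means the LDAP client's "Server Down" was really a certificate or CA-bundle problem; stage `connect` or `dns` means it was genuinely a connectivity one.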
