[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Openldap version (proxy cache)

--On Friday, February 25, 2005 14:44 -0800 Quanah Gibson-Mount <quanah@stanford.edu> wrote:

--On Friday, February 25, 2005 12:58 PM -0800 Owen DeLong
<owen@delong.com> wrote:

I don't know about FC2, but, FC3 is currently at 2.2.13 and current
OpenLDAP release is 2.2.23.  As such, you're probably fine with FC3
openldap as shipped.  I suspect the FC3 RPMs would work on FC2, since
both use the same kernel and mostly the same libraries.

FWIW, the upgrade from RH9 and FC2 to FC3 has been near painless for me
on multiple systems (no reinstall, just in-place upgrade by booting FC3
disks and upgrading existing install).

Issues to watch out for:
	Apache goes from 1.* to 2.* -- some changes to suexec and modperl
	Changes to SASL

Everything else went pretty smoothly on the systems I've dealt with.

See, I'd argue very differently... OpenLDAP 2.2.13 is *very old*, and many many bugs have been fixed since that release, some of which I'd consider must-haves, like the memory leak fixes that went in around 2.2.17, and the DOS security attack fix that went into 2.2.23. Unless you were very careful with how you constructed your ACL's, I could crash any OL server (2.1 or 2.2) prior to OpenLDAP 2.2.23 with a very simple ldap search.


Guess it depends on your environment. In a university where you can depend
on having an abundance of users with malicious intent and too much time on
their hands, such exploits are common place. In a business, OTOH, where you
have limited administrative resources and the LDAP server needs to be
a functional unit, not a hobby/project, a precompiled working server is
often very desirable, even with a few bugs as you describe. Sure, the latest
greatest stable CVS release is desirable, but, compiling openLDAP from scratch
is not for the timid. It has gotten better, but, between the large list
of documented dependencies and the not-so-well-documented dependencies
of those packages, it can take quite a bit of effort to get to the point
where you can actually build OpenLDAP. Then, the myriad configure options
required just to get an installable SLAPD can take a fair amount of time
to digest.

In a lot of instances, it's well worth the time tradeoff to just accept
that although a bit behind, the Fedora team has taken care of building the
things most people need into a working slapd in a precompiled package with
a reasonable default slapd.conf.

Again, YMMV, but, it is very clear to me that a lot of the LDAP community
just sort of seems to assume that everyone has infinite time to invest in
dealing with LDAP.  This simply isn't the case in the real world.


Attachment: pgpfRfI4ODYpT.pgp
Description: PGP signature