
Re: Adding read-only consumers to a Mirror Mode Replication setup?



Hi,

* Michael Ströder <michael@stroeder.com> [20181024 03:26]:
> On 10/23/18 8:44 PM, Jean-Francois Malouin wrote:
<snip>
> 
> > Finally, should I rather consider the LTB project for Debian OpenLDAP as has been
> > mentioned in some other threads rather than using the Debian backports?  I'm a
> > bit reluctant to roll my own packaging from source.
> 
> The recommendation for LTB builds has two reasons:
> 
> 1. At some times Debian packages were far behind OpenLDAP's releases
> while LTB package updates are most times published a couple of days
> after an OpenLDAP release.
> 
> 2. Debian, and only Debian, links OpenLDAP with GnuTLS because they have
> some old licensing paranoia regarding OpenSSL. This caused trouble in
> the past. Forgot the details, not sure about the current state.
> 
> Bear in mind on Debian: The GnuTLS wrapper in OpenLDAP does not return
> TLS related error messages as diagnostic message to the client. So if
> cert validation fails at the client side the only message you see is
> "Server Down". People then look for connection problems and do not get
> the idea to look for cert config errors. The OpenSSL wrapper returns a
> text message from the OpenSSL libs as diagnostic message.

The GnuTLS stuff I'm well aware of, and infuriated at it as I've been at the
receiving end of it a few times too many!  Just for that, if I had known at the
time, would have been reason enough to try the LTB builds!

> > Sorry for the very naive questions, I'm still fairly new to OpenLDAP!
> 
> Your questions are not naive. You're welcome to ask here.
> 
> Ciao, Michael.

Again, thank you for your comments.

regards,
jf
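
Added example, not part of the original thread or of OpenLDAP: a small Python triage helper that separates the failure classes a GnuTLS-linked client collapses into "Server Down", namely TCP unreachable, certificate validation failure, and other TLS handshake errors. It assumes an ldaps:// listener (implicit TLS, port 636 by default); the function name `triage_ldaps` and its parameters are hypothetical, and StartTLS on port 389 is not covered.

```python
import socket
import ssl
import sys


def triage_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Return (category, detail) explaining why an LDAPS endpoint looks 'down'.

    Categories:
      tcp_unreachable        - no TCP connection at all (real connectivity issue)
      cert_validation_failed - TCP is fine, server certificate was rejected
      tls_handshake_failed   - TCP is fine, TLS failed for another reason
      ok                     - handshake and certificate validation succeeded
    """
    # Step 1: plain TCP connect, so network problems are ruled in or out first.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp_unreachable", str(exc))

    # Step 2: TLS handshake with full verification (chain and hostname).
    # cafile=None uses the system trust store; pass the same CA bundle the
    # LDAP client is configured with to reproduce its view.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with sock, ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ("ok", tls.version())
    except ssl.SSLCertVerificationError as exc:
        # This is the case that surfaces only as "Server Down" when the
        # TLS layer's diagnostic text is not passed back to the client.
        return ("cert_validation_failed", exc.verify_message)
    except (ssl.SSLError, OSError) as exc:
        return ("tls_handshake_failed", str(exc))


if __name__ == "__main__":
    # Usage: script.py HOST [PORT] [CAFILE]
    if len(sys.argv) < 2:
        sys.exit("usage: script.py HOST [PORT] [CAFILE]")
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 636
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    category, detail = triage_ldaps(sys.argv[1], port, cafile)
    print(f"{category}: {detail}")
```
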