
Re: Openldap version (proxy cache)
--On Friday, February 25, 2005 14:44 -0800 Quanah Gibson-Mount <quanah@stanford.edu> wrote:

--On Friday, February 25, 2005 12:58 PM -0800 Owen DeLong <owen@delong.com> wrote:

I don't know about FC2, but, FC3 is currently at 2.2.13 and current
OpenLDAP release is 2.2.23.  As such, you're probably fine with FC3
openldap as shipped.  I suspect the FC3 RPMs would work on FC2, since
both use the same kernel and mostly the same libraries.

FWIW, the upgrade from RH9 and FC2 to FC3 has been near painless for me
on multiple systems (no reinstall, just in-place upgrade by booting FC3
disks and upgrading existing install).

Issues to watch out for:
	Apache goes from 1.* to 2.* -- some changes to suexec and modperl
	Changes to SASL

Everything else went pretty smoothly on the systems I've dealt with.

See, I'd argue very differently... OpenLDAP 2.2.13 is *very old*, and many, many bugs have been fixed since that release, some of which I'd consider must-haves, like the memory leak fixes that went in around 2.2.17, and the DoS security attack fix that went into 2.2.23. Unless you were very careful with how you constructed your ACLs, I could crash any OL server (2.1 or 2.2) prior to OpenLDAP 2.2.23 with a very simple ldap search.

--Quanah

Guess it depends on your environment. In a university where you can depend
on having an abundance of users with malicious intent and too much time on
their hands, such exploits are commonplace. In a business, OTOH, where you
have limited administrative resources and the LDAP server needs to be
a functional unit, not a hobby/project, a precompiled working server is
often very desirable, even with a few bugs as you describe. Sure, the latest
greatest stable CVS release is desirable, but compiling OpenLDAP from scratch
is not for the timid. It has gotten better, but between the large list
of documented dependencies and the not-so-well-documented dependencies
of those packages, it can take quite a bit of effort to get to the point
where you can actually build OpenLDAP. Then, the myriad configure options
required just to get an installable SLAPD can take a fair amount of time
to digest.
In a lot of instances, it's well worth the time tradeoff to just accept
that although a bit behind, the Fedora team has taken care of building the
things most people need into a working slapd in a precompiled package with
a reasonable default slapd.conf.

Again, YMMV, but, it is very clear to me that a lot of the LDAP community
just sort of seems to assume that everyone has infinite time to invest in
dealing with LDAP.  This simply isn't the case in the real world.

Owen