On Thu, Feb 19, 2026 at 04:43:25AM +0530, Pirate Praveen wrote:
> New version of slapd switched SSL backend to OpenSSL from GNUtls as documented
> in libldap2 NEWS file.
>
> But how to actually update the values in a way that will fix the issue is not
> documented.
>
> * What outcome did you expect instead?
>
> The exact steps to have a successful upgrade should be documented.
>
> Here is the error in log,
>
> main: TLS init def ctx failed: -1 error:0A0000B9:SSL routines::no cipher match
>
> In bookworm the value that works is,
>
> olcTLSCipherSuite: NORMAL
>
> But it will not work in trixie. Removing this entry did not fix the issue.
>
> # cat delete-ciphers.ldif
> dn: cn=config
> changetype: modify
> delete: olcTLSCipherSuite
> olcTLSCipherSuite: NORMAL
>
> ldapmodify -Y EXTERNAL -H ldapi:/// -f ./delete-ciphers.ldif
>
> This just removes the error message, but slapd does not start after the
> upgrade.
>
> 2026-02-18T11:14:57.877705-08:00 comms-staging slapd[15509]: @(#) $OpenLDAP:
> slapd 2.6.10+dfsg-1 (May 29 2025 23:41:48) $#012#011Debian OpenLDAP
> Maintainers
> <[email protected]>
> 2026-02-18T11:14:57.937406-08:00 comms-staging slapd[15510]: slapd starting
> 2026-02-18T11:14:57.938339-08:00 comms-staging slapd[15510]: daemon: shutdown
> requested and initiated.
> 2026-02-18T11:14:57.938506-08:00 comms-staging slapd[15510]: slapd shutdown:
> waiting for 0 operations/tasks to finish
> 2026-02-18T11:14:57.939951-08:00 comms-staging slapd[15510]: slapd stopped.

Good morning,
like you said, can't see any errors here, however some library messages
are not sent to syslog so you might get more details about the error
from stderr.

You should probably run slaptest with the appropriate debug flags
enabled (`-d flag,flag,...`, should probably include at least `config`)
to check that it's happy with the rest of the configuration and see
whether anything else comes up.

Other than that, yes, you can generally remove the attribute before
upgrade and either leave it to whatever OpenSSL considers default or add
whatever is appropriate for your environment after you've switched. Same
with any other attributes you might come across this way.

Regards,

-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation                       http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
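
A pre-upgrade check for the situation discussed in this thread, added here as an example and not part of the original message or of the OpenLDAP or Debian packaging: it scans an LDIF export of the config database for `olcTLSCipherSuite` values and reports the ones an OpenSSL-style cipher list parser rejects, such as the GnuTLS priority string `NORMAL`. It assumes Python's `ssl` module is linked against OpenSSL; the function names and the sample LDIF are constructed for illustration.

```python
import base64
import ssl

# Constructed sample of a cn=config export containing the value from the report.
SAMPLE_LDIF = """\
dn: cn=config
objectClass: olcGlobal
cn: config
olcTLSCipherSuite: NORMAL
"""

def ldif_values(ldif_text, attr):
    """Yield (dn, value) for every `attr` line, unfolding and base64-decoding."""
    unfolded = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]        # RFC 2849 continuation line
        else:
            unfolded.append(line)
    dn = None
    for line in unfolded:
        name, sep, rest = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        if rest.startswith(":"):            # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if name.lower() == "dn":
            dn = value
        elif name.lower() == attr.lower():
            yield dn, value

def openssl_accepts(cipher_string):
    """True if the TLS library behind Python's ssl module accepts the string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)      # raises when no cipher matches
        return True
    except ssl.SSLError:
        return False

def rejected_cipher_suites(ldif_text):
    """Return (dn, value) pairs whose olcTLSCipherSuite OpenSSL would refuse."""
    return [(dn, v) for dn, v in ldif_values(ldif_text, "olcTLSCipherSuite")
            if not openssl_accepts(v)]

if __name__ == "__main__":
    for dn, value in rejected_cipher_suites(SAMPLE_LDIF):
        print(f"{dn}: olcTLSCipherSuite {value!r} is not a valid OpenSSL cipher list")
```

This only covers the cipher string; it does not replace running slaptest against the full configuration as suggested above.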

