On 2/20/26 7:59 PM, Pirate Praveen wrote:
If you don't remove any incompatible options, you will see this error in slapd logs after the upgrade and slapd service will fail to start.

main: TLS init def ctx failed: -1 error:0A0000B9:SSL routines::no cipher match

You can run this command to see if any value is set,

ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -s base|grep olcTLSCipherSuite
I think we should also check for this variable and abort the upgrade, as there is no way to recover it after it is upgraded (except maybe modifying the db directly) as slapd won't start.
If this is detected, we should show a warning and give the migration steps documentation reference and ask for explicit confirmation before proceeding with the upgrade.
I just tried with olcSecurity: tls=0 before upgrade, but I'm not able to start it with just "ldap:/// and ldapi:///" options. Is there another way to disable TLS completely to repair a broken upgrade?
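
Added example, not part of the original message or of the slapd packaging: a sketch of the pre-upgrade check proposed above, which reads the LDIF printed by the ldapsearch command and refuses to continue while olcTLSCipherSuite is set, unless confirmed. The function names and the SLAPD_TLS_CONFIRMED variable are hypothetical, and the sample LDIF is constructed; it unfolds wrapped LDIF lines and decodes base64 values so the warning shows the whole setting.

```shell
#!/bin/sh
# Added example; function names and SLAPD_TLS_CONFIRMED are hypothetical.

# Print the olcTLSCipherSuite value found in LDIF on stdin (nothing if unset).
tls_cipher_suite_from_ldif() {
    # LDIF folds long values: a continuation line starts with one space.
    unfolded=$(awk '/^ / { buf = buf substr($0, 2); next }
                    { if (NR > 1) print buf; buf = $0 }
                    END { print buf }')
    line=$(printf '%s\n' "$unfolded" | grep -i '^olcTLSCipherSuite:' | head -n 1)
    [ -n "$line" ] || return 0
    rest=${line#*:}                 # drop the attribute name and first colon
    case $rest in
        :*) rest=${rest#:}          # "attr:: value" means base64-encoded
            printf '%s' "${rest# }" | base64 -d; echo ;;
        *)  printf '%s\n' "${rest# }" ;;
    esac
}

# Exit status 0: upgrade may proceed. 1: abort until explicitly confirmed.
upgrade_gate() {
    suite=$(tls_cipher_suite_from_ldif)
    if [ -z "$suite" ]; then
        return 0
    fi
    echo "warning: olcTLSCipherSuite is set to '$suite'." >&2
    echo "If it is incompatible, slapd will not start after the upgrade." >&2
    [ "${SLAPD_TLS_CONFIRMED:-no}" = yes ]
}

# Constructed sample of the ldapsearch output, with a folded value.
sample_ldif() {
    cat <<'EOF'
dn: cn=config
objectClass: olcGlobal
olcTLSCipherSuite: SECURE256:+SECURE128:-VERS-TLS1.0:-VERS-TLS1.1:-ARCFOUR
 -128:-3DES-CBC:-MD5
olcLogLevel: none
EOF
}

# Real use would pipe in:
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -s base
sample_ldif | upgrade_gate || echo "upgrade aborted: confirmation required"
```

In a maintainer script the confirmation would normally come from a debconf prompt; the environment variable stands in for that here.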

