On 2/20/26 11:38 PM, Ryan Tandy wrote:
Hi Praveen, On Fri, Feb 20, 2026 at 07:59:28PM +0530, Pirate Praveen wrote:I think we still need to document how to actually do the migration if someone has set a value for olcTLSCipherSuites.My draft for this document (I think this should be included in trixie in a stable update and referenced in release notes:The text I originally submitted for the release notes specifically called out the cipher suite option, however the editors removed it since it duplicated the same info from debian/NEWS.https://salsa.debian.org/openldap-team/openldap/-/raw/2.6.10+dfsg-1/ debian/NEWSslapd's README.Debian has a section (at the bottom) about the 2.6 upgrade, and steps for recovering after the upgrade, when the service won't start:https://salsa.debian.org/openldap-team/openldap/-/raw/2.6.10+dfsg-1/ debian/slapd.README.Debian
libldap2 package's NEWS has "For more information about the slapd(8) configuration, see /usr/share/doc/slapd/README.Debian.gz."This did not give a hint that upgrade issues would also be covered there. May be make an explicit reference to this file.
"For more information about the slapd(8) configuration and GNUtls to OpenSSL backend migration issues, see
/usr/share/doc/slapd/README.Debian.gz."
You're right that I could have done better by providing steps to avoid breaking the service in the first place.
I think we can still do it as many people would still benefit from a clearer documentation.
This was probably a local change. Not sure if earlier versions correctly handled creating the run directories using systemd services.You might want to remove/etc/systemd/system/slapd.service.d/override.conf as runtime directories are now handled correctly in the systemd service file.I don't know what this file is. The slapd package has never installed or created it. Something local on your end?
OpenPGP_0x8F53E0193B294B75.asc
Description: OpenPGP public key
OpenPGP_signature.asc
Description: OpenPGP digital signature
