[Pkg-openldap-devel] Status of openldap 2.3.19

Quanah Gibson-Mount quanah at stanford.edu
Sun Feb 19 20:31:22 UTC 2006



--On Saturday, February 18, 2006 4:48 PM -0800 Steve Langasek 
<vorlon at debian.org> wrote:

> On Sat, Feb 18, 2006 at 11:00:28PM +0100, Matthijs Mohlmann wrote:
>> At this moment we have still openldap 2.1.30 in Debian. This is not
>> really a recommended situation and I (we) really want to move that also
>> to the current openldap stable release (2.3.19). The goal is to have an
>> up to date gnutls patch for the current openldap release before etch
>> releases.


I think updating the current GnuTLS patch is the wrong direction to take; 
see below.


> On Sat, Feb 18, 2006 at 03:41:45PM -0800, Quanah Gibson-Mount wrote:
>
>> Also, Debian cannot move forward on its OpenLDAP release until OpenLDAP
>> supports GnuTLS.  I'm currently working on having Stanford fund part of
>> that work in conjunction with another institution that would like to see
>> the GnuTLS support in OpenLDAP as well.  This unfortunately involves
>> work with GnuTLS as well as OpenLDAP, since GnuTLS lacks a bit of the
>> functionality necessary for the integration with OpenLDAP.  Of course,
>> any other groups wishing to contribute to the cost of having the
>> support added could only help...
>
> Is there a summary somewhere of the missing features in GNUTLS?  I'm not
> offering to pony up any money, but I can certainly see whether we can snag
> someone from the community to work on this if the specifics are available.
>
> Likewise, a summary of the problems with the existing GNUTLS patch may be
> of help.

So the goal here is not just to patch things so that they manage to work; the 
goal here is to get the full functionality that OpenLDAP supports in 
OpenSSL working with GnuTLS, where that functionality becomes a part of the 
GnuTLS release, and the GnuTLS integration becomes part of the OpenLDAP 
release.  With this in mind, what we are looking at is having Simon 
Josefsson (GnuTLS author) do the GnuTLS work, and Howard Chu (primary 
OpenLDAP author) do the OpenLDAP work, with part of the contract being that 
the GnuTLS and OpenLDAP work are done with compatible licensing.

Specifically for GnuTLS:

GnuTLS does not verify certificate chains automatically.
GnuTLS does not support session cache management.
GnuTLS has a function to return a DN in text form using LDAP format (RFC 
2253), however it sequences the RDNs in the wrong order.
The GnuTLS API for parsing DNs is suboptimal, and needs serious rewriting.

There are a number of other things on the OpenLDAP side that need to be 
done as well.  For example, without OpenSSL, Cyrus SASL has to be built 
with an alternate DES handler.  The best DES handler that fits the various 
licensing requirements needs to be determined.

On the OpenLDAP side, all the various callbacks for TLS encryption and 
SASL/External need to be developed.


The problems with the current existing GnuTLS patch that I see are:

(a) It will take a bit of rework to allow it to work with OpenLDAP 2.3.
(b) Its license is too restrictive for inclusion in OpenLDAP.
(c) It only appears to handle TLS encryption.  Other functionality (such as 
SASL/External) does not seem to be included.
(d) The patch uses pthread functions, meaning that libldap (the 
non-threaded LDAP library) gets incorrectly linked.  Torsten may have fixed 
this at a later point on the Debian side (see 
<http://www.openldap.org/its/index.cgi/Incoming?id=3290>).

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
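The RDN-ordering point from the GnuTLS list above, as an added example that is not code from the message, from GnuTLS or from OpenLDAP: a certificate stores its subject as an ASN.1 RDNSequence in root-first order (C, O, OU, CN), while the RFC 2253 string form that LDAP uses prints the RDNs leaf-first, so a renderer that keeps the encoding order produces a DN that will not match the LDAP DN it is compared against. The RDNSequence below is constructed sample data; the function names are the example's own.

```python
# Added example (not GnuTLS or OpenLDAP code): render a DN from its
# X.509 RDNSequence into RFC 2253 string form, and show the
# encoding-order rendering that the message describes as wrong.

# RFC 2253 section 2.4: characters that must be escaped inside a value.
_SPECIALS = set(',+"\\<>;')

def escape_rfc2253_value(value: str) -> str:
    """Escape one attribute value as RFC 2253 section 2.4 requires."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIALS:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:
            out.append('\\#')            # leading '#' is reserved for hex-encoded values
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')            # leading or trailing space
        else:
            out.append(ch)
    return ''.join(out)

def rdn_to_string(rdn):
    """Join the attribute-value pairs of one (possibly multi-valued) RDN with '+'."""
    return '+'.join(f"{t}={escape_rfc2253_value(v)}" for t, v in rdn)

def dn_to_rfc2253(rdn_sequence):
    """Correct form: RFC 2253 order is the reverse of the ASN.1 RDNSequence order."""
    return ','.join(rdn_to_string(rdn) for rdn in reversed(rdn_sequence))

def dn_in_encoding_order(rdn_sequence):
    """Wrong form described in the message: ASN.1 order kept as-is."""
    return ','.join(rdn_to_string(rdn) for rdn in rdn_sequence)

# Constructed sample subject, in the order it is encoded inside a certificate.
# Each inner list is one RDN; the OU entry is a multi-valued RDN.
SAMPLE_RDN_SEQUENCE = [
    [("C", "US")],
    [("O", "Example, Inc.")],
    [("OU", "ITS"), ("OU", "Shared Services")],
    [("CN", "ldap.example.net")],
]

if __name__ == "__main__":
    print("RFC 2253 :", dn_to_rfc2253(SAMPLE_RDN_SEQUENCE))
    print("encoding :", dn_in_encoding_order(SAMPLE_RDN_SEQUENCE))
```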