Bug 1187742

Summary: rebuild openldap with support for moznss
Product: [Fedora] Fedora Reporter: Rich Megginson <rmeggins>
Component: openldap Assignee: Jan Synacek <jsynacek>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: urgent    
Version: rawhide CC: awilliam, jsynacek, jv+fedora, lslebodn, nkinder, phracek, rmeggins, robatino, sgallagh, ssorce, vashirov
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: AcceptedBlocker
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-02-20 13:08:51 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1043125    

Description Rich Megginson 2015-01-30 18:56:10 UTC
Description of problem:

openldap was recently built against openssl in rawhide.  This breaks a number of applications such as 389, freeipa, dogtag, etc.

Version-Release number of selected component (if applicable):
rawhide

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:

openldap is built with moznss

Additional info:

Comment 1 Fedora Blocker Bugs Application 2015-01-30 19:02:37 UTC
Proposed as a Blocker for 22-beta by Fedora user sgallagh using the blocker tracking app because:

 This issue subtly (and sometimes non-subtly) breaks many features of the Domain Controller Role for Fedora Server.

Comment 2 Adam Williamson 2015-02-02 17:51:12 UTC
Discussed at 2015-02-02 blocker review meeting: http://meetbot.fedoraproject.org/fedora-blocker-review/2015-02-02/f22-blocker-review.2015-02-02-17.06.log.txt . Accepted as a Beta blocker - we trust sgallagh's assessment that it violates the given criterion. However, sgallagh, could we ask for a few more details on exactly what it breaks, so we can double check and do follow-up testing? Thanks.

Comment 3 Rich Megginson 2015-02-02 17:56:58 UTC
Specifically - it is going to break any outgoing LDAP TLS/SSL connection from any 389 related package.  So things like replication/chaining/pass-through-auth/windows sync from 389; most 389-admin/389-adminutil operations, including operations invoked via CGI from the 389-console packages; and 389-dsgw.  IPA will be affected because of replication and windows sync.

Comment 4 Nathan Kinder 2015-02-17 15:42:01 UTC
Is this going to be addressed for the upcoming F22 Alpha?  The non-backwards compatible change to use openssl is going to break a number of features as mentioned in comment#1, and it should be reverted as soon as possible.