Bug 1956957

Summary: Add EPEL8 branch for openldap
Product: [Fedora] Fedora
Reporter: Trey Dockendorf <treydock>
Component: openldap
Assignee: Simon Pichugin <spichugi>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: lance, rmeggins, spichugi, vashirov
Last Closed: 2021-05-06 15:09:23 UTC
Type: Bug

Description Trey Dockendorf 2021-05-04 18:20:22 UTC
Description of problem:

I'd like to request an EPEL8 branch of the openldap RPMs. Because RHEL includes openldap and openldap-clients RPMs, the EPEL8 version would have to exclude those packages. If it's easier I would be happy to become the EPEL8 maintainer of openldap.

Comment 1 Viktor Ashirov 2021-05-04 22:02:01 UTC
> Because RHEL includes openldap and openldap-clients RPMs, the EPEL8 version would have to exclude those packages.

The openldap package is part of RHEL BaseOS. EPEL guidelines say that EPEL packages must never conflict with packages in RHEL [1][2]. To avoid the conflict a different prefix might be used, but Fedora Packaging Guidelines [3] (packages in EPEL are also subject to them) do not allow /usr/local and limit /opt usage.
In other words, it's highly unlikely that there will be an EPEL version of openldap.

If you need the openldap-servers package in RHEL8+, I suggest using the official rpms from Symas or rpms from the LDAP Tool Box project [4]. Both of them are installed in a different prefix and do not conflict with system libraries.

[1] https://fedoraproject.org/wiki/EPEL/GuidelinesAndPolicies#Policy_for_Conflicting_Packages 
[2] https://fedoraproject.org/wiki/EPEL/FAQ#Does_EPEL_replace_packages_provided_within_Red_Hat_Enterprise_Linux_or_layered_products.3F
[3] https://docs.fedoraproject.org/en-US/packaging-guidelines/#_no_files_or_directories_under_srv_usrlocal_or_homeuser
[4] https://ltb-project.org/documentation/openldap-rpm

Comment 2 Trey Dockendorf 2021-05-06 13:10:41 UTC
What about for EPEL8 just not having the openldap RPM spec include the "openldap" and "openldap-clients" and whatever other openldap packages come from RHEL so that it does build "openldap-servers" and then just depends on RHEL for the RPMs the servers RPM needs like "openldap"? I don't know if something like that is a viable option for EPEL or too ugly to consider doing. Or maybe renaming the package from "openldap" to "openldap-servers" and only building the RPM to produce the "openldap-servers" RPM and rely on RHEL for the dependencies that it would need at install time.

- Trey

Comment 3 Viktor Ashirov 2021-05-06 13:48:53 UTC
The openldap package contains libldap and liblber, which the openldap-servers package uses. There is no guarantee that openldap-servers built against a different libldap will work with the one from BaseOS, because they might contain a different set of patches or be completely different versions. As I said earlier, the best approach is to use a different prefix to keep things separate.

Have you considered using rpms from Symas or the LTB project?

Comment 4 Trey Dockendorf 2021-05-06 14:36:30 UTC
Given the packaging guidelines linked previously it sounds like a different prefix would not be allowed, though that certainly sounds like a viable option especially if there's a way to make it work with existing policies.

I was not aware of Symas or LTB projects, so those are viable options. I've also found that I can easily mock rebuild the Fedora SRPM for EPEL8 and just host the RPMs locally though I was hoping that such effort could be pushed back to something like EPEL8 so others could benefit.

If this request is a non-starter or has no realistic solutions for EPEL8, then I think this bug can be closed.

Comment 5 Viktor Ashirov 2021-05-06 15:09:23 UTC
For your personal use you can rebuild in mock and install openldap packages. But keep in mind that there are at least 52 packages in BaseOS and AppStream that depend on system openldap libraries and were not tested against your rebuild and some things might break:

$ repoquery --setopt=appstream.module_hotfixes=true --whatdepends openldap --qf '%{SOURCERPM}' | wc -l 
Last metadata expiration check: 0:04:39 ago on Thu 06 May 2021 14:52:11 UTC.

If you just need an LDAP server on RHEL8, you might want to take a look at FreeIPA [1] or 389 Directory Server [2] projects. 


[1] https://www.freeipa.org/page/About
[2] https://www.port389.org/docs/389ds/download.html#centos-81-ds-14x