
Bug 1187742

Summary: rebuild openldap with support for moznss
Product: [Fedora] Fedora
Component: openldap
Version: rawhide
Reporter: Rich Megginson <rmeggins>
Assignee: Jan Synacek <jsynacek>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: awilliam, jsynacek, jv+fedora, lslebodn, nkinder, phracek, rmeggins, robatino, sgallagh, ssorce, vashirov
Status: CLOSED RAWHIDE
Severity: unspecified
Priority: urgent
Hardware: Unspecified
OS: Unspecified
Whiteboard: AcceptedBlocker
Doc Type: Bug Fix
Type: Bug
Last Closed: 2015-02-20 13:08:51 UTC
Bug Blocks: 1043125

Description Rich Megginson 2015-01-30 18:56:10 UTC
Description of problem:

openldap was recently built against openssl in rawhide.  This breaks a number of applications such as 389, freeipa, dogtag, etc.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

Actual results:

Expected results:

openldap is built with moznss

Additional info:

Comment 1 Fedora Blocker Bugs Application 2015-01-30 19:02:37 UTC
Proposed as a Blocker for 22-beta by Fedora user sgallagh using the blocker tracking app because:

 This issue subtly (and sometimes non-subtly) breaks many features of the Domain Controller Role for Fedora Server.

Comment 2 Adam Williamson 2015-02-02 17:51:12 UTC
Discussed at 2015-02-02 blocker review meeting. Accepted as a Beta blocker - we trust sgallagh's assessment that it violates the given criterion. However, sgallagh, could we ask for a few more details on exactly what it breaks, so we can double check and do follow-up testing? Thanks.

Comment 3 Rich Megginson 2015-02-02 17:56:58 UTC
Specifically - it is going to break any outgoing LDAP TLS/SSL connection from any 389 related package.  So things like replication/chaining/pass-through-auth/windows sync from 389; most 389-admin/389-adminutil operations, including operations invoked via CGI from the 389-console packages; and 389-dsgw.  IPA will be affected because of replication and windows sync.

Comment 4 Nathan Kinder 2015-02-17 15:42:01 UTC
Is this going to be addressed for the upcoming F22 Alpha?  The non-backwards compatible change to use openssl is going to break a number of features as mentioned in comment#1, and it should be reverted as soon as possible.