So I'm not even sure that I'm sending this to the right place - please tell me if so or not so. But from what I've read via the GWN I should be sending feedback to the package maintainers whenever I use ~86 and masked packages.

So I upgraded to openldap-2.2.19. I read and followed the instructions in the ebuild carefully. Here are the areas where I had trouble.

1. It took me a while to work out that you must enter the line in /etc/portage/package.unmask EXACTLY as it is entered in /usr/portage/profiles/package.mask.

2. I needed to upgrade Berkeley DB to >=4.2.52_p1 because I was using 4.1.

3. My first attempt to run slapadd -l backup.ldif failed because openldap 2.2 did not like my openldap 2.1 ACLs (expecting <what> got "attribute"). I had "attribute" in some places; I needed to change that to "attrs" before slaptest would give the OK.

4. My second attempt to run slapadd failed with "slap_startup failed". echo $? returned 1. I moved all of /var/lib/openldap-data/* out of the way and ran slapadd again. It worked; the old database files were the problem.

5. I discovered that my pam_ldap was now broken. I emerged pam_ldap and nss_ldap again (actually I added ~86 to package.keywords for both these packages because I wanted newer versions) and after the emerge pam_ldap logins etc. started to work again. In fact the main reason I did the upgrade got fixed too. Prior to upgrading, changing the password via pam_ldap and exop was not working. Some kind of server refused message; upgrading all packages fixed it.

OK, hope some of this is useful.

Regards, Warren.

Reproducible: Always

Why do people consistently not use the very latest versions of hardmasked packages? Use openldap-2.2.23-r1 instead!

1. "echo net-nds/openldap >>/etc/portage/package.unmask"

2. The ebuild already requires db-4.2.52_p1, so your machine should have brought it in.

3. Provide in more detail your old ACL and your new ACL.

4. If you see in the instructions that are spit out by 2.2.23-r1, this is noted.

5. Expect a lot more of your ldap-using stuff to break. I don't consider openldap-2.2 safe for stable x86 yet (there are a number of packages that need similar fixes as pam_ldap/nss_ldap).

Re: Why do people consistently not use the very latest versions of hardmasked packages?

I guess emerge laziness is the simplest answer. I did an emerge --deep --update world 2-3 weeks prior to doing the openldap upgrade. The ebuild for openldap-2.2.19 was the latest that I had so that's the one I used.

Re: provide in more detail your old ACL and your new ACL.

Old ACL that 2.2 did not like:

    access to attribute=userPassword
        by group/groupOfNames/member=cn=sysadmin,dc=naturesoft,dc=net write
        by anonymous auth
        by self write
        by * none
    access to attribute=homePhone
        by group/groupOfNames/member=cn=hradmin,dc=naturesoft,dc=net write
        by self write
        by * none

Changed ACL accepted by 2.2 (attribute -> attrs):

    access to attrs=userPassword
        by group/groupOfNames/member=cn=sysadmin,dc=naturesoft,dc=net write
        by anonymous auth
        by self write
        by * none
    access to attrs=homePhone
        by group/groupOfNames/member=cn=hradmin,dc=naturesoft,dc=net write
        by self write
        by * none

Regards, Warren
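
One way to find and rewrite the `attribute=` selectors that 2.2 rejected in this report, before running slaptest and slapadd. This is an added example, not part of the thread or the ebuild; the function names `acl_attrs` and `sample_conf`, the `dn.subtree` clause and the sample layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed slapd.conf conventions: a line
# starting with whitespace continues the previous directive; '#' is a comment.

# acl_attrs MODE < slapd.conf
#   check: print "lineno: text" for each ACL line still using attribute=,
#          exit status 1 if any were found
#   fix:   print the whole config with attribute= rewritten to attrs=
acl_attrs() {
    awk -v mode="$1" '
    /^[ \t]*#/ { if (mode == "fix") print; next }      # comments untouched
    /^[^ \t]/  { in_acl = (tolower($1) == "access") }  # new directive starts
    in_acl {
        orig = $0; found = 0
        # Require leading whitespace so filter=(attribute=x) is not matched.
        while (match($0, /[ \t]attribute=/)) {
            $0 = substr($0, 1, RSTART) "attrs=" substr($0, RSTART + RLENGTH)
            found = 1
        }
        if (found) { hits++; if (mode == "check") print NR ": " orig }
    }
    mode == "fix" { print }
    END { exit (mode == "check" && hits > 0) }
    '
}

# Constructed sample: the two ACLs from the thread, laid out with continuation
# lines; the dn.subtree clause is added here to exercise a continuation line.
sample_conf() {
    cat <<'EOF'
# 2.1-era config, ACLs written with attribute=
suffix "dc=naturesoft,dc=net"
access to attribute=userPassword
    by group/groupOfNames/member=cn=sysadmin,dc=naturesoft,dc=net write
    by anonymous auth
    by self write
    by * none
access to dn.subtree="dc=naturesoft,dc=net"
    attribute=homePhone
    by group/groupOfNames/member=cn=hradmin,dc=naturesoft,dc=net write
    by self write
    by * none
EOF
}

sample_conf | acl_attrs fix
```

Running the `check` mode against the live slapd.conf before the upgrade shows which ACL lines will stop parsing; the rewritten file should still be validated with slaptest, as in the report.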

Fixed in 2.2.24.