On Thu, Aug 28, 2008 at 9:32 AM, Luca Scamoni <luca.scamoni@sys-net.it> wrote:
Nicholas Dronen wrote:
> Hi, Pierangelo:
>
> Unfortunately, we're more or less at the mercy of Red Hat when it
> comes to the versions of packages that are included in their
> distribution.  We use a commercial version, not Fedora, for support
> reasons.  In this particular case, the fact that we were exceeding the
> default limit of 1024 file descriptors for select(2) resulted in
> pam_authenticate blocking for up to four minutes, which is a huge
> problem in a production system, enough to justify including a rebuilt
> RPM.  Generally, JPam's use of libldap is pretty simple -- just enough
> to bind and authenticate a user -- so as long as that basic
> functionality works as desired, we should be okay with 2.3.27. :-)
> If we're not, then we'll have to include our own
> RPM.
I would say you're at the mercy of redhat 'cause you want to.
You are free to package your own version of openldap and install it on
your system without losing support from RH as long as it doesn't
interfere with RH existing packages.
We deploy our own openldap rpm to our customers. It installs in
/opt/ldap, is up-to-date with recommended versions of openssl,
cyrus-sasl, berkeleydb and anything else it could need (it's latest
OpenLDAP, of course), has its own init script, man pages and so on.
So it's up to you...

Hi, Luca:

I agree that it's up to us.  We are, for example, going to include our own version of OpenLDAP in our current release to work around the problem with select().  In our next release, we're going to be using syncrepl, and we plan to use a more recent version of OpenLDAP than the one included in RedHat EL 5.2.  But take it to the other extreme.  If a person always upgraded every package in a vendor's distribution just because the vendor was horribly backlevel, they might as well maintain their own distribution, which just isn't worth it.  Keep in mind that we distribute an entire distribution on the appliance, so it's not just OpenLDAP we have to care about.

That being said, this is tangential to the original question, and I have 120 more pages of a requirements document to finish today, so I have to leave off here.

Regards,

Nick