--On Wednesday, December 21, 2011 4:36 PM +0000 "Torsten Schlabach (Tascel eG)" tschlabach@tascel.net wrote:
We're using OpenLDAP 2.4.23 on Debian Linux. The backend is a back-hdb.
Upgrade.
Actually, yes, newer is better most of the time in OSS land, but still, in a production system IMO you cannot upgrade your software every week, can you?
Certainly no one is asking that be done. In fact, OpenLDAP has a fairly slow release cycle. However, it also can be expected to update periodically.
The other part of the problem is that OpenLDAP is releasing a lot faster than most distros manage to update their packages. For example, in Debian right now they are working on getting 2.4.25 into "experimental" while you're at 2.4.28 already. On average, Debian as well as Ubuntu and others are frequently 2-3 releases behind the current one.
This question has come up so often that the Debian maintainers actually contributed an FAQ on the topic: http://www.openldap.org/faq/data/cache/1456.html
You may find it helpful. Debian also has the complication that they want to build OpenLDAP against GnuTLS, which has caused all sorts of nasty problems, and GnuTLS remains an additional security risk as well due to the way in which it is coded. When using Debian/Ubuntu, I always advise people to (a) build their own packages and (b) ensure they are linked against OpenSSL instead of GnuTLS.
I would also strongly advise you to read the change history between 2.4.23 and at least 2.4.26. http://www.openldap.org/software/release/changes.html
And yes, I personally build and upgrade OpenLDAP for the various production environments I've worked in, both at my previous job and my current job. I also don't build out every release. There are clearly times when it isn't necessary. However, in Debian's case, neither 2.4.23 nor 2.4.25 are what I would consider suitable releases for a production OpenLDAP installation. 2.4.26 has been quite good for me, and I'll be moving to 2.4.28 in the near future.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration