From Fedora Project Wiki

Revision as of 11:54, 19 March 2018 by Jkurik (talk | contribs) (
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

OpenLDAP: Drop MozNSS Compatibility Layer


Since Fedora 28, OpenLDAP is compiled with OpenSSL instead of NSS and includes MozNSS Compatiblity Layer (i.e. TLSMC) to assure backwards compatiblity. After this change the TLSMC will be removed.


  • Name: Matus Honek
  • Email: mhonek (at) redhat (dot) com
  • Release notes owner:

Current status

Detailed Description

This change drops support for NSS-like configuration style for TLS in OpenLDAP. Only PEM files will be supported. This is the expected follow-up to the Changes/OpenLDAPwithOpenSSL.

The change will be accomplished by dropping a downstream patch that brings the feature and removing all the related statements from the SPEC file, including --enable-moznss-compatiblity=yes configure option.

Benefit to Fedora

This is the final part of changing the crypto library from NSS to OpenSSL which is the supported crypto library with OpenLDAP upstream. This in order to lower downstream maintenance requirements and better alignment with the upstream. Additionally, the base Fedora image will be reduced as OpenLDAP is the last component there requiring NSS.


  • Policies and guidelines: N/A (not a System Wide Change)
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

Users who use NSS database to store certificates for OpenLDAP will be required to migrate these to the PEM file format.

How To Test

N/A (not a System Wide Change)

User Experience

It appears users nowadays mostly use PEM files, however those using NSS database will encounter errors while trying to use TLS. Users should migrate their certifiactes to PEM file format.



Contingency Plan

  • Contingency mechanism: Revert the change.
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? No.
  • Blocks product? No.


None required.

Release Notes