OpenLDAP: Drop MozNSS Compatibility Layer
Since Fedora 28, OpenLDAP is compiled with OpenSSL instead of NSS and includes MozNSS Compatiblity Layer (i.e. TLSMC) to assure backwards compatiblity. After this change the TLSMC will be removed.
- Name: Matus Honek
- Email: mhonek (at) redhat (dot) com
- Release notes owner:
- Targeted release: Fedora 29
- Last updated: 2018-03-19
- Release Notes tracking: #130
- Tracker bug: #1557967
This change drops support for NSS-like configuration style for TLS in OpenLDAP. Only PEM files will be supported. This is the expected follow-up to the Changes/OpenLDAPwithOpenSSL.
The change will be accomplished by dropping a downstream patch that brings the feature and removing all the related statements from the SPEC file, including
--enable-moznss-compatiblity=yes configure option.
Benefit to Fedora
This is the final part of changing the crypto library from NSS to OpenSSL which is the supported crypto library with OpenLDAP upstream. This in order to lower downstream maintenance requirements and better alignment with the upstream. Additionally, the base Fedora image will be reduced as OpenLDAP is the last component there requiring NSS.
- Proposal owners: Drop downstream patching as described in #Detailed Description
- Other developers: N/A (not a System Wide Change)
- Release engineering: #7382
- List of deliverables: N/A (not a System Wide Change)
- Policies and guidelines: N/A (not a System Wide Change)
- Trademark approval: N/A (not needed for this Change)
Users who use NSS database to store certificates for OpenLDAP will be required to migrate these to the PEM file format.
How To Test
N/A (not a System Wide Change)
It appears users nowadays mostly use PEM files, however those using NSS database will encounter errors while trying to use TLS. Users should migrate their certifiactes to PEM file format.
- Contingency mechanism: Revert the change.
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? No.
- Blocks product? No.