How to install libldap-2.5.0 on Bullseye?

Question

I'm setting up logins, backed by sssd & AD, on Bullseye machines. Judging the error logging, it looks like I ran into sssd issue 5720. Which is about a requirement mismatch between libldap and sssd. Sssd requires cldap support, while libldap doesn't support it.

An extract from /var/log/sssd/sssd_.log

[sss_ldap_init_sys_connect_done] (0x0020): ldap_init_fd failed: Bad parameter to an ldap routine. [26][cldap://*****:389] 
[sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed: [5]: Input/output error.

I thought the simple solution would be to install the backport release libldap-2.5.0. Unfortunately it installs besides the stock Bullseye release libldap-2.4.2. Instead of replacing it. I can't remove libldap-2.4.2, because that would remove a whole lot of depending packages.

Our machines are tracking Debian Stable. I'd rather not have them track Testing just for this one item.

How should I proceed to upgrade libldap ?

Answer 1

I thought the simple solution would be to install the backport release libldap-2.5.0. Unfortunately it installs besides the stock Bullseye release libldap-2.4.2. Instead of replacing it.

That's very deliberate, as the two versions have different library names – libldap-2.4.so.2 in older versions has become libldap.so.2 starting with 2.5.x, so the new version would not be found by any program that was originally compiled for the older 2.4.x library. (The older version also had two variants, with most programs using the re-entrant libldap_r-2.4.so.2.)

(A different soname also tends to indicate material differences in the library ABI, e.g. *.so.2 may become *.so.3 because of functions taking different parameters, or structures having different fields; trying to shoehorn a library with a different ABI version will usually lead to crashes or other damage sooner or later.)

This means that Debian's approach of having both libraries side-by-side is exactly what you want here – SSSD all you need to rebuild, whereas if the 2.5 package had replaced the 2.4 one, you would have to install rebuilt versions of all dependent packages. (That's how the migration happened in distributions that did upgrade in-place, such as Arch Linux – they had to rebuild all dependent packages and release them in a single batch.)