1

We use Oracle Linux 9 for our servers (so it's EL9 family - based on RHEL9). Some of the servers have openldap-servers installed. (We have the oracle-epel repo enabled, in addition to the standard repos, but they are all Oracle repos).

Some time earlier today we stopped being able to run dnf update on those machines. It fails on requirements from the openldap-servers.

# dnf update
Last metadata expiration check: 0:00:12 ago on Wed May 21 20:00:56 2025.
Error:
 Problem 1: package openldap-servers-2.6.6-3.el9.x86_64 from @System requires openldap(x86-64) = 2.6.6, but none of the providers can be installed
  - cannot install both openldap-2.6.8-4.el9.x86_64 from ol9_baseos_latest and openldap-2.6.6-3.el9.x86_64 from @System
  - cannot install both openldap-2.6.8-4.el9.x86_64 from ol9_baseos_latest and openldap-2.6.6-3.el9.x86_64 from ol9_baseos_latest
  - cannot install the best update candidate for package openldap-servers-2.6.6-3.el9.x86_64
  - cannot install the best update candidate for package openldap-2.6.3-1.el9.x86_64
 Problem 2: problem with installed package openldap-servers-2.6.6-3.el9.x86_64
  - package openldap-servers-2.6.6-3.el9.x86_64 from @System requires openldap(x86-64) = 2.6.6, but none of the providers can be installed
  - package openldap-servers-2.6.6-3.el9.x86_64 from ol9_developer_EPEL requires openldap(x86-64) = 2.6.6, but none of the providers can be installed
  - cannot install both openldap-2.6.8-4.el9.x86_64 from ol9_baseos_latest and openldap-2.6.6-3.el9.x86_64 from @System
  - cannot install both openldap-2.6.8-4.el9.x86_64 from ol9_baseos_latest and openldap-2.6.6-3.el9.x86_64 from ol9_baseos_latest
  - cannot install the best update candidate for package openldap-2.6.6-3.el9.x86_64
(try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)

Trying to install it on an empty Oracle Linux 9 minimal (just added the EPEL repo definition to a minimal install) gives similar error:

[root@test-adco-carc ~]# dnf clean all && dnf makecache
44 files removed
Oracle Linux 9 EPEL Packages for Development (x86_64)                                                                                                                                                                                          8.1 MB/s |  30 MB     00:03
Oracle Linux 9 BaseOS Latest (x86_64)                                                                                                                                                                                                          8.4 MB/s |  61 MB     00:07
Oracle Linux 9 Application Stream Packages (x86_64)                                                                                                                                                                                            8.5 MB/s |  58 MB     00:06
Oracle Linux 9 UEK Release 7 (x86_64)                                                                                                                                                                                                          8.5 MB/s |  66 MB     00:07
Last metadata expiration check: 0:00:24 ago on Wed 21 May 2025 19:53:47 EEST.
Metadata cache created.
[root@test-adco-carc ~]# dnf install openldap-servers openldap-clients libselinux-python3 openssh openssl
Last metadata expiration check: 0:03:02 ago on Wed 21 May 2025 19:53:47 EEST.
Package python3-libselinux-3.6-1.el9.x86_64 is already installed.
Package openssh-8.7p1-43.0.2.el9.x86_64 is already installed.
Package openssl-1:3.2.2-6.0.1.el9_5.1.x86_64 is already installed.
Error:
 Problem: package openldap-servers-2.6.6-3.el9.x86_64 from ol9_developer_EPEL requires openldap(x86-64) = 2.6.6, but none of the providers can be installed
  - cannot install both openldap-2.6.8-4.el9.x86_64 from ol9_baseos_latest and openldap-2.6.6-3.el9.x86_64 from @System
  - cannot install both openldap-2.6.8-4.el9.x86_64 from ol9_baseos_latest and openldap-2.6.6-3.el9.x86_64 from ol9_baseos_latest
  - package openldap-clients-2.6.8-4.el9.x86_64 from ol9_baseos_latest requires openldap(x86-64) = 2.6.8-4.el9, but none of the providers can be installed
  - cannot install the best candidate for the job
  - conflicting requests
(try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)

I can't find much online. This surprises me since I thought this was a fairly standard way of installing OpenLDAP on EL9. I did find a release note (PDF) from Red Hat dated yesterday that lists among the changes:

openldap has been rebased to version 2.6.8

The openldap package has been updated to version 2.6.8. The update includes various enhancements and bug fixes, including:

  • Handling of TLS connections has been improved.
  • Kerberos SASL works with STARTTLS even when the Active Directory certificate is an Elliptic Curve Cryptography (ECC) certificate and SASL_CBINDING is set to tls-endpoint.

So I guess that's it. The openldap-servers in the EPEL repo hasn't been updated and still wants 2.6.6 but the main repos only provide 2.6.8.

I can work around it for now for the existing machines by version locking all the openldap stuff. But that's not sustainable.

There was a comment suggesting it was a repo conflict.

# dnf repolist
repo id                                                                                                               repo name
ol9_UEKR7                                                                                                             Oracle Linux 9 UEK Release 7 (x86_64)
ol9_appstream                                                                                                         Oracle Linux 9 Application Stream Packages (x86_64)
ol9_baseos_latest                                                                                                     Oracle Linux 9 BaseOS Latest (x86_64)
ol9_developer_EPEL                                                                                                    Oracle Linux 9 EPEL Packages for Development (x86_64)

ls /etc/yum.repos.d/

oracle-epel-ol9.repo oracle-linux-ol9.repo uek-ol9.repo virt-ol9.repo

My questions:

  • Am I doing something wrong? Should I be installing some other way than using openldap-servers?
  • Or is this a bug? And if so, is it Oracle, Red Hat or OpenLDAP that I need to report it to? I am guessing it's the Oracle EPEL repo, so I have opened an issue with them.

Adam
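
An added example, not part of the original post: a small Python parser for the dnf error text quoted in the question, reporting each exact-version pin (such as openldap-servers requiring openldap = 2.6.6) that a build offered by a different repository cannot satisfy. The function names and the SAMPLE string (lines copied from the question's second error output) belong to this example only.

```python
import re

# Constructed sample: three lines copied from the dnf error in the question.
SAMPLE = """\
 Problem: package openldap-servers-2.6.6-3.el9.x86_64 from ol9_developer_EPEL requires openldap(x86-64) = 2.6.6, but none of the providers can be installed
  - cannot install both openldap-2.6.8-4.el9.x86_64 from ol9_baseos_latest and openldap-2.6.6-3.el9.x86_64 from @System
  - package openldap-clients-2.6.8-4.el9.x86_64 from ol9_baseos_latest requires openldap(x86-64) = 2.6.8-4.el9, but none of the providers can be installed
"""

# "package <NEVRA> from <repo> requires <name>(<arch>) = <version>"
PIN = re.compile(r"package (\S+) from (\S+) requires ([\w.+-]+)(?:\([^)]*\))? = ([^,\s]+)")
OFFER = re.compile(r"(\S+) from (\S+)")

def split_nevra(nevra):
    """'openldap-2.6.8-4.el9.x86_64' -> ('openldap', '2.6.8', '4.el9')."""
    nvr, _arch = nevra.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def satisfies(pin, version, release):
    """An '=' requirement without a release matches any release of that version."""
    return pin in (version, f"{version}-{release}")

def find_skew(text):
    """Return sorted (requirer, requirer_repo, dep, pin, offered, offering_repo)
    tuples for pins that a build from another repository cannot satisfy."""
    offers = set()
    for line in text.splitlines():
        if "cannot install both" in line:
            for nevra, repo in OFFER.findall(line.split("both", 1)[1]):
                offers.add((split_nevra(nevra), repo))
    findings = set()
    for requirer, req_repo, dep, pin in PIN.findall(text):
        for (name, ver, rel), repo in offers:
            # Skip the installed copy and builds from the requirer's own repo.
            if name != dep or repo in ("@System", req_repo):
                continue
            if not satisfies(pin, ver, rel):
                findings.add((split_nevra(requirer)[0], req_repo, dep, pin,
                              f"{ver}-{rel}", repo))
    return sorted(findings)

if __name__ == "__main__":
    for req, req_repo, dep, pin, offered, repo in find_skew(SAMPLE):
        print(f"{req} ({req_repo}) pins {dep} = {pin}; {repo} offers {offered}")
```

On the sample it reports the one cross-repository mismatch: the EPEL build of openldap-servers pinned to 2.6.6 against the 2.6.8-4.el9 build in ol9_baseos_latest.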

2 Answers

1

I have a similar issue in a slightly different context (i.e., a Rocky 9.5 server with EPEL enabled): I have a conflict with the openldap-servers package. The list of my openldap packages, with where they come from, is:

# yum list installed | grep openldap
openldap.x86_64                                      2.6.6-3.el9                   @minimal  
openldap-clients.x86_64                              2.6.6-3.el9                   @baseos   
openldap-compat.x86_64                               2.6.6-3.el9                   @baseos   
openldap-servers.x86_64                              2.6.6-3.el9                   @epel     

It looks like people from EPEL have compiled a new version of openldap-servers (openldap-servers-2.6.8-2) but the baseos Rocky repo does not yet have the required openldap (2.6.8) package. So I can either wait a few days until this package becomes available or find a source package with version 2.6.8 and build the rpm myself (if the upgrade is really urgent and necessary).

1

It seems the Oracle EPEL repo was lagging behind and, for a while, incompatible with the Oracle base repos.

It has now caught up. At least, it now works for me to do a dnf update with openldap-servers installed from the EPEL repo. Whether there are other packages in EPEL that still cause issues I can't answer. I have not had any official notification from Oracle.

Adam