This is probably an issue. If I'm correct Debian policy prevent version
upgrade, say, if Lenny have 2.4.11 version, they can't put 2.4.17 in it.
Instead, they can backport some patches from 2.4.17 back to 2.4.11 and
make it 2.4.11-1+lenny1. "they" mean maintainers. On Debian there are a
number of them, there is also a list which doesn't seem dead:

http://packages.debian.org/lenny/slapd
http://lists.alioth.debian.org/pipermail/pkg-openldap-devel/

So, maybe a correct solution for this situation is to figure out what
patch solves given issue and ask maintainers to backport it. Or maybe
just file a bug on Debian.

Let's be careful about what we criticise some of the better open source
companies of doing. While the Red Hat packages have historically left a *lot*
to be desired (Red Hat 7.x/RHEL2.1 shipped OpenLDAP 2.0.x built against GNU
gdbm!, RHEL3 shipped 2.0.x when 2.1 had been stable for a substantial amount
of time), the RHEL4 packages of 2.2 built an internal copy of 4.2:

$ rpm -qlp /data/software/linux/redhat/rhel4es-64/RedHat/RPMS/openldap-
servers-2.2.13-12.el4.x86_64.rpm |grep "lib.*db"
/usr/lib64/libslapd_db-4.2.so
/usr/lib64/tls/libslapd_db-4.2.so

and RHEL5 shipped 2.3 (granted, RHEL5.2 and earlier had a very old version,
2.3.27 I think) built with an internal copy of 4.4 (while the "system" copy of
db was 4.3):

$ rpm -qlp /data/software/linux/redhat/rhel5.1-64/Server/openldap-
servers-2.3.27-8.x86_64.rpm |grep "lib.*db"
/usr/lib64/libslapd_db-4.4.so
/usr/lib64/tls/libslapd_db-4.4.so

While Fedora may have shipped OpenLDAP built against db4.3, I can find no
evidence of Red Hat having shipped that combination in any RHEL release.

As of 5.3, the OpenLDAP packages shipped by Red Hat are quite adequate (IMHO),
even if there are some peculiarities and areas for improvement. In
environments which don't justify 2.4, or where OpenLDAP isn't business-
critical (where I still have RHEL4 boxes running 2.3.43 because I can't
justify an OS upgrade yet), CentOS 5.3 with the supplied packages is quite
adequate.

Of course, people who desire packages for 2.4 can get them from others, and
people can argue the point that Red Hat should provide them. However Red Hat
aims to provide some kind of stability, including version stability. And, in
the same was as their OpenLDAP packages are still on 2.3, their samba packages
(at least on RHEL 5.4) are still on 3.0 (when there is even *more* motivation
to ship a newer version, due to compatibility with the new versions of the
desktop software with the biggest market share).

If you have a requirement for 2.4, faced with the choices, I would *not* go
with a distro that ships OpenLDAP built against gnutls, so my personal choices
would be Mandriva or CentOS with my 2.4 packages (but, I could be biased).

Regards,
Buchan

Out of fairness want to note that the most significant component of the
problems with the OpenLDAP packages for Debian (and Ubuntu, to a somewhat
lesser degree) is that the packaging team has basically no resources.
Only two of us have done much work over the past year or two, and then
only as we've found time, and neither of the two of us who are active have
any free time to spare to increase the amount of work that we're doing
significantly.

This is not something that either is the fault of the OpenLDAP project or
something that any of the OpenLDAP developers can address even if they
wanted to unless they wanted to become experts in Debian packaging.
Debian and Ubuntu need more people with a thorough understanding of Debian
packaging working on improving the packages.

At this point, nearly all complaints about the state of the Debian
packages are rightfully directed at the lack of resources on the Debian
side. There may be some issues that could be reasonably considered a
shared responsibility were the packages in much better shape, but at this
point they're swamped by the lack of volunteer resources to absorb new
upstream releases and do reasonable bug triage.

Unfortunately, we're currently in a state where the people involved in the
packaging don't have enough free time to teach even interested parties
about packaging so that they can come up to speed and help. We really
need volunteers who already know the packaging components and can start
working at that level without needing much additional resources or
training. Both Steve and I are already doing about a dozen other
high-profile things for Debian and are both involved in the packaging of
OpenLDAP primarily out of pure self-interest in not wanting to see the
packages go completely untended, not because we have any realistic ability
to maintain the packages as they properly should be maintained.

I do the Debian package maintenance for OpenAFS, which has a similar or
higher change rate as OpenLDAP and also doesn't do a lot of support for
old stable versions, but the end user experience is much, much better and
the same complaints are not present simply because on the packaging side
I'm able to apply more resources. I have the time to aggressively package
new versions, pull up upstream changes inbetween releases (admittedly,
made *far* easier than it would be for OpenLDAP by OpenAFS's use of Git),
and backport newer versions for users of Debian stable. When Debian users
of OpenAFS run into problems fixed in later versions, I can just tell them
to go to the version from backports.org to solve their problem. This
doesn't require any additional work from the OpenAFS upstream maintainers.

There's absolutely no reason why the same thing couldn't be true of the
OpenLDAP packages for Debian and Ubuntu, without any changes whatsoever to
how the OpenLDAP developers run their project. All it requires is
volunteers and time.