I had some issues and fixed them, but there is no post on stackexchange about it, so I'll post a question and answer too.

(EDIT: apparently there is a very related post... which I couldn't find any other way than by searching for "GSUFFIX", i.e. already knowing the answer)

I installed the packages that come with the distro:

apt install slapd ldap-utils ldapscripts libnss-ldap

And then I upgraded from something older to Ubuntu 16.04. (the cause of the 2nd problem?)

Or you can change that to the older way using nslcd, which works way better (doesn't make systemd-logind eat 100% CPU and never fully start, and avoids some strange boot-up race conditions... nssldap-update-ignoreusers is supposed to fix such things but doesn't):

apt install libnss-ldapd libpam-ldap

Take the default for everything, except set things like your distinguished name and password.

And now you'd think it would just work... the distro of course has a setup that works since you used only their packages, right? But instead ldapscripts fails in a few ways.

problem 1 - already solved

is that the Debian prompts and things asked for a password and put it in a file, but with a trailing newline, and the scripts don't work unless you remove that.

So you can fix that:

echo -n "secretgoeshere" > /etc/ldap.secret
echo -n "secretgoeshere" > /etc/ldapscripts/ldapscripts.passwd

# just in case...
chown root:root /etc/ldap.secret /etc/ldapscripts/ldapscripts.passwd
chmod go= /etc/ldap.secret /etc/ldapscripts/ldapscripts.passwd

# and because you can't be sure it won't break it again next time debconf runs, but I can assure you it will
chattr +i /etc/ldap.secret /etc/ldapscripts/ldapscripts.passwd

problem 2 - which I'll answer separately

# ldapaddgroup test
Error adding group test to LDAP

You can get a tiny bit more detail from the log

# tail /var/log/ldapscripts.log
Apr 09 16:51:57 ldapservername ldapscripts: ldapaddgroup(peter): /usr/sbin/ldapaddgroup test
No such object (32)
Matched DN: dc=example,dc=com
No such object (32)
Matched DN: dc=example,dc=com
ldap_add: No such object (32)
        matched DN: dc=example,dc=com
  -> Error adding group test to LDAP

And of course it doesn't say which object you referred to that doesn't exist. Obviously not the group name, since it should only complain when that already exists; not existing is a requirement. And ldapscripts deletes the temp files, so you can't even see the LDIF.

So this is the problem to solve in an answer, which I found nowhere online.

Peter

1 Answer

So to investigate, I took the ldapaddgroup script, and copied it and modified it:

mkdir ~/ldapscripts-mod
cd ~/ldapscripts-mod

cp /usr/sbin/ldapaddgroup .
cp /usr/share/ldapscripts/runtime .

vim ldapaddgroup
    change the runtime source line like this (optional... just do this if you customize the runtime script):

    -_RUNTIMEFILE="/usr/share/ldapscripts/runtime"
    +#_RUNTIMEFILE="/usr/share/ldapscripts/runtime"
    +_RUNTIMEFILE="/root/ldapscripts-mod/runtime"

    you could also output the ldif if you like:

    -$_getldif | _filterldif | _askattrs | _utf8encode | _ldapadd
    +$_getldif | _filterldif | _askattrs | _utf8encode | tee ~/ldapscripts-mod/test.ldif | _ldapadd

vim runtime
    I added echoes everywhere (make sure to >&2 or they end up in that pipe above)... but nothing really worth noting here.

    One of the echos showed which ldapadd command it used so I could use it below (with the cat added).

And so I saw that the LDIF had ou=Groups, but my database has no such OU... it has ou=Group. I confirmed that is the problem by editing the LDIF and adding it manually:

cat ~/ldapscripts-mod/test.ldif | /usr/bin/ldapadd -y /etc/ldapscripts/ldapscripts.passwd -D cn=admin,dc=example,dc=com -xH ldap://ldapservername/

And you can basically see it like this too:

# slapcat | grep -Eo "ou=[^,]+" | sort -u
ou=Group
ou=Hosts
ou=Idmap
ou=people
ou=People

Luckily, this is configurable easily...

vim /etc/ldapscripts/ldapscripts.conf
    GSUFFIX="ou=Group"
    USUFFIX="ou=People"
    MSUFFIX="ou=Hosts"

I don't really know what MSUFFIX is or whether I fixed anything... but I at least set it to something that exists. The other two are obviously correct. And now it works.

Peter