openldap sections in ubuntu server guide not updated for packages in karmic

Bug #463684 reported by Stuardo -StR- Rodríguez on 2009-10-29
This bug affects 35 people
Affects: Ubuntu Website - OBSOLETE (importance: Undecided; assigned to: Unassigned)
Affects: openldap (Ubuntu) (importance: Low; assigned to: Unassigned)
Affects: ubuntu-docs (Ubuntu) (importance: Medium; assigned to: Adam Sommer)

Bug Description

Binary package hint: slapd

slapd 2.4.18-0ubuntu1 package

lsb_release -rd
Description: Ubuntu 9.10
Release: 9.10

sudo dpkg-reconfigure slapd

Omit OpenLDAP server configuration? no
Remove the database when slapd is purged? yes
allow ldapv2 protocol? no

those are the only questions asked, and all the tutorials say it should ask me a lot of other questions


On Thu, Oct 29, 2009 at 08:05:52PM -0000, StR wrote:
>
> sudo dpkg-reconfigure slapd
>
> Omit OpenLDAP server configuration? no
> Remove the database when slapd is purged? yes
> allow ldapv2 protocol? no
>
> those are the only questions asked, and all the tutorials say it should
> ask me a lot of other questions
>

Have you tried to change the debconf priority when reconfiguring the
package?

Ex: dpkg-reconfigure -pmedium slapd

  status incomplete
  importance low

--
Mathias Gug
Ubuntu Developer http://www.ubuntu.com

Changed in openldap (Ubuntu):
importance: Undecided → Low
status: New → Incomplete

dpkg-reconfigure -pmedium slapd
gave the same questions, the same error

emiperez (emiperez) wrote :

The same problem. The documentation says the installation process and/or dpkg-reconfigure should ask me for the admin's password but it does not.

emiperez (emiperez) wrote :

https://help.ubuntu.com/9.10/serverguide/C/openldap-server.html

"[...] First, install the OpenLDAP server daemon slapd and ldap-utils, a package containing LDAP management utilities:
sudo apt-get install slapd ldap-utils
The installation process will prompt you for the LDAP directory admin password and confirmation. [...]"

"[...] If you require a different suffix, the directory can be reconfigured using dpkg-reconfigure. Enter the following in a terminal prompt:
sudo dpkg-reconfigure slapd
You will then be taken through a menu based configuration dialog, allowing you to configure various slapd options. [...]"

Mathias Gug (mathiaz) wrote :

Correct. This is because the slapd package has been updated in karmic. See bug 442498.

This is an issue with the ubuntu server guide.

Changed in openldap (Ubuntu):
status: Incomplete → Triaged
Mathias Gug (mathiaz) on 2009-11-04
summary: - dpkg-reconfigure slapd wizard configuration isn't complete
+ openldap sections in ubuntu server guide not updated for packages in
+ karmic
Changed in ubuntu-docs (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Changed in openldap (Ubuntu):
status: Triaged → Won't Fix
Changed in ubuntu-docs (Ubuntu):
assignee: nobody → Adam Sommer (asommer)
Alvin (alvind) wrote :

Also see bug 447099 and bug 459403

Luis F. Lopez (luis.lopez) wrote :

As Alvin mentions (from bug 459403), a good howto that could be used to update the official documentation is available at:

http://ubuntuforums.org/showthread.php?p=8161118#post8161118

Adrian Custer (acuster) wrote :

Hey Julián,

Thanks for doing that work. I have not had time to read your edits on doc.ubuntu.com in detail yet, but want to add an issue worth mentioning in these pages.

If one tries to create a second branch on the DIT, openldap wants to store that in a separate backend. If we want to do this next to the initial backend, on /var/lib/ldap2/ for example, then apparmor kicks in to block slapd from writing to a directory it has not been authorized to hit. The error message generated by openldap does not prove very helpful---I was only saved by finding a message on the subject on the web.

It would be useful to mention that apparmor might become an issue for any expansion of the DIT to a second backend. It would also be elegant to explain how to modify apparmor correctly to allow this second backend but that's getting far afield so I could understand mentioning the issue and moving on. I personally hacked my apparmor quick and dirty but am not working on a production server.

cheers, --adrian
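
The second-backend situation described in the comment above, as an added example that is not part of the original report: it reads AppArmor denial messages for the slapd profile and proposes rules only for the intended backend directory, flagging every other denied path for review. The log lines are constructed, and the rule style (`r` on the directory, `rwk` below it) and the profile path /etc/apparmor.d/usr.sbin.slapd are assumptions about the stock slapd profile.

```shell
#!/bin/sh
# Added example: derive candidate AppArmor rules for a second slapd backend
# directory from kernel denial messages. The log lines are constructed.
LC_ALL=C; export LC_ALL

SAMPLE_LOG='Feb 22 10:01:02 ldap1 kernel: audit: type=1400 audit(1266832862.101:21): apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/var/lib/ldap2/" pid=2211 comm="slapd" requested_mask="r" denied_mask="r" fsuid=108 ouid=108
Feb 22 10:01:02 ldap1 kernel: audit: type=1400 audit(1266832862.105:22): apparmor="DENIED" operation="mknod" profile="/usr/sbin/slapd" name="/var/lib/ldap2/DB_CONFIG" pid=2211 comm="slapd" requested_mask="c" denied_mask="c" fsuid=108 ouid=108
Feb 22 10:03:40 ldap1 kernel: audit: type=1400 audit(1266833020.330:23): apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/srv/ldap-backup/dump.ldif" pid=2211 comm="slapd" requested_mask="r" denied_mask="r" fsuid=108 ouid=108
Feb 22 10:04:11 ldap1 kernel: audit: type=1400 audit(1266833051.900:24): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/var/lib/ldap2/secret" pid=900 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# Print the unique directories that the slapd profile was denied access to.
# Denials logged for other profiles are ignored.
denied_dirs() {
    grep 'apparmor="DENIED"' |
    grep 'profile="/usr/sbin/slapd"' |
    sed -n 's/.* name="\([^"]*\)".*/\1/p' |
    sed 's|/[^/]*$||' |
    sort -u
}

# Emit rules for the one directory the administrator intends to use as the
# new backend ($1). A denial is not a reason to grant access by itself, so
# any other denied path is printed as a comment for manual review.
suggest_rules() {
    backend=${1%/}
    denied_dirs | while IFS= read -r dir; do
        case "$dir/" in
            "$backend"/*)
                printf '  %s/ r,\n  %s/** rwk,\n' "$backend" "$backend" ;;
            *)
                printf '# review, not auto-allowed: %s\n' "$dir" ;;
        esac
    done | sort -u
}

# On a live system, feed the kernel log instead of the sample, add the
# printed rules to the slapd profile, then reload it with:
#   apparmor_parser -r /etc/apparmor.d/usr.sbin.slapd
printf '%s\n' "$SAMPLE_LOG" | suggest_rules /var/lib/ldap2
```
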

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-docs - 10.04.1

---------------
ubuntu-docs (10.04.1) lucid; urgency=low

  * First upload for lucid
  * General:
    - Refresh pot files
    - Changed 'Text Editor' to 'gedit Text Editor' LP: #442417 (Connor Imes)
  * Advanced-topics:
    - Added link in advanced-topics to a description about Users and Groups in
      Debian systems. LP: #145055 (Connor Imes)
  * Hardware:
    - Added mention of ext4 to hardware.xml and changed the mentioning of the
      default filesystem in Ubuntu from ext3 to ext4 LP #449667 (Connor Imes)
    - Removed subsection in hardware about quirk-checker script - link was
      broken, script is outdated LP: #461158 (Connor Imes)
  * Keeping-safe:
    - Updating instructions for automatic login for new GDM LP: #442676
     (Dean Sas)
    - String adjustment (period inside of a quote tag), Scott Shields,
      LP: #496885
  * Internet:
    - Changes remaining mention of flashplugin-nonfree to flashplugin-installer
      in web-apps.xml LP: #444546 (Connor Imes)
    - Change some <guimenu> tags to <guimenuitem> tags in web-apps.xml to show
      arrows in HTML documentation instead of + signs LP: #453512 (Connor Imes)
    - Removed reference to network-manager radio buttons, as radio buttons
      aren't used in this version of NM for wired networks (Jim Campbell)
    - Aligned similar strings in 'internet' section to benefit translators;
      some small adjustments. LP: #460360 (Connor Imes)
  * Musicvideophotos:
    - Fixed apturl for mtp-tools package in music.xml LP #452262 (Connor Imes)
    - Improve ipod section, patch by Michael Fitzhugh. LP: #370085
  * Printing:
    - Updated printer setup directions in printing section LP: #435510
      (Connor Imes)
    - Fix scanning typo. Patch by Shane Fagan LP: #447250
  * Programming:
    - Removed entire programming section LP: #414035 (Connor Imes)
  * Serverguide:
    - Adjusted wording in serverguide package-management file to more
      clearly describe apticron. LP: #473280 (Connor Imes)
    - Updated LDAP section for changes to the Jaunty package.
      Fixes LP: #475492, LP: #459403, LP: #463684 (Adam Sommer)
    - In OpenSSH section, .ssh/authorized_keys permissions should be
      600, not 644 LP: #491159 (Connor Imes)
    - Replaced description of ebox Log Observer in serverguide with a real
      description of the event's purpose LP: #405926 (Connor Imes)
    - Fixed IP example in serverguide's postfix configuration section
      LP: #495202 (Connor Imes)
    - Include 'auto eth1' in interfaces file for static IP configuration
      LP: #441802 (Connor Imes)
    - Fix for disabling Control-Alt-Delete in serverguide. Scott Shields,
      LP: #496465
    - Typo fix, Scott Shields, LP: #497867
    - PostgreSQL setup fix for config file pg_hba.conf, Scott Shields,
      LP: #492286
    - Misc fixes in windows-networking section. Vikram Dhillon, LP: #462607
    - Changes to RAID installation section LP: #428036, LP: #462719
      (Connor Imes)
    - Fixes and adjustments to web-servers LP: #462621 (Connor Imes)
  * Switching:
    - Replaced Pidgin with Empathy in applications-equivalents
      LP: #490980 (Connor Ime...


Changed in ubuntu-docs (Ubuntu):
status: Triaged → Fix Released
Julian Alarcon (alarconj) wrote :

Please, check again this wiki help:
https://help.ubuntu.com/9.10/serverguide/C/openldap-server.html

Still no updates.

I am sick of this.

I have spent the last 4 days upgrading, installing, uninstalling trying really hard to get OpenLDAP to work on Ubuntu but I am just now giving up.

For those who care to listen there are some reasons:

1. I originally had it working on Edgy but when I went to test some stuff on Friday it was no longer working. Plus I thought it was probably time for an update...

2. The update had some moments but I eventually arrived at Karmic but along the way my slapd.conf wouldn't upgrade.

3. No worries, I'll remove and install the package again. Really really bad decision.

4. The installation wouldn't work because the remove wouldn't delete the slapd.conf. The remove was failing as was the install. I eventually deleted the slapd.conf manually so the remove and install would then work. I was surprised that a new slapd.conf was never created.

5. The configuration script asks just 3 questions when it clearly should be asking a whole lot more. Nobody seems to know why it's not asking more but they think the documentation should be updated to reflect that the configuration will only ask 3 questions. Duh!

6. More googling and I found a step by step to getting the ldap server working. Well, at least there were steps but I couldn't get them to work. I needed some Berkeley database which I couldn't find anywhere, and I looked for other packages that utilised this bdb and tried installing them - I don't know if the database arrived or not but the LDAP script still failed with some error about the database, I think it was error (80) - really cool messages. So my ldap server is like a beached whale without this database.... I thought that was what pre-requisites were for....

7. None of the ldapadd scripts worked and now the problems are just adding up...

Wouldn't it be nice to have a piece of software that would load, provide some configuration options and then you could use a tool like LDAPExplorerTool2 to do the loading and searching functions.

I'm a developer and my application operates as an LDAP client - I don't want to learn all of the intricacies of the LDAP server in order to test my application. I want just the basics operating so I can test my app with a couple of use cases.

I'm now completely turned off Ubuntu and will be heading off to another Linux derivative.

Good bye.
Murray


Yes,

the current situation sucks. Unfortunately, it cannot all be laid at the
feet of Ubuntu. Like you, I spent a good week in a maze of twisty
passages where nothing worked. Then, painfully, I emerged from that mess
over a few weeks to get a working system.

The core issue is that LDAP has moved on while most of the available
documentation has not. Almost all the search accessible documentation is
based on the venerable 'slapd.conf' but OpenLDAP has moved to an
embedded Db. So, like an anthropologist, one has to sift through the
docs and try to figure out what is still relevant and what no longer
works. It's a hard slog. The #openldap irc channels sometimes help.

Then, there's Ubuntu which silently transitioned from the older system
to the newer one without really considering the consequences for the
newbies like me who were getting their first dose of LDAP in the middle
of the transition. Ubuntu doesn't have infinite resources and made the
code transition without having the documenters who could at least put up
the flags warning that 'here be monsters'. Fixing it though, requires a
good documentation writer who will take on the task of writing a really
decent chapter. In itself, that's a couple of weeks of work.
Unfortunately, the cost of figuring things out takes so much time that
there's none left to 'volunteer' to fix the docs. (And my Gnumeric
manual is ever waiting for my spare documenter cycles.) So it never gets
fixed---such goes life in the collaborosphere.

So, good luck to you with your next distribution. You now also know that
newer LDAPs are working differently from the way things used to work so
you have a leg up when installing that.

all the best,
--adrian

On Mon, 2010-02-22 at 01:36 +0000, murray wrote:
> I am sick of this.
>
> I have spent the last 4 days upgrading, installing, uninstalling trying
> really hard to get OpenLDAP to work on Ubuntu but I am just now giving
> up.
>
> For those who care to listen there are some reasons:
>
> 1. I originally had it working on Edgy but when I went to test some
> stuff on Friday it was no longer working. Plus I thought it was
> probably time for an update...
>
> 2. The update had some moments but I eventually arrived at Karmic but
> along the way my slapd.conf wouldn't upgrade.
>
> 3. No worries, I'll remove and install the package again. Really really
> bad decision.
>
> 4. The installation wouldn't work because the remove wouldn't delete the
> slapd.conf. The remove was failing as was the install. I eventually
> deleted the slapd.conf manually so the remove and install would then
> work. I was surprised that a new slapd.conf was never created.
>
> 5. The configuration script asks just 3 questions when it clearly should
> be asking a whole lot more. Nobody seems to know why it's not asking
> more but they think the documentation should be updated to reflect that
> the configuration will only ask 3 questions. Duh!
>
> 6. More googling and I found a step by step to getting the ldap server
> working. Well, at least there were steps but I couldn't get them to
> work. I needed some Berkeley database which I couldn't find anywhere,
> and I looked for other packages tha...


yannickm (yannickm) wrote :

Murray's comment is exactly what I was expecting to happen, and what I warned of in the bug I filed [442498].

As I mentioned, not everyone who wishes to use openldap is a system administrator who wishes to setup a production ldap environment.

Many are people who need to use an ldap server, and who are NOT interested in wasting hours and hours learning all the complexity of openldap's cn=config

Those people will try ubuntu, waste time struggling to get it working, give up and think 'ubuntu sucks'

What really is rubbing salt in the wound, is that this is NOT a question of something that is missing and that needs to be added. it is *NOT* a documentation problem (although documentation quality makes things even worse)

The debconf script that would create a completely working-out-of-the-box system EXISTED in the last version, and supported cn=config, and had all the flexibility one might need since they were debconf-based.

So no extra work is required. This whole situation has been created due to the REMOVAL of functionality that worked fine, at the cost of making openldap UNUSABLE for a significant portion of people who need it, for NO BENEFIT WHATSOEVER

Tessa (unit3) wrote :

I'm not as enraged as others here, but I agree with Yannick. If we had a debconf based base configuration for cn=config, and removed it, then it should be put back in. Clearly having it would be less problematic for most users than not having it.

tags: added: regression-release
Tobias Bradtke (webwurst) wrote :

Will things be easier with Lucid? Does someone know what is planned? I could not find much about that.

Hello,

On Mon, Feb 22, 2010 at 6:40 PM, Tobias Bradtke <email address hidden> wrote:

> Will things be easier with Lucid? Does someone know what is planned? I
> could not find much about that.
>
The instructions have been updated for Lucid, you can find a draft version
on the documentation here:

  http://doc.ubuntu.com/ubuntu/serverguide/C/openldap-server.html

All feedback is greatly appreciated.

--
Party On,
Adam

Tessa (unit3) wrote :

Docs look better, but they also serve to highlight that the base config should be more fleshed out. That's a lot of non-trivial steps to get to a point where you can actually use your slapd install for something.

chandra (chandru-talk) wrote :

I think dpkg-reconfigure slapd still has issues as of today, and the doc does not reflect it. I have followed these steps to make it work again from ground up.

http://wiki.ubuntuusers.de/OpenLDAP

I think that the developers need to do a bit more of testing.

chandra (chandru-talk) wrote :

Furthermore, this has happened in the server edition; I would expect that the guys are a little more cautious when releasing the fixes for the server edition.

The documentation for Karmic is still wrong: https://help.ubuntu.com/9.10/serverguide/C/openldap-server.html

Also see bug #355400 - OpenLDAP doc page is horrible.

I found this forum post http://ubuntuforums.org/showpost.php?p=8161118&postcount=6 and this thread http://ubuntuforums.org/showthread.php?t=1313472 to be useful in getting a server up and running. It's a shame the Ubuntu documentation is still incorrect as it appears to be confusing people.

atom88 (adam-hiatt) wrote :

https://help.ubuntu.com/9.04/serverguide/C/openldap-server.html
This documentation is still outdated when it comes to installing it. The script does NOT request a password still?

Any updates as to when this document might be updated?

I would suggest making these docs more "wiki-like". Then, volunteers who run into the issue and wish to update the docs on their own for the benefit of the community may do so and everyone is happy. There are already 20+ messages on this bug alone. These could have been turned into productive time by updating the docs.

atom88 (adam-hiatt) wrote :

I found this comment about why things were changed:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/447099

-- Mathias Gug <email address hidden> Tue, 11 Aug 2009 14:48:56 -0400

There isn't a default LDAP directory admin password anymore. Instead the
cn=config tree is accessible when connecting as root using the SASL
external mechanism under the ldapi connection.

Example:

  sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"

  status invalid

[...]
--
Mathias Gug
Ubuntu Developer http://www.ubuntu.com
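
Because the quoted change replaces the admin password with local root access over ldapi, it is worth knowing exactly which identities the cn=config ACLs trust. The following added example (not code from the bug report or from the slapd package) lists every by-clause that grants write or manage; the LDIF is a constructed sample, and the olcAccess values and the `{1}hdb` database name in it are assumptions about a typical configuration.

```shell
#!/bin/sh
# Added example: list who holds write/manage rights in the cn=config ACLs.
# The LDIF below is a constructed sample, not output from the bug report.

SAMPLE_LDIF='dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=externa
 l,cn=auth manage by * break

dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to * by * read'

# LDIF folds long lines; a continuation line starts with one space.
# Join continuations back onto the line they belong to.
unfold_ldif() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (NR > 1) print buf; buf = $0 }
         END { print buf }'
}

# Print "entry<TAB>who<TAB>level" for each by-clause that grants write or
# manage. Limitation: a <who> containing spaces (a quoted DN) is not parsed.
privileged_grants() {
    unfold_ldif | awk '
        /^dn: / { dn = substr($0, 5) }
        /^olcAccess: / {
            n = split($0, clause, / by /)
            for (i = 2; i <= n; i++) {
                split(clause[i], f, " ")
                if (f[2] == "manage" || f[2] == "write") {
                    printf "%s\t%s\t%s\n", dn, f[1], f[2]
                }
            }
        }'
}

# On a live server, replace the sample with the real configuration:
#   sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -LLL olcAccess \
#       | privileged_grants
printf '%s\n' "$SAMPLE_LDIF" | privileged_grants
```

Any line in the output whose identity is not the local root peercred DN or an expected administrator deserves a closer look.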

Adam Sommer (asommer) wrote :

On Thu, Apr 29, 2010 at 10:23 AM, atom88 <email address hidden> wrote:

> https://help.ubuntu.com/9.04/serverguide/C/openldap-server.html
> This documentation is still outdated when it comes to installing it. The
> script does NOT request a password still?
>
> Any updates as to when this document might be updated?
>
>
>

The OpenLDAP instructions have been updated for Ubuntu Lucid, and they work
for Karmic. After Lucid is released a SRU for the Karmic serverguide will
probably be done. So the answer to your question is they should be updated
in the near future.

Thanks.

--
Party On,
Adam

On Thu, Apr 29, 2010 at 02:23:51PM -0000, atom88 wrote:
> Any updates as to when this document might be updated?
>
> I would suggest making these docs. more "wiki-like" Then, volunteers
> who run into the issue and wish to update the docs on their own for the
> benefit of the community may do so and everyone is happy.

FWIW the Ubuntu server guide is available from a bzr repository. Anyone can
create a branch, update the documentation and submit a merge proposal [1].

[1]: https://wiki.ubuntu.com/ServerTeam/KnowledgeBase#Documentor%20resources

--
Mathias Gug
Ubuntu Developer http://www.ubuntu.com

atom88 (adam-hiatt) wrote :

Thanks Mathias for the info. I'll look into becoming a contributor.

I found this how-to that solved my problem:
http://www.howtoforge.com/install-and-configure-openldap-on-ubuntu-karmic-koala

It has step-by-step instructions on how to create an "admin" user with a password.

On Thu, Apr 29, 2010 at 15:03:46 -0000, Adam Sommer wrote:
> The OpenLDAP instructions have been updated for Ubuntu Lucid, and they work
> for Karmic.

I noticed that the Lucid version of the Ubuntu Server Guide is now
available on the web site:

  https://help.ubuntu.com/10.04/serverguide/C/openldap-server.html

      Nathan

Matthew Nuzum (newz) on 2010-06-16
Changed in ubuntu-website:
status: New → Invalid

Trying to get LDAP working on Ubuntu is my worst linux experience yet. Still can't do it. Every tutorial a different, incomprehensible error code. Hours and hours wasted. Someone needs to sort this can of worms out.

Pin it back to Jaunty...groan.

Package: slapd
Pin: version 2.4.15-1ubuntu3
Pin-Priority: 1100

Package: ldap-utils
Pin: version 2.4.15-1ubuntu3
Pin-Priority: 1100

Package: libldap-2.4-2
Pin: version 2.4.15-1ubuntu3
Pin-Priority: 1100

-Bruce

On Thu, Jul 1, 2010 at 3:35 PM, <email address hidden> wrote:

> Trying to get LDAP working on Ubuntu is my worst linux experience yet.
> Still can't do it. Every tutorial a different, incomprehensible error
> code. Hours and hours wasted. Someone needs to sort this can of worms
> out.

Thomas Schweikle (tps) wrote :

Does not work for lucid too. Error:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
        additional info: <olcModuleLoad> handler exited with 1

This is for the documentation found for Ubuntu-Server. I do not see it fixed, as stated in comment #10

Nearly anything related to ldap seems undocumented, or at least outdated if not wrong and error prone. Any docs I found refer to various variants of "backend.ldif" all not working. This is quite bad, since Ubuntu lucid is out since April 2010! It looks a lot like no one considered to update necessary Howtos to make them work again.

Thomas Schweikle (tps) wrote :

Can you check /var/log/syslog for slapd related errors.

--
Party On,
Adam

Alfas (alfonsasstonis) wrote :

After every new release of ubuntu (the last I am trying now is 10.10) I try openldap. Unfortunately every time I end up with the same result. It does not work. I type in "dpkg-reconfigure slapd" and the result is the same as mentioned at the top of this bug report - no password asked configuration exits after first few questions. The only solution I found so far is to switch to http://directory.apache.org/

Adam Sommer (asommer) wrote :

Can you try purging slapd using apt-get purge slapd ? The issue is that
using reconfigure will, I believe, leave modules loaded in slapd. Thus when
you follow the instructions in the Server Guide you will need to account for
loaded modules, and modify the instructions appropriately. There will be
errors in /var/log/syslog pointing you in the right directions.

Thanks for reporting your issues, you can also find help in #ubuntu-server
on freenode.

--
Party On,
Adam
