I had some issues and fixed them, but there is no post on Stack Exchange about it, so I'll post a question and answer too.
(EDIT: apparently there is a very related post... which I couldn't find any way other than by searching for "GSUFFIX", i.e. already knowing the answer)
I installed the packages that come with the distro:
apt install slapd ldap-utils ldapscripts libnss-ldap
And then I upgraded from something older to Ubuntu 16.04. (the cause of the 2nd problem?)
Or you can change that to the older way, using nslcd, which works way better (it doesn't make systemd-logind eat 100% CPU and never fully start, and doesn't cause some strange boot-up race conditions... nssldap-update-ignoreusers is supposed to fix such things but doesn't):
apt install libnss-ldapd libpam-ldap
Take the default for everything, except set things like your distinguished name and password.
And now you'd think it would just work... the distro of course has a setup that works, since you used only their packages, right? But instead ldapscripts fails in a few ways.
problem 1 - already solved
is that the Debian prompts asked for a password and put it in a file, but with a trailing newline, and the scripts don't work unless you remove that.
So you can fix that:
# write the secrets without a trailing newline
echo -n "secretgoeshere" > /etc/ldap.secret
echo -n "secretgoeshere" > /etc/ldapscripts/ldapscripts.passwd
# just in case... make sure only root can read them
chown root:root /etc/ldap.secret /etc/ldapscripts/ldapscripts.passwd
chmod go= /etc/ldap.secret /etc/ldapscripts/ldapscripts.passwd
# and because you can't be sure it won't break it again next time debconf runs (but I can assure you it will), make them immutable
chattr +i /etc/ldap.secret /etc/ldapscripts/ldapscripts.passwd
problem 2 - which I'll answer separately
# ldapaddgroup test
Error adding group test to LDAP
You can get a tiny bit more detail from the log
# tail /var/log/ldapscripts.log
Apr 09 16:51:57 ldapservername ldapscripts: ldapaddgroup(peter): /usr/sbin/ldapaddgroup test
No such object (32)
Matched DN: dc=example,dc=com
No such object (32)
Matched DN: dc=example,dc=com
ldap_add: No such object (32)
matched DN: dc=example,dc=com
-> Error adding group test to LDAP
And of course it doesn't say which object you referred to that doesn't exist. Obviously not the group name, since it should only complain when that already exists, and not existing is a requirement. And ldapscripts deletes the temp files, so you can't even see the ldif.
So this is the problem to solve in an answer, which I found nowhere online.
So to investigate, I took the ldapaddgroup script, and copied it and modified it:
And so I saw that the ldif had ou=Groups, but my database has no such ou... it has ou=Group. I confirmed that is the problem by editing the ldif and adding it manually:
And you can basically see it like this too:
Luckily, this is easily configurable...
I don't really know what MSUFFIX is or whether I fixed anything... but I at least set it to something that exists. The other 2 are obviously correct. And now it works.
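Both failures above (a secret file that ends in a newline, and a GSUFFIX/USUFFIX/MSUFFIX container that does not exist under SUFFIX) can be checked before ldapscripts is run. The script below is an added example, not code from the original post or from ldapscripts; it assumes the standard ldapscripts.conf variable names SUFFIX, GSUFFIX, USUFFIX and MSUFFIX, and the `check_dns_exist` part needs ldap-utils and a reachable server.

```shell
#!/bin/sh
# Added pre-flight check for the two ldapscripts failures in the post above
# (example code, not from the original post). Assumes the standard variable
# names in /etc/ldapscripts/ldapscripts.conf: SUFFIX, GSUFFIX, USUFFIX, MSUFFIX.

# Return 0 if the secret file ends in a newline (the form debconf writes and
# ldapscripts cannot bind with), 1 if it is newline-free, 2 if missing/empty.
secret_has_trailing_newline() {
    [ -s "$1" ] || return 2
    # $(...) strips trailing newlines, so an empty result means the last byte was one.
    [ -z "$(tail -c 1 "$1")" ]
}

# Read one VAR="value" assignment from the conf without sourcing it (last one wins).
conf_get() {
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d "\"'"
}

# Print kind:DN for the containers ldapscripts composes as "${XSUFFIX},${SUFFIX}".
ldapscripts_dns() {
    suffix=$(conf_get "$1" SUFFIX)
    for pair in group:GSUFFIX user:USUFFIX machine:MSUFFIX; do
        kind=${pair%%:*}
        ou=$(conf_get "$1" "${pair#*:}")
        printf '%s:%s,%s\n' "$kind" "$ou" "$suffix"
    done
}

# Look up each container with a base-scope search; a missing one is exactly what
# makes ldapaddgroup fail with "No such object (32)". Needs ldap-utils; add -D/-W
# if the server does not allow anonymous reads of these entries.
check_dns_exist() {
    rc=0
    while IFS=: read -r kind dn; do
        if ldapsearch -x -LLL -s base -b "$dn" dn >/dev/null 2>&1 </dev/null; then
            echo "ok   $kind container exists: $dn"
        else
            echo "FAIL $kind container not found: $dn"; rc=1
        fi
    done
    return $rc
}

# Usage: sh ldapscripts-preflight.sh --check [/etc/ldapscripts/ldapscripts.conf]
if [ "${1:-}" = "--check" ]; then
    for f in /etc/ldap.secret /etc/ldapscripts/ldapscripts.passwd; do
        secret_has_trailing_newline "$f" && echo "FAIL $f ends in a newline"
    done
    ldapscripts_dns "${2:-/etc/ldapscripts/ldapscripts.conf}" | check_dns_exist
fi
```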