I'm attaching an updated patch, which includes the previous patch with
an additional change. This adds another organizationalUnit to contain
groups in the LDAP user directory.
diff --git a/first-run.d/50_ldap-server b/first-run.d/50_ldap-server
new file mode 100755
index 0000000..6b45da8
--- /dev/null
+++ b/first-run.d/50_ldap-server
@@ -0,0 +1,15 @@
+#!/bin/sh
+#
+# Remove LDAP admin password. Allow root to modify the users directory.
+
+cat <<EOF |ldapmodify -Y EXTERNAL -H ldapi:///
+dn: olcDatabase={1}mdb,cn=config
+changetype: modify
+delete: olcRootPW
+
+dn: olcDatabase={1}mdb,cn=config
+changetype: modify
+replace: olcRootDN
+olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
+
+EOF
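Review bot: The password removal and the rootDN replacement are sent as two separate LDIF records, so a failure between them — the second modify being rejected, or the first failing with "no such attribute" on a re-run once olcRootPW is already gone, which makes ldapmodify stop before the second record — can leave `olcDatabase={1}mdb` with no olcRootPW and the old olcRootDN, i.e. no usable root identity at all; nothing notices because the script has no `set -e` and the pipeline's exit status is discarded. Folding both changes into one `changetype: modify` record separated by `-` makes them a single atomic operation, and feeding the heredoc straight into ldapmodify with an explicit exit check surfaces the other likely failure, slapd not yet listening on `ldapi:///` when the first-run hook fires. If this hook is expected to be idempotent, the `delete: olcRootPW` still errors when the attribute is absent, so either check for it first with `ldapsearch -Y EXTERNAL -H ldapi:/// -b 'olcDatabase={1}mdb,cn=config' olcRootPW` or document that the script is single-shot. A header comment stating that the script must run as root (the peercred identity is what EXTERNAL maps to) and that it requires a running slapd would also help the next maintainer.
```shell
# Remove LDAP admin password and hand root-DN rights to the local uid 0
# over ldapi:/// (SASL EXTERNAL / peercred). Both changes in ONE modify
# record so the database is never left with neither password nor rootDN.
ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF || { echo "ldapmodify failed" >&2; exit 1; }
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcRootPW
-
replace: olcRootDN
olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
EOF
```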
diff --git a/setup.d/30_ldap-server b/setup.d/30_ldap-server
index 231e83a..358c922 100755
--- a/setup.d/30_ldap-server
+++ b/setup.d/30_ldap-server
@@ -1,28 +1,23 @@
#!/bin/sh
-DEBIAN_FRONTEND=noninteractive apt-get install -y pwgen
-pwd="$(pwgen -1)"
-
domain=thisbox
echo slapd slapd/domain string $domain | debconf-set-selections
-echo slapd slapd/password1 password "$pwd" | debconf-set-selections
-echo slapd slapd/password2 password "$pwd" | debconf-set-selections
DEBIAN_FRONTEND=noninteractive apt-get install -y slapd ldap-utils
# Make sure slapd isn't running when we use slapadd
service slapd stop
-# slapcat -b cn=config
-
-#slapadd /usr/share/freedombox/ldap/root.ldif
cat <<EOF|slapadd
dn: ou=users,dc=$domain
objectClass: top
objectClass: organizationalUnit
ou: users
-EOF
+dn: ou=groups,dc=$domain
+objectClass: top
+objectClass: organizationalUnit
+ou: groups
-echo password: $pwd
+EOF