---
- name: Install OpenLDAP
  apt:
    name:
      - slapd
      - ldap-utils
      - openssl
      - python3-ldap
  become: yes

- name: Check for changed cert
  command: /bin/true
  when:
    - cert_changed
  notify:
    - Restart slapd

#
# Global server config
#

- name: Configure TLS Certificate
  community.general.ldap_attrs:
    dn: cn=config
    attributes:
      olcTLSCACertificateFile: '{{ ldap.tls.ca }}'
      olcTLSCertificateKeyFile: '{{ ldap.tls.key }}'
      olcTLSCertificateFile: '{{ ldap.tls.cert }}'
    state: exact
  become: yes
  when: ldap.tls.enable
  ignore_errors: yes

- name: Enable ldaps:636
  lineinfile:
    path: /etc/default/slapd
    regexp: '^SLAPD_SERVICES='
    line: 'SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"'
  become: yes
  when: ldap.tls.enable
  notify: Restart slapd

- name: Enable modules
  community.general.ldap_attrs:
    dn: cn=module{0},cn=config
    attributes:
      olcModuleLoad:
        - "{0}pw-sha2.la"
        - "{1}memberof.la"
        - "{2}refint.la"
    state: present
  become: yes

- name: Create memberOf Overlay
  community.general.ldap_entry:
    dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
    objectClass:
      - olcOverlayConfig
      - olcMemberOf
    attributes:
      olcMemberOfRefint: "TRUE"
      olcMemberOfDangling: ignore
      olcMemberOfGroupOC: groupOfNames
      olcMemberOfMemberAD: member
      olcMemberOfMemberOfAD: memberOf
  become: yes

- name: Enable SSHA Hashes
  community.general.ldap_attrs:
    dn: olcDatabase={-1}frontend,cn=config
    attributes:
      olcPasswordHash: "{SSHA}"
    state: present
  become: yes

#
# schema
#

# This assumes the default debian slapd setup with {1}mdb already configured,
# so we are just chaning a few things
- name: Configure LDAP schema
  community.general.ldap_attrs:
    dn: olcDatabase={1}mdb,cn=config
    attributes:
      olcSuffix: '{{ ldap.base }}'
      olcAccess:
        - >-
          {0}to attrs=userPassword
          by self write
          by anonymous auth
          by * none
        - >-
          {1}to attrs=shadowLastChange
          by self write
          by * read
        - >-
          {2}to *
          by users read
          by group/groupOfNames/member=cn=ldap_admin,ou=groups,{{ ldap.base }} manage
      olcRootDN: '{{ ldap.root_dn }}'
      olcRootPW: '{{ ldap.root_pw_hash }}'
    state: exact
  become: yes

- name: organization top object
  community.general.ldap_entry:
    dn: '{{ ldap.base }}'
    objectClass:
      - dcObject
      - organization
      - top
    attributes:
      o: '{{ ldap.o }}'
    server_uri: ldap://localhost
    bind_dn: '{{ ldap.root_dn }}'
    bind_pw: '{{ ldap.root_pw }}'

- name: Create OUs
  community.general.ldap_entry:
    dn: 'ou={{ item }},{{ ldap.base }}'
    objectClass:
      - organizationalUnit
      - top
    attributes:
      ou: '{{ item }}'
    server_uri: ldap://localhost
    bind_dn: '{{ ldap.root_dn }}'
    bind_pw: '{{ ldap.root_pw }}'
  loop:
    - users
    - apps
    - groups
    - unixgroups

- name: Create LDAP Admin group
  community.general.ldap_entry:
    dn: 'cn=ldap_admin,ou=groups,{{ ldap.base }}'
    objectClass:
      - groupOfNames
      - top
    attributes:
      cn: 'ldap_admin'
      member: ''
    server_uri: ldap://localhost
    bind_dn: '{{ ldap.root_dn }}'
    bind_pw: '{{ ldap.root_pw }}'