From 4b0312e4715c34c2ca954804da51ac3b4fa376ba Mon Sep 17 00:00:00 2001
From: Thomas Constans
Date: Tue, 13 May 2025 13:54:40 +0200
Subject: [PATCH] make it work on debian12
---
README.md | 2 +-
tasks/import_ldap_schema.yml | 4 +--
tasks/main.yml | 60 ++++++++++++++++++++--------------
tasks/replication_consumer.yml | 14 +++-----
tasks/replication_provider.yml | 30 ++++++++---------
templates/ssl.ldif | 9 +++--
vars/CentOS8.yml | 2 ++
vars/Debian.yml | 2 ++
8 files changed, 68 insertions(+), 55 deletions(-)
diff --git a/README.md b/README.md
index f1ad854..816e069 100644
--- a/README.md
+++ b/README.md
@@ -46,7 +46,7 @@ defined in vars/main.yml and vars/CentOS.yml
* ldap_schemas - list of additionnal schema names to load - default cosine
* ldap_replication_consumer - bool -true to setup a replication consumer
* ldap_replication_provider - bool -true to setup a replication provider
- * ldap_replication_account - account used for replication
+ * ldap_replication_account_dn- account used for replication
* ldap_replication_password - account password used for replication - ldap_replication_provider_uri - ldap uri of provider server
* ldap_have_ssl - boolean - wether we use ssl or not
diff --git a/tasks/import_ldap_schema.yml b/tasks/import_ldap_schema.yml
index 3424366..5617700 100644
--- a/tasks/import_ldap_schema.yml
+++ b/tasks/import_ldap_schema.yml
@@ -1,9 +1,9 @@
- name: check if schema is loaded
- command: "ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn"
+ ansible.builtin.command: "ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn"
register: ldap_schema_list
changed_when: false
- name: import additional schemas
- command: "ldapadd -Y EXTERNAL -H ldapi:/// -f {{ ldap_config_dir }}/schema/{{ schema }}.ldif"
+ ansible.builtin.command: "ldapadd -Y EXTERNAL -H ldapi:/// -f {{ ldap_config_dir }}/schema/{{ schema }}.ldif"
when: schema not in ldap_schema_list.stdout
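Review bot: `when: schema not in ldap_schema_list.stdout` at the end of the hunk is a plain substring test over the whole ldapsearch output, so a schema name that happens to be contained in another loaded schema's DN is reported as loaded and silently skipped, and the commit only renames the module around it. The DNs that search returns are typically of the form `cn={1}cosine,cn=schema,cn=config`, so anchoring the test on the RDN avoids the false positive in one line: `when: ('}' ~ schema ~ ',cn=schema,cn=config') not in ldap_schema_list.stdout`.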
diff --git a/tasks/main.yml b/tasks/main.yml
index 5f26d04..3a976f6 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -2,41 +2,41 @@
# tasks file for /etc/ansible/roles/slapd
- name: get admin password from keepass
- set_fact:
+ ansible.builtin.set_fact:
ldap_admin_dn: "{{ lookup( 'viczem.keepass.keepass', '{{ group_names[0]}}/{{ inventory_hostname }}_ldap_admin', 'username' ) }}"
ldap_admin_password: "{{ lookup( 'viczem.keepass.keepass', '{{ group_names[0]}}/{{ inventory_hostname }}_ldap_admin', 'password' ) }}"
tags: always
when: ldap_admin_dn is not defined or ldap_admin_password is not defined
- name: OS specific vars
- include_vars: "{{ ansible_distribution }}.yml"
+ ansible.builtin.include_vars: "{{ ansible_distribution }}.yml"
tags: always
- name: CentOS8 stuff
block:
- name: CentOS 8 specific vars
- include_vars: CentOS8.yml
+ ansible.builtin.include_vars: CentOS8.yml
- name: configure Symas repo for CentOS8
- get_url:
+ ansible.builtin.get_url:
url: https://repo.symas.com/configs/SOFL/rhel8/sofl.repo
dest: /etc/yum.repos.d/sofl.repo
when: ansible_distribution_major_version == 8 and ansible_distribution =='CentOS'
tags: always
- name: install
- package:
+ ansible.builtin.package:
name: "{{ ldap_packages }}"
state: present
- name: configure client
- template:
+ ansible.builtin.template:
src: ldap.conf
dest: "{{ ldap_config_dir }}/"
mode: 0644
- name: activate service
- service:
+ ansible.builtin.service:
name: "{{ ldap_service }}"
state: started
enabled: yes
@@ -75,7 +75,7 @@
ordered: true
- name: reconfigure slapd - access to cn=config
- ldap_attrs:
+ community.general.ldap_attrs:
dn: olcDatabase={0}config,cn=config
attributes:
olcAccess:
@@ -86,7 +86,7 @@
state: exact
- name: reconfigure slapd - access to cn=monitor
- ldap_attrs:
+ community.general.ldap_attrs:
dn: olcDatabase={1}monitor,cn=config
attributes:
olcAccess:
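Review bot: `mode: 0644` on the `configure client` task is left as an unquoted octal literal while the task is being rewritten; YAML 1.1 loaders read it as the integer 420, and Ansible's own guidance is to pass modes as quoted strings so the module does the conversion itself, i.e. `mode: "0644"`. The same applies to `mode: 0600` and `mode: 0700` in the @@ -114 and @@ -122 hunks of this file. `enabled: yes` on the `activate service` task is a YAML 1.1 truthy spelling; `enabled: true` is the canonical form. The task list continues past the end of the hunk.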
@@ -98,13 +98,13 @@
when: ansible_os_family == 'RedHat'
- name: load additionnal schema
- include_tasks: import_ldap_schema.yml
+ ansible.builtin.include_tasks: import_ldap_schema.yml
loop: "{{ ldap_schemas }}"
loop_control:
loop_var: schema
- name: create suffix
- ldap_entry:
+ community.general.ldap_entry:
server_uri: ldap://localhost
bind_dn: "{{ ldap_admin_dn }}"
bind_pw: "{{ ldap_admin_password }}"
@@ -114,7 +114,7 @@
dc: "{{ ldap_domain }}"
- name: create passwd file
- copy:
+ ansible.builtin.copy:
dest: "{{ ldap_secret_file }}"
mode: 0600
content: "{{ ldap_admin_password }}"
@@ -122,38 +122,38 @@
- name: import data
block:
- name: create initial directory
- file:
+ ansible.builtin.file:
path: /root/Ldif
state: directory
mode: 0700
- name: send ldif files
- template:
+ ansible.builtin.template:
src: "{{ item }}"
dest: /root/Ldif/
mode: 0600
loop: "{{ ldap_ldif_files }}"
- name: get list of ldif files
- find:
+ ansible.builtin.find:
paths: /root/Ldif
patterns: "*.ldif"
file_type: file
register: ldif_list
- name: import ldif files
- command: "ldapadd -c -y {{ ldap_secret_file }} -xD {{ ldap_admin_dn }} -f {{ item .path }}"
+ ansible.builtin.command: "ldapadd -c -y {{ ldap_secret_file }} -xD {{ ldap_admin_dn }} -f {{ item .path }}"
with_items: "{{ ldif_list.files }}"
ignore_errors: true
when: ldap_ldif_files is defined
- name: configure replication provider
- include_tasks: replication_provider.yml
+ ansible.builtin.include_tasks: replication_provider.yml
when: ldap_replication_provider
- name: configure replication consumer
- include_tasks: replication_consumer.yml
+ ansible.builtin.include_tasks: replication_consumer.yml
when: ldap_replication_consumer
# cannot use ldap_entry module because attr olcTLS* don't have equality matching
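Review bot: The `create suffix` task binds as `{{ ldap_admin_dn }}` with `bind_pw` over `server_uri: ldap://localhost`, so the admin password travels in a plain simple bind over loopback TCP, whereas the other cn=config tasks touched by this commit go through `ldapi:///` and the replication tasks through `args: "{{ ldap_auth }}"`. If the admin DN is allowed to bind over the Unix socket, `server_uri: ldapi:///` keeps the credential off the network stack and makes the task consistent with the rest of the role. The remaining arguments of this task are outside the hunk.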
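Review bot: `ignore_errors: true` on the `import ldif files` task hides every failure of the `ldapadd` call, including a missing `{{ ldap_secret_file }}` or a bind rejected by the server, not only the already-exists case it is presumably meant to tolerate. In the OpenLDAP builds I know, ldapadd exits with the LDAP result code of the last failed operation (68 being entryAlreadyExists), so registering the result and failing selectively keeps the intent without masking real errors: `register: ldif_import` and `failed_when: ldif_import.rc not in [0, 68]`. `{{ item .path }}` carries a stray space before `.path`, and `with_items` is the legacy loop form; `loop: "{{ ldif_list.files }}"` with `{{ item.path }}` is the current spelling. The `add some entries` task in the @@ -210 hunk carries the same `ignore_errors: true`.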
@@ -165,15 +165,25 @@
block:
- name: send ldif file
- template:
+ ansible.builtin.template:
src: ssl.ldif
dest: /root/
- name: import ldif
- command: ldapmodify -c -y {{ ldap_secret_file }} -xD {{ ldap_admin_dn }} -f /root/ssl.ldif
+ ansible.builtin.command: ldapmodify -c -y {{ ldap_secret_file }} -xD {{ ldap_admin_dn }} -f /root/ssl.ldif
- - name: configure url
- lineinfile:
+ - name: configure url - Debian
+ when: ansible_os_family == 'Debian'
+ ansible.builtin.lineinfile:
+ path: /etc/default/slapd
+ regexp: '^SLAPD_SERVICES="ldap:/// ldapi:///"'
+ line: 'SLAPD_SERVICES="ldapi:/// ldap:/// ldaps:///"'
+ state: present
+ notify: restart_slapd
+
+ - name: configure url - RH
+ when: ansible_os_family == 'RedHat'
+ ansible.builtin.lineinfile:
path: /etc/sysconfig/slapd
regexp: '^SLAPD_URLS="ldapi:/// ldap:///"'
line: 'SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"'
@@ -181,7 +191,7 @@
notify: restart_slapd
- name: remove ldif
- file:
+ ansible.builtin.file:
path: /root/ssl.ldif
state: absent
when: ldap_have_ssl
@@ -200,7 +210,7 @@
line: source /root/.ldap_aliases.sh
- name: add some entries
- ldap_entry:
+ community.general.ldap_entry:
dn: "{{ item.dn }}"
objectClass: "{{ item.objectClass }}"
attributes: "{{ item.attributes }}"
@@ -210,5 +220,5 @@
ignore_errors: true
- name: setup backup
- import_tasks: backup.yml
+ ansible.builtin.import_tasks: backup.yml
tags: backup_ldap
diff --git a/tasks/replication_consumer.yml b/tasks/replication_consumer.yml
index e4dcb10..512d182 100644
--- a/tasks/replication_consumer.yml
+++ b/tasks/replication_consumer.yml
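Review bot: The new `configure url - Debian` task matches `regexp: '^SLAPD_SERVICES="ldap:/// ldapi:///"'`, i.e. only the pristine Debian default; on a host where that line was already edited (an extra URI, a port, or the ldaps value written slightly differently by hand) lineinfile finds no match and, with `state: present`, appends a second `SLAPD_SERVICES=` assignment at the end of /etc/default/slapd instead of replacing the first. Anchoring on the key alone, `regexp: '^SLAPD_SERVICES='` here and `regexp: '^SLAPD_URLS='` in the RH task, makes both tasks converge from any prior value. The commit also adds `ldap_daemon_config` and `ldap_daemon_url` to vars/CentOS8.yml and vars/Debian.yml, but neither task references them and the two values differ in shape (`SLAPD_URLS` versus `SLAPD_SERVICES=`); either use them to fold the two tasks into one or drop them. The RH task's trailing `state`/`notify` lines are in the next hunk.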
@@ -1,19 +1,15 @@
---
- name: add synrepl entry
- ldap_attr:
+ community.general.ldap_attrs:
dn: "{{ ldap_database }}"
- name: "{{ item.name }}"
- values: "{{ item.value }}"
- loop:
- - name: olcSyncRepl
- value: |
+ attributes:
+ olcSyncRepl: |
rid=001
provider="{{ ldap_replication_provider_uri }}"
- binddn="cn={{ ldap_replication_account }},{{ ldap_suffix }}"
+ binddn="{{ ldap_replication_account_dn }}"
bindmethod="simple"
credentials="{{ ldap_replication_password }}"
searchbase="{{ ldap_suffix }}"
type=refreshAndPersist
retry="10 +"
- - name: olcUpdateRef
- value: "{{ ldap_provider_uri }}"
+ olcUpdateRef: "{{ ldap_provider_uri }}"
diff --git a/tasks/replication_provider.yml b/tasks/replication_provider.yml
index 7419763..f77ce8b 100644
--- a/tasks/replication_provider.yml
+++ b/tasks/replication_provider.yml
@@ -1,19 +1,19 @@
---
- name: create replication account
- ldap_entry:
- dn: "cn={{ ldap_replication_account }},{{ ldap_suffix }}"
+ community.general.ldap_entry:
+ dn: "{{ ldap_replication_account_dn }}"
objectClass: person
attributes:
- sn: "{{ ldap_replication_account }}"
+ sn: "Replication"
userPassword: "{{ ldap_replication_password }}"
- params: "{{ ldap_auth }}"
+ args: "{{ ldap_auth }}"
- name: check wether module is already loaded
command: ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config objectClass=olcModuleList olcmoduleload
register: ldap_result
- name: add syncprov overlay module
- ldap_entry:
+ community.general.ldap_entry:
dn: cn=module,cn=config
objectClass: olcModuleList
attributes:
@@ -22,7 +22,7 @@
when: '"syncprov.la" not in ldap_result.stdout'
- name: add syncprov overlay config
- ldap_entry:
+ community.general.ldap_entry:
dn: olcOverlay=syncprov,{{ ldap_database }}
objectClass: olcSyncProvConfig
attributes:
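Review bot: `olcUpdateRef: "{{ ldap_provider_uri }}"` on the last added line uses a different variable than `provider="{{ ldap_replication_provider_uri }}"` a few lines above, and the README hunk in this commit documents only `ldap_replication_provider_uri`; unless `ldap_provider_uri` is defined in defaults not shown here, the task fails on an undefined variable. The syncrepl spec also does `bindmethod="simple"` with `credentials=` and no `starttls=` option, so if `ldap_replication_provider_uri` is an `ldap://` URI the replication password is sent to the provider unencrypted; adding `starttls=critical tls_reqcert=demand` to the `olcSyncRepl` block (or requiring an `ldaps://` URI) closes that. Since `community.general.ldap_attrs` defaults to `state: present`, a later change to the password or provider adds a second olcSyncRepl value rather than replacing the first; `state: exact` would make the task converge on a single value.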
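Review bot: The `check wether module is already loaded` task keeps a bare `command:` with `register: ldap_result` and no `changed_when: false`, so the play reports a change on every run, while the near-identical probe in tasks/import_ldap_schema.yml receives both the FQCN and `changed_when: false` in this same commit; `ansible.builtin.command:` plus `changed_when: false` would make the two consistent (the `wether` typo in the task name could go at the same time). The `create replication account` task passes `userPassword: "{{ ldap_replication_password }}"` verbatim, which slapd stores as given unless a hashing overlay such as ppolicy is configured; supplying a pre-hashed value would avoid a cleartext password in the directory. Note too that `ldap_entry` only creates the entry, so a later change of the replication password is not applied to an existing account.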
@@ -31,15 +31,15 @@
olcSpSessionLog: 200
- name: configure serverid
- ldap_attr:
+ community.general.ldap_attrs:
dn: cn=config
- name: olcServerId
- values: "{{ ldap_replication_server_id|default(42) }}"
+ attributes:
+ olcServerId: "{{ ldap_replication_server_id|default(42) }}"
- name: add indexes for replication
- ldap_attr:
- dn: olcdatabase={2}hdb,cn=config
- name: olcDbIndex
- values:
- - entryUUID eq
- - entryCSN eq
+ community.general.ldap_attrs:
+ dn: "{{ ldap_database }}"
+ attributes:
+ olcDbIndex:
+ - entryUUID eq
+ - entryCSN eq
diff --git a/templates/ssl.ldif b/templates/ssl.ldif
index 15c7813..79138e7 100644
--- a/templates/ssl.ldif
+++ b/templates/ssl.ldif
@@ -3,15 +3,18 @@ changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: {{ ldap_ssl_cert_path }}
-
+replace: olcTLSCACertificatePath
+olcTLSCACertificatePath: /etc/ssl/certs
+-
replace: olcTLSCertificateKeyfile
olcTLSCertificateKeyfile: {{ ldap_ssl_key_path }}
-
-replace: olcTLSCipherSuite
-olcTLSCipherSuite: TLSv1+RSA:!NULL
+replace: olcTLSProtocolMin
+olcTLSProtocolMin: 3.3
-
replace: olctlsverifyclient
olctlsverifyclient: never
-
replace: olctlscacertificatefile
-olctlscacertificatefile: {{ ldap_ssl_cacert_path }}
+olctlscacertificatefile: {{ ldap_ssl_cert_path }}
diff --git a/vars/CentOS8.yml b/vars/CentOS8.yml
index bf403a0..98cd60e 100644
--- a/vars/CentOS8.yml
+++ b/vars/CentOS8.yml
@@ -6,3 +6,5 @@ ldap_service: slapd
ldap_user: ldap
ldap_database: olcDatabase={2}hdb,cn=config
ldap_module_dir: /usr/lib64/openldap/
+ldap_daemon_config: /etc/sysconfig/slapd
+ldap_daemon_url: SLAPD_URLS
diff --git a/vars/Debian.yml b/vars/Debian.yml
index 44b55f0..05bd1f8 100644
--- a/vars/Debian.yml
+++ b/vars/Debian.yml
@@ -7,3 +7,5 @@ ldap_packages:
- python3-ldap
ldap_service: slapd
ldap_user: openldap
+ldap_daemon_config: /etc/default/slapd
+ldap_daemon_url: SLAPD_SERVICES=
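Review bot: `olcServerId: "{{ ldap_replication_server_id|default(42) }}"` bakes a fixed fallback into cn=config, so if this role is ever applied to a second provider (multi-provider replication) without the variable set, both servers end up with serverID 42 and syncrepl can no longer attribute changes to a server. Making the variable required, or deriving the default from something host-specific, is safer than a shared constant. Style-wise the filter is written without the spacing used elsewhere in the role, `| default(42)`.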
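Review bot: The last line repoints `olctlscacertificatefile` from `{{ ldap_ssl_cacert_path }}` to `{{ ldap_ssl_cert_path }}`, the server's own certificate. That only makes sense for a self-signed certificate; for a CA-issued one slapd's CA file would hold just the leaf, and `ldap_ssl_cacert_path` becomes a dead variable that the README (outside this hunk) presumably still documents. Keeping `olctlscacertificatefile: {{ ldap_ssl_cacert_path }}` and letting the newly added `olcTLSCACertificatePath: /etc/ssl/certs` supply the system trust store looks closer to the intent; that directory is the Debian location, so check that it resolves on the RedHat family the role also targets. Raising the floor to TLS 1.2 with `olcTLSProtocolMin: 3.3` in place of the old cipher string is a clear improvement.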