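---
# tasks file for /etc/ansible/roles/slapd
#
# Installs and configures an OpenLDAP server. Variables (ldap_packages,
# ldap_service, ldap_suffix, ldap_admin_dn, ldap_admin_password, ldap_domain,
# ldap_schemas, the ldap_ssl_*_path values and the import_data /
# ldap_replication_* / ldap_have_ssl switches) are expected to come from the
# role's defaults and from the per-distribution vars file loaded first.
#
# File modes are quoted throughout so YAML does not reinterpret the octal
# literal as a decimal integer; booleans use true/false rather than yes/no.

- name: OS specific vars
  include_vars: "{{ ansible_distribution }}.yml"

- name: install
  package:
    name: "{{ ldap_packages }}"
    state: present

- name: configure client
  template:
    src: ldap.conf
    dest: /etc/openldap/ldap.conf
    mode: "0644"

- name: activate service
  service:
    name: "{{ ldap_service }}"
    state: started
    enabled: true

# olcRootPW is among the looped values, so the task output is suppressed with
# no_log to keep the admin password out of logs and callbacks.
# NOTE(review): ldap_attr is deprecated in community.general in favour of
# ldap_attrs; the parameter layout differs, so that migration is left as-is here.
- name: reconfigure slapd
  ldap_attr:
    dn: "olcDatabase={2}hdb,cn=config"
    name: "{{ item.key }}"
    values: "{{ item.value }}"
    state: exact
  with_dict:
    olcSuffix: "{{ ldap_suffix }}"
    olcRootDN: "{{ ldap_admin_dn }}"
    olcRootPW: "{{ ldap_admin_password }}"
  no_log: true

- name: load additionnal schema
  include_tasks: import_ldap_schema.yml
  loop: "{{ ldap_schemas }}"
  loop_control:
    loop_var: schema

# bind_pw is passed here; hidden from logs for the same reason as above.
- name: create suffix
  ldap_entry:
    server_uri: ldap://localhost
    bind_dn: "{{ ldap_admin_dn }}"
    bind_pw: "{{ ldap_admin_password }}"
    dn: "{{ ldap_suffix }}"
    objectClass: domain
    attributes:
      dc: "{{ ldap_domain }}"
  no_log: true

# Password file consumed by ldapadd -y below, so the secret never appears on a
# command line. content is the raw password, hence no_log.
- name: create passwd file
  copy:
    dest: /root/.ldap.secrets
    mode: "0600"
    content: "{{ ldap_admin_password }}"
  no_log: true

# `| bool` normalises string values such as "true"/"false" coming from
# inventory or extra-vars instead of comparing against a literal boolean.
- name: import data
  when: import_data | bool
  block:
    - name: create initial directory
      file:
        path: /root/Ldif
        state: directory
        mode: "0700"

    - name: send ldif files
      template:
        src: "{{ item }}"
        dest: /root/Ldif/
        mode: "0600"
      with_fileglob: "templates/[0-9]*.ldif"

    - name: get list of ldif files
      find:
        paths: /root/Ldif
        patterns: "*.ldif"
        file_type: file
      register: ldif_list

    # The DN and the file path are passed through the quote filter so a value
    # containing spaces or shell metacharacters stays a single argument when
    # the command module splits the line.
    - name: import ldif files
      command: >-
        ldapadd -y /root/.ldap.secrets
        -xD {{ ldap_admin_dn | quote }}
        -f {{ item.path | quote }}
      with_items: "{{ ldif_list.files }}"

- name: configure replication provider
  include_tasks: replication_provider.yml
  when: ldap_replication_provider | bool

- name: configure replication consumer
  include_tasks: replication_consumer.yml
  when: ldap_replication_consumer | bool

# Both services are opened regardless of ldap_have_ssl; the plain ldap port
# carries unencrypted traffic unless clients are made to use STARTTLS.
- name: open firewall
  firewalld:
    service: "{{ item }}"
    permanent: true
    immediate: true
    state: enabled
  loop:
    - ldap
    - ldaps

# The olcTLS* attributes have no equality matching rules, so ldap_entry /
# ldap_attr cannot manage them. An LDIF is rendered and applied with
# ldapmodify instead.
- name: configure ssl
  tags: ssl
  when: ldap_have_ssl | bool
  block:
    - name: ensure certificate and key files have correct permissions
      file:
        path: "{{ item }}"
        group: ldap
        mode: "0640"
      loop:
        - "{{ ldap_ssl_cert_path }}"
        - "{{ ldap_ssl_key_path }}"
        - "{{ ldap_ssl_cacert_path }}"

    # /root/Ldif is otherwise only created inside the "import data" block, so
    # with import_data disabled the template task below would fail on a
    # missing destination directory.
    - name: ensure ldif directory exists
      file:
        path: /root/Ldif
        state: directory
        mode: "0700"

    - name: send ldif file
      template:
        src: ssl.ldif
        dest: /root/Ldif/

    # Applied over the local ldapi socket with SASL EXTERNAL (root identity),
    # so no bind password is needed for the cn=config change.
    - name: import ldif
      command: ldapmodify -c -Y EXTERNAL -H ldapi:/// -f /root/Ldif/ssl.ldif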