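---
# vim: set expandtab tabstop=2 shiftwidth=2:
#
# Bootstraps a local OpenLDAP (slapd) instance over the ldapi:// socket:
# packages, cn=config ACLs and password hashing, suffix/rootdn, and the
# initial tree (base entry, ou=People, ou=Groups, cn=root) when missing.
#
# Required variables:
#   ldap_basedn          - suffix of the directory, e.g. dc=example,dc=org
# Optional variables:
#   ldap_database_index  - index of the mdb database under cn=config (default 1)

- name: install openldap
  apt:
    name:
      - slapd
      - ldap-utils
      # community.general.ldap_attrs needs the python-ldap bindings for the
      # interpreter Ansible runs with; on recent releases the package may be
      # named python3-ldap instead — TODO confirm for the target release
      - python-ldap

# Ordered ACLs for the main database. The {N} prefixes pin the order of the
# olcAccess values, which is significant (first match wins).
#   {0} userPassword/shadowLastChange: writable by the local root peercred
#       identity and the entry itself, usable for binding by anonymous,
#       otherwise not readable.
#   {1} the root DSE is readable by everybody.
#   {2} everything else: writable by the local root peercred identity,
#       readable by everybody (including anonymous binds — intentional?).
- name: fix acl
  community.general.ldap_attrs:
    # Same database selector as "set base DN" below; the literal braces are
    # assembled in Jinja because "{" would otherwise start a YAML flow mapping.
    dn: 'olcDatabase={{"{"+(ldap_database_index|default(1)|string)+"}"}}mdb,cn=config'
    state: exact
    attributes:
      olcAccess:
        - >-
          {0}to attrs=userPassword,shadowLastChange
          by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth write
          by self write
          by anonymous auth
          by * none
        - >-
          {1}to dn.base=""
          by * read
        - >-
          {2}to *
          by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth write
          by * read

# Password storage format used by slapd for the Password Modify extended
# operation: crypt(3) SHA-512 with 8000 rounds and a 16-character salt.
# Note that slapadd (used below) stores userPassword verbatim and does NOT
# apply this setting, so values fed to slapadd must already be hashed.
- name: set crypto
  community.general.ldap_attrs:
    dn: cn=config
    state: exact
    attributes:
      olcPasswordHash: '{CRYPT}'
      olcPasswordCryptSaltFormat: "$6$rounds=8000$%.16s"

- name: set base DN
  community.general.ldap_attrs:
    dn: 'olcDatabase={{"{"+(ldap_database_index|default(1)|string)+"}"}}mdb,cn=config'
    state: exact
    attributes:
      olcSuffix: "{{ldap_basedn}}"
      olcRootDN: "cn=root,{{ldap_basedn}}"

# rc 0: base entry found; rc 32 (noSuchObject): not created yet. Anything
# else (socket missing, SASL failure, ...) is a real error.
- name: base DN exists?
  shell: ldapsearch -H ldapi:// -Y external -LLL -b {{ldap_basedn|quote}}
  register: basedn_check
  changed_when: false
  failed_when: "basedn_check.rc != 0 and basedn_check.rc != 32"

- name: "Base DN {{'exists' if basedn_check.rc == 0 else 'does not exists'}}"
  set_fact:
    basedn_exists: "{{basedn_check.rc == 0}}"

- name: prepare base DN
  when: not basedn_exists
  block:
    # The password lookup with "/dev/null" as its path generates a fresh
    # random password on every run and persists it nowhere; the debug task
    # below is the only place it is ever revealed, so record it from there.
    - name: generate root password
      set_fact:
        root_password: '{{lookup("password", "/dev/null chars=ascii_letters,digits,hexdigits length=20")}}'
      no_log: true  # keep the clear-text value out of -v output of set_fact

    # Deliberate one-time disclosure of the generated cn=root password.
    - debug: var=root_password

    # slapadd writes directly to the database, bypassing the cn=config
    # password hashing, so the userPassword value is hashed here with
    # crypt(3) SHA-512 ("$6$..."), matching olcPasswordHash {CRYPT} above.
    - name: add base DN
      become: true
      become_user: openldap
      shell: slapadd -v
      args:
        stdin: |
          dn: {{ldap_basedn}}
          objectClass: top
          objectClass: dcObject
          objectClass: organization
          dc: {{ldap_basedn | regex_replace( '^[^=]+=([^,]+).*', '\1')}}
          o: {{ldap_basedn | regex_replace( '^[^=]+=([^,]+).*', '\1')}}

          dn: ou=People,{{ldap_basedn}}
          objectClass: top
          objectClass: organizationalUnit
          structuralObjectClass: organizationalUnit
          ou: People

          dn: ou=Groups,{{ldap_basedn}}
          objectClass: top
          objectClass: organizationalUnit
          structuralObjectClass: organizationalUnit
          ou: Groups

          dn: cn=root,{{ldap_basedn}}
          objectClass: simpleSecurityObject
          objectClass: organizationalRole
          structuralObjectClass: organizationalRole
          cn: root
          description: LDAP administrator
          userPassword: {CRYPT}{{root_password | password_hash('sha512')}}
      no_log: true  # the LDIF on stdin would otherwise be echoed in -v output

# - name: update in ldap.conf
#   lineinfile:
#     path: /etc/ldap/ldap.conf
#     regexp: "^{{item.key}}"
#     insertafter: "^#{{item.key}}"
#     line: "{{item.key}} {{item.value}}"
#   with_dict:
#     BASE: '{{ldap_basedn}}'
#     URI: ldapi://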