---
# vim: set expandtab tabstop=2 shiftwidth=2:

- name: install openldap
  apt:
    name:
    - slapd
    - ldap-utils
    - python-ldap

- name: fix acl
  ldap_attr:
    name: olcAccess
    dn: olcDatabase={1}mdb,cn=config
    state: exact
    values:
    - >-
      {0}to attrs=userPassword,shadowLastChange
      by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth write
      by self write
      by anonymous auth
      by * none
    - >-
      {1}to dn.base="" by * read
    - >-
      {2}to *
      by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth write
      by * read
- name: set crypto
  ldap_attr:
    dn: cn=config
    name: "{{item.key}}"
    state: exact
    values: "{{item.value}}"
  with_dict:
    olcPasswordHash: '{CRYPT}'
    olcPasswordCryptSaltFormat: "$6$rounds=8000$%.16s"

- name: set base DN
  ldap_attr:
    dn: 'olcDatabase=\{{{ldap_database_index|default(1)}}\}mdb,cn=config'
    name: "{{item.key}}"
    state: exact
    values: "{{item.value}}"
  with_dict:
    olcSuffix: "{{ldap_basedn}}"
    olcRootDN: "cn=root,{{ldap_basedn}}"

- name: base DN exists?
  shell: ldapsearch -H ldapi:// -Y external -LLL -b {{ldap_basedn|quote}}
  register: basedn_check
  changed_when: no
  failed_when: "basedn_check.rc != 0 and basedn_check.rc != 32"
- name: "Base DN {{'exists' if basedn_check.rc == 0 else 'does not exists'}}"
  set_fact:
    basedn_exists: "{{basedn_check.rc == 0}}"

- name: prepare base DN
  when: not basedn_exists
  block:
  - name: generate root password
    set_fact:
      root_passwort: '{{lookup("password", "/dev/null chars=ascii_letters,digits,hexdigits length=20")}}'
  - debug: var=root_passwort
  - debug: var=root_passwort
  - name: add base DN
    become: yes
    become_user: openldap
    shell: slapadd -v
    args:
      stdin: |
        dn: {{ldap_basedn}}
        objectClass: top
        objectClass: dcObject
        objectClass: organization
        dc: {{ldap_basedn | regex_replace('^[^=]+=([^,]+).*', '\1')}}
        o:  {{ldap_basedn | regex_replace('^[^=]+=([^,]+).*', '\1')}}

        dn: ou=People,{{ldap_basedn}}
        objectClass: top
        objectClass: organizationalUnit
        structuralObjectClass: organizationalUnit
        ou: People

        dn: ou=Groups,{{ldap_basedn}}
        objectClass: top
        objectClass: organizationalUnit
        structuralObjectClass: organizationalUnit
        ou: Groups

        dn: cn=root,{{ldap_basedn}}
        objectClass: simpleSecurityObject
        objectClass: organizationalRole
        structuralObjectClass: organizationalRole
        cn: root
        description: LDAP administrator
        userPassword: highsecure

#  - name: update in ldap.conf
#    lineinfile:
#      path: /etc/ldap/ldap.conf
#      regexp: "^{{item.key}}"
#      insertafter: "^#{{item.key}}"
#      line: "{{item.key}} {{item.value}}"
#    with_dict:
#      BASE: '{{ldap_basedn}}'
#      URI: ldapi://