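## Install and configure slapd (if not done yet),
## run most tasks only on slapd installation.
---
# The preseeded LDAP domain is taken from ansible_domain, so an empty value
# would leave slapd with an unusable suffix; stop early instead.
- name: fail when the machine has no domain
  fail:
    msg: "The machine's domain must not be empty."
  when: ansible_domain | length == 0

# The installed config file is the marker for "slapd already initialised";
# most of the one-time tasks below are skipped when it exists.
- name: check if slapd is already there
  stat:
    path: /etc/ldap/slapd.d/slapd-config.ldif
  register: slapd

- name: preseed ldap domain
  debconf:
    name: slapd
    question: slapd/domain
    value: "{{ ansible_domain }}"
    vtype: string
  when: not slapd.stat.exists

- name: preseed slapd admin password1
  debconf:
    name: slapd
    question: slapd/password1
    value: "{{ ldap_admin_pwd }}"
    vtype: password
  no_log: true
  when: not slapd.stat.exists

- name: preseed slapd admin password2
  debconf:
    name: slapd
    question: slapd/password2
    value: "{{ ldap_admin_pwd }}"
    vtype: password
  no_log: true
  when: not slapd.stat.exists

# Written with the copy module rather than `echo` in a shell: the password
# then never appears on a command line (argv is readable by other local
# users via /proc while the shell runs) and is not subject to shell
# interpretation of quotes, `$` or a leading `-`. `content` is written
# verbatim without a trailing newline, matching the former `echo -n`.
- name: dump admin password
  copy:
    content: "{{ ldap_admin_pwd }}"
    dest: "{{ ldap_admin_pwd_file }}"
    mode: "0600"
  no_log: true
  when: not slapd.stat.exists

# state: latest also upgrades these packages on every run; switch to
# present if upgrades are meant to happen elsewhere.
- name: install slapd, ldap-utils, ldapvi and python3-ldap
  apt:
    name:
      - slapd
      - ldap-utils
      - ldapvi
      - python3-ldap
    state: latest

- name: make initial slapd configuration available
  copy:
    src: slapd-config.ldif
    dest: /etc/ldap/slapd.d/slapd-config.ldif
  when: not slapd.stat.exists

# Both ldapadd calls authenticate over the local ldapi socket with SASL
# EXTERNAL, so no password is involved here.
- name: activate ppolicy schema
  command: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
  when: not slapd.stat.exists

- name: initialize slapd if it has just been installed
  command: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/slapd-config.ldif
  when: not slapd.stat.exists

# The LAN address is interpolated into a regular expression, so its dots are
# escaped; unescaped, "10.0.0.1" would also match a line such as "10a0b0c1".
- name: "make 'ldap' an alias hostname resolvable from the LAN"
  replace:
    path: /etc/hosts
    regexp: "^({{ ipaddr_lan | ipaddr('address') | regex_escape }}\\s.+)$"
    replace: '\1 ldap'
  when: not slapd.stat.exists

- name: add URI to ldap.conf
  lineinfile:
    path: /etc/ldap/ldap.conf
    line: "URI ldapi:///"
    insertafter: "#URI.*"

- name: add BASE to ldap.conf
  lineinfile:
    path: /etc/ldap/ldap.conf
    line: "BASE {{ basedn }}"
    insertafter: "#BASE.*"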
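#######################################################################################
## Use the admin password saved to file from now on (available also after installation):
# NOTE(review): the result is registered under the same name as the plain
# password variable used for preseeding. A registered variable cannot shadow
# an extra-var (-e) of that name; if ldap_admin_pwd is ever supplied that
# way, the ['content'] lookups below fail — keep the two names apart then.
- name: slurp admin password
  slurp:
    src: "{{ ldap_admin_pwd_file }}"
  register: ldap_admin_pwd
  no_log: true

## Prepare user directories
# Every directory write binds as the admin DN with the password just read
# back; both are defined once here instead of being decoded in each task.
- name: manage directory entries as the admin DN
  vars:
    slapd_admin_dn: "cn=admin,{{ basedn }}"
    slapd_admin_bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
  block:
    - name: make sure we have a people entry for users
      ldap_entry:
        dn: "ou=people,{{ basedn }}"
        objectClass: organizationalUnit
        bind_dn: "{{ slapd_admin_dn }}"
        bind_pw: "{{ slapd_admin_bind_pw }}"

    - name: make sure we have a group entry for users
      ldap_entry:
        dn: "ou=groups,{{ basedn }}"
        objectClass: organizationalUnit
        bind_dn: "{{ slapd_admin_dn }}"
        bind_pw: "{{ slapd_admin_bind_pw }}"

    - name: add group for all ldapusers
      ldap_entry:
        dn: "cn=ldapuser,ou=groups,{{ basedn }}"
        objectClass:
          - posixGroup
        attributes:
          gidNumber: "18000"
        bind_dn: "{{ slapd_admin_dn }}"
        bind_pw: "{{ slapd_admin_bind_pw }}"

    - name: provide simple script to manage ldap/kdc
      template:
        src: debian-lan.j2
        dest: /usr/local/sbin/debian-lan
        mode: "0744"

    ## Add user
    # userPassword is sent as supplied; slapd stores it verbatim unless the
    # ppolicy overlay is configured to hash cleartext (olcPPolicyHashCleartext)
    # in slapd-config.ldif — verify that, or pass a pre-hashed value.
    - name: add dummy user foo
      ldap_entry:
        dn: "uid=foo,ou=people,{{ basedn }}"
        objectClass:
          - inetOrgPerson
          - posixAccount
        attributes:
          cn: foo
          sn: bar
          userPassword: "{{ foo_pwd }}"
          uidNumber: "10000"
          gidNumber: "10000"
          homeDirectory: "{{ lan_homes }}/foo"
          loginShell: /bin/bash
        bind_dn: "{{ slapd_admin_dn }}"
        bind_pw: "{{ slapd_admin_bind_pw }}"
      # foo_pwd travels in `attributes`, which the module does not mask
      # (only bind_pw is), so hide this task's arguments from the output.
      no_log: true
      when: foo_pwd is defined and foo_pwd | length > 0

    - name: add dummy group foo
      ldap_entry:
        dn: "cn=foo,ou=groups,{{ basedn }}"
        objectClass:
          - posixGroup
        attributes:
          gidNumber: "10000"
        bind_dn: "{{ slapd_admin_dn }}"
        bind_pw: "{{ slapd_admin_bind_pw }}"
      when: foo_pwd is defined and foo_pwd | length > 0

    # ldap_attr is deprecated upstream (community.general) in favour of
    # ldap_attrs; migrate once the target Ansible version provides it.
    - name: add dummy user foo to group ldapuser
      ldap_attr:
        dn: "cn=ldapuser,ou=groups,{{ basedn }}"
        name: memberUid
        values: foo
        bind_dn: "{{ slapd_admin_dn }}"
        bind_pw: "{{ slapd_admin_bind_pw }}"
      when: foo_pwd is defined and foo_pwd | length > 0

# permanent without `immediate` only changes the stored configuration; the
# running firewall applies it on the next reload. Make sure a handler or a
# later task reloads firewalld, or add `immediate: true` here.
- name: allow ldap service in firewalld
  firewalld:
    zone: internal
    service: ldap
    permanent: true
    state: enabled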