Location: majic-ansible-roles/roles/ldap_server/tasks/main.yml

branko
MAR-49: Implemented TLS hardening for the LDAP server role.
---

# Pre-seed the debconf answers the slapd package reads at install time, so the
# initial directory is created for the configured domain and organisation
# without an interactive prompt. Both values are role variables.
- name: Set domain for slapd
  debconf:
    name: slapd
    question: slapd/domain
    vtype: string
    value: "{{ ldap_server_domain }}"

- name: Set organisation for slapd
  debconf:
    name: slapd
    question: slapd/organization
    vtype: string
    value: "{{ ldap_server_organization }}"

# Installed only after the debconf answers are in place.
- name: Install slapd
  apt:
    name: slapd
    state: installed

# The slapd service user must be able to enter the directory holding the TLS
# private key (/etc/ssl/private, which on Debian is group ssl-cert); it is added
# as a supplementary group so existing memberships are kept.
- name: Allow OpenLDAP user to traverse the directory with TLS private keys
  user:
    name: openldap
    groups: ssl-cert
    append: true
  register: openldap_in_ssl_cert

# A new supplementary group is only visible to processes started afterwards,
# hence the restart when (and only when) the membership actually changed.
- name: Restart slapd if group membership has changed
  service:
    name: slapd
    state: restarted
  when: openldap_in_ssl_cert.changed

# python-ldap is needed on the target by the custom ldap_entry /
# ldap_permissions modules used further down.
- name: Install Python LDAP bindings
  apt:
    name: python-ldap
    state: installed

# rcconf is used instead of the service module's boot-enable handling; the task
# name records it as a workaround for systemd's SysV handling. An empty stderr
# is taken as "changed" — presumably rcconf reports an already-enabled service
# on stderr; confirm, otherwise this task reports changed on every run.
- name: Enable slapd service on boot (workaround for systemctl broken handling of SysV)
  command: rcconf -on slapd
  register: result
  changed_when: result.stderr == ""

- name: Enable slapd service
  service:
    name: slapd
    state: started

# Logging: an rsyslog snippet for slapd (rsyslog is restarted via handler) and
# a logrotate policy for the resulting log files. Both are world-readable,
# root-owned configuration files.
- name: Deploy system logger configuration file for slapd
  copy:
    src: slapd_rsyslog.conf
    dest: /etc/rsyslog.d/slapd.conf
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart rsyslog

- name: Deploy configuration file for log rotation of slapd logs
  copy:
    src: slapd_logrotate
    dest: /etc/logrotate.d/slapd
    owner: root
    group: root
    mode: "0644"

# Runtime configuration is edited live in cn=config through the custom
# ldap_entry module (state=replace overwrites the attribute).
- name: Change log level for slapd
  ldap_entry:
    dn: cn=config
    state: replace
    olcLogLevel: "{{ ldap_server_log_level }}"

# Idempotency check for the misc schema: SASL EXTERNAL over the local socket
# (root maps to the cn=config administrator) and a one-level search below
# cn=schema,cn=config. No -H is given, so the client's default URI is used —
# the password tasks below pass -H ldapi:/// explicitly; confirm the default
# resolves to the same socket.
- name: Test if LDAP misc schema has been applied
  command: ldapsearch -Q -LLL -A -Y EXTERNAL -b cn=schema,cn=config -s one '(cn={*}misc)' cn
  register: ldap_misc_schema_present
  changed_when: false

# Empty search output means the schema entry does not exist yet.
- name: Deploy LDAP misc schema
  command: ldapadd -Y EXTERNAL -f /etc/ldap/schema/misc.ldif
  when: ldap_misc_schema_present.stdout == ""

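# TLS material. The private key is readable only by root and the openldap
# group (the service user was added to ssl-cert earlier for directory
# traversal). Modes are written with a leading zero and quoted so they are
# unambiguously octal — the original "640"/"644" relied on Ansible treating a
# bare digit string as octal.
- name: Deploy LDAP TLS private key
  copy:
    src: "{{ ldap_server_tls_key }}"
    dest: "/etc/ssl/private/{{ ldap_server_tls_key | basename }}"
    owner: root
    group: openldap
    mode: "0640"
  notify:
    - Restart slapd

- name: Deploy LDAP TLS certificate
  copy:
    src: "{{ ldap_server_tls_certificate }}"
    dest: "/etc/ssl/certs/{{ ldap_server_tls_certificate | basename }}"
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart slapd

# olcTLSCipherSuite is a GnuTLS priority string: "NONE" starts from an empty
# set and everything is enabled explicitly — TLS 1.2 only, X.509 certificates,
# no compression, RSA signatures with SHA-2, (EC)DHE key exchange for forward
# secrecy, AES-GCM and AES-CBC with SHA-256/384 MACs, all curves. No CA chain
# file (olcTLSCACertificateFile) is configured here; if the certificate is
# issued by an intermediate CA, the chain has to be part of the certificate
# file — confirm against the deployed certificate.
- name: Configure TLS for slapd (includes hardening)
  ldap_entry:
    dn: cn=config
    state: replace
    olcTLSCertificateFile: "/etc/ssl/certs/{{ ldap_server_tls_certificate | basename }}"
    olcTLSCertificateKeyFile: "/etc/ssl/private/{{ ldap_server_tls_key | basename }}"
    olcTLSCipherSuite: "NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA256:+SHA384:+AEAD:+AES-128-GCM:+AES-128-CBC:+AES-256-GCM:+AES-256-CBC:+CURVE-ALL"
  notify:
    - Restart slapd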

# olcSecurity ssf=N makes slapd reject operations on connections whose security
# strength factor is below N (i.e. forces TLS for remote clients); olcLocalSSF
# is the SSF credited to connections over the local ldapi socket, so the local
# SASL EXTERNAL tooling used in this role still meets the requirement.
- name: Configure SSF
  ldap_entry:
    dn: cn=config
    state: replace
    olcSecurity: "ssf={{ ldap_server_ssf }}"
    olcLocalSSF: "{{ ldap_server_ssf }}"

# state=append presumably adds to the multi-valued olcModuleLoad instead of
# replacing it; the "{1}" ordering prefix is hard-coded and assumes exactly
# one module is loaded before memberof — confirm on the target.
- name: Enable the memberof module
  ldap_entry:
    dn: "cn=module{0},cn=config"
    state: append
    olcModuleLoad: "{1}memberof"

# memberof overlay on the {1}mdb database: maintains the memberOf attribute on
# entries that are uniqueMember of a groupOfUniqueNames. olcMemberOfRefInt
# TRUE keeps referential integrity (member references are cleaned up when an
# entry is deleted). The "{0}"/"{1}" ordering indices are hard-coded.
- name: Enable the memberof overlay for database
  ldap_entry:
    dn: "olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config"
    objectClass:
      - olcConfig
      - olcMemberOf
      - olcOverlayConfig
    olcOverlay: memberof
    # Quoted: a bare TRUE would be parsed as a YAML boolean, not the string.
    olcMemberOfRefInt: "TRUE"
    olcMemberOfGroupOC: groupOfUniqueNames
    olcMemberOfMemberAD: uniqueMember

# Access control for the database whose suffix is the role's base DN. The rule
# set itself comes from the ldap_permissions variable; this task is what
# decides who can read/write which parts of the tree, so changes to that
# variable deserve review. The base DN is interpolated unescaped into the
# LDAP filter — fine for an operator-controlled value.
- name: Apply database permissions
  ldap_permissions:
    filter: "(olcSuffix={{ ldap_server_int_basedn }})"
    rules: "{{ ldap_permissions }}"

# Top-level organisational units under the base DN. `ldap_entry: ""` with
# `args:` is the older complex-arguments form (needed here for the
# objectClass list); the overlay task above passes a mapping directly.
- name: Create basic LDAP directory structure
  ldap_entry: ""
  args:
    dn: "ou={{ item }},{{ ldap_server_int_basedn }}"
    objectClass:
      - organizationalUnit
    ou: "{{ item }}"
  with_items:
    - people
    - groups
    - services

# Subtree for the mail service: ou=mail under ou=services, with the domains
# and aliases containers beneath it.
- name: Create the entry that will contain mail service information
  ldap_entry: ""
  args:
    dn: "ou=mail,ou=services,{{ ldap_server_int_basedn }}"
    objectClass: organizationalUnit
    ou: mail

- name: Create LDAP directory structure for mail service
  ldap_entry: ""
  args:
    dn: "ou={{ item }},ou=mail,ou=services,{{ ldap_server_int_basedn }}"
    objectClass: organizationalUnit
    ou: "{{ item }}"
  with_items:
    - domains
    - aliases

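# Bind accounts for services consuming the directory (one per item in
# ldap_server_consumers: name, password, optional state). userPassword set via
# LDAP add/modify is stored as supplied — OpenLDAP's olcPasswordHash applies
# only to the Password Modify operation — so item.password should be a
# pre-hashed value (e.g. {SSHA}) unless a consumer requires cleartext; confirm
# how the variable is populated. no_log keeps the passwords out of task output
# and logs (at the cost of less detail when the task fails). with_items is
# quoted because bare variable names there are deprecated.
- name: Create or remove login entries for services
  ldap_entry: ""
  args:
    dn: "cn={{ item.name }},ou=services,{{ ldap_server_int_basedn }}"
    objectClass:
      - applicationProcess
      - simpleSecurityObject
    cn: "{{ item.name }}"
    userPassword: "{{ item.password }}"
    state: "{{ item.state | default('present') }}"
  with_items: "{{ ldap_server_consumers }}"
  no_log: true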

# Operator-defined groups under ou=groups. groupOfUniqueNames requires at least
# one uniqueMember, hence the "cn=NONE" placeholder. The default state is
# "append" rather than "present" — presumably so that members added outside
# this role are not removed on re-run; confirm against the ldap_entry module.
# with_items uses a bare variable name (deprecated in newer Ansible).
- name: Create or remove user-supplied groups
  ldap_entry: ""
  args:
    dn: "cn={{ item.name }},ou=groups,{{ ldap_server_int_basedn }}"
    objectClass: groupOfUniqueNames
    cn: "{{ item.name }}"
    uniqueMember: "cn=NONE"
    state: "{{ item.state | default('append') }}"
  with_items: ldap_server_groups

# Free-form entries: each item in ldap_entries is passed to ldap_entry as its
# full argument mapping. NOTE(review): if any of these carry userPassword or
# other secrets, the task output and logs will show them — consider
# `no_log: true` for this task. with_items uses a bare variable name
# (deprecated in newer Ansible).
- name: Create user-supplied LDAP entries
  ldap_entry: ""
  args: "{{ item }}"
  with_items: ldap_entries

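# ferm rule set opening the LDAP port(s); contents live in the role's files.
# Mode is written as "0640" (quoted, leading zero) instead of the original
# bare 640 so it is unambiguously octal.
- name: Deploy firewall configuration for LDAP
  copy:
    src: ferm_ldap.conf
    dest: /etc/ferm/conf.d/10-ldap.conf
    owner: root
    group: root
    mode: "0640"
  notify:
    - Restart ferm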

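# The admin password is written to a root-only file so the LDAP tools can read
# it with -y/-T instead of taking it on the command line, where it would be
# visible in the process list. changed_when: false hides the write from the
# change summary; no_log keeps the rendered secret out of task output and
# --diff. The file is removed again at the end of this task list — a failure
# in between leaves it behind (root, mode 0400). Mode is quoted with a leading
# zero (original: bare 400) so it is unambiguously octal.
- name: Deploy temporary file with LDAP admin password
  template:
    src: ldap_admin_password.j2
    dest: /root/.ldap_admin_password
    owner: root
    group: root
    mode: "0400"
  changed_when: false
  no_log: true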

# Simple bind as the admin DN with the password read from the root-only file
# (-y), so the secret is never on the command line. Any non-zero exit — not
# only "invalid credentials" — is taken to mean the password must be (re)set,
# and failed_when: false keeps such a failure from aborting the play. No -H is
# given, so the client's default URI is used; if the SSF requirement above
# applies to that URI without TLS, the bind could fail for that reason alone
# and the password would be reset on every run — verify the default URI.
- name: Test if LDAP admin password needs to be changed
  command: ldapwhoami -D "cn=admin,{{ ldap_server_int_basedn }}" -x -y /root/.ldap_admin_password
  register: ldap_admin_password_check
  changed_when: ldap_admin_password_check.rc != 0
  failed_when: false

# Set the new password over the local ldapi socket using SASL EXTERNAL (root's
# identity), reading it from the temporary file (-T). Runs only when the bind
# check above did not succeed.
- name: Update LDAP admin password
  command: ldappasswd -Y EXTERNAL -H ldapi:/// "cn=admin,{{ ldap_server_int_basedn }}" -T /root/.ldap_admin_password
  when: ldap_admin_password_check.rc != 0

# Remove the plaintext secret from disk; changed_when: false hides the
# deletion from the change summary.
- name: Remove temporary file with LDAP admin password
  file:
    path: /root/.ldap_admin_password
    state: absent
  changed_when: false

# Optional backup tasks, gated on the enable_backup variable (evaluated as a
# plain truthiness test — a string such as "false" would be truthy; confirm
# how the variable is set).
- name: Enable backup
  include: backup.yml
  when: enable_backup