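---
# Tasks for installing and configuring an OpenLDAP (slapd) server.
#
# Expects the following to be defined elsewhere in the role:
#   - ldap_server_config: domain, organization, log_level, tls_key,
#     tls_certificate, ssf
#   - ldap_permissions / ldap_entries: lists consumed by the loops below
#   - handlers: Restart rsyslog, Restart slapd, Restart ferm
# ldap_entry and ldap_permissions are not Ansible built-ins; presumably they
# are shipped with this role (library/) — confirm.
#
# Changes from the key=value form this file originally used: module args
# are written as block YAML, file modes are quoted strings so they cannot be
# re-typed as decimal integers, the deprecated apt alias 'installed' is
# 'present', and with_items receives templated expressions rather than bare
# variable names (bare names are deprecated and rejected by newer Ansible).

# Pre-seed the debconf answers slapd's package configuration reads, so the
# install below needs no interactive prompts.
- name: Set domain for slapd
  debconf:
    name: slapd
    question: slapd/domain
    vtype: string
    value: "{{ ldap_server_config.domain }}"

- name: Set organisation for slapd
  debconf:
    name: slapd
    question: slapd/organization
    vtype: string
    value: "{{ ldap_server_config.organization }}"

- name: Install slapd
  apt:
    name: slapd
    state: present

# The TLS private key is deployed below under /etc/ssl/private with group
# openldap; presumably the directory itself is only traversable by group
# ssl-cert, hence the extra group membership — confirm on the target release.
- name: Allow OpenLDAP user to traverse the directory with TLS private keys
  user:
    name: openldap
    append: true
    groups: ssl-cert
  register: openldap_in_ssl_cert

# A running process does not pick up new supplementary groups; restart so
# slapd can actually read the key directory.
- name: Restart slapd if group membership has changed
  service:
    name: slapd
    state: restarted
  when: openldap_in_ssl_cert.changed

# NOTE(review): python-ldap is the Python 2 package name — confirm it exists
# on the target release.
- name: Install Python LDAP bindings
  apt:
    name: python-ldap
    state: present

- name: Enable slapd service
  service:
    name: slapd
    enabled: true
    state: started

- name: Deploy system logger configuration file for slapd
  copy:
    src: slapd_rsyslog.conf
    dest: /etc/rsyslog.d/slapd.conf
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart rsyslog

- name: Deploy configuration file for log rotation of slapd logs
  copy:
    src: slapd_logrotate
    dest: /etc/logrotate.d/slapd
    owner: root
    group: root
    mode: "0644"

- name: Change log level for slapd
  ldap_entry:
    dn: cn=config
    state: replaceattributes
    olcLogLevel: "{{ ldap_server_config.log_level }}"

# Private key: readable by root and the openldap group only (0640);
# world-readable keys would let any local user impersonate the server.
- name: Deploy LDAP TLS private key
  copy:
    src: "{{ ldap_server_config.tls_key }}"
    dest: "/etc/ssl/private/{{ ldap_server_config.tls_key | basename }}"
    owner: root
    group: openldap
    mode: "0640"
  notify:
    - Restart slapd

# The certificate is public material and may be world-readable.
- name: Deploy LDAP TLS certificate
  copy:
    src: "{{ ldap_server_config.tls_certificate }}"
    dest: "/etc/ssl/certs/{{ ldap_server_config.tls_certificate | basename }}"
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart slapd

# NOTE(review): only the server certificate and key are configured; no CA /
# chain file is set, so an intermediate chain (if the certificate needs one)
# would not be served — confirm against the certificate in use.
- name: Configure TLS for slapd
  ldap_entry:
    dn: cn=config
    state: replaceattributes
    olcTLSCertificateFile: "/etc/ssl/certs/{{ ldap_server_config.tls_certificate | basename }}"
    olcTLSCertificateKeyFile: "/etc/ssl/private/{{ ldap_server_config.tls_key | basename }}"
  notify:
    - Restart slapd

# olcSecurity requires a minimum security strength factor (i.e. TLS) for
# connections; olcLocalSSF is the SSF credited to local ldapi:// connections
# so administrative access over the unix socket still meets that minimum.
- name: Configure SSF
  ldap_entry:
    dn: cn=config
    state: replaceattributes
    olcSecurity: "ssf={{ ldap_server_config.ssf }}"
    olcLocalSSF: "{{ ldap_server_config.ssf }}"

- name: Enable the memberof module
  ldap_entry:
    dn: "cn=module{0},cn=config"
    state: addattributes
    olcModuleLoad: "{1}memberof"

# memberof overlay on the first mdb database: maintains memberOf on entries
# listed as uniqueMember of groupOfUniqueNames groups, with referential
# integrity enabled.
- name: Enable the memberof overlay for database
  ldap_entry:
    dn: "olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config"
    objectClass:
      - olcConfig
      - olcMemberOf
      - olcOverlayConfig
    olcOverlay: memberof
    olcMemberOfRefInt: "TRUE"
    olcMemberOfGroupOC: groupOfUniqueNames
    olcMemberOfMemberAD: uniqueMember

# Access control: each item supplies a filter and its rules.
- name: Apply database permissions
  ldap_permissions:
    filter: "{{ item.filter }}"
    rules: "{{ item.rules }}"
  with_items: "{{ ldap_permissions }}"

# Each item is a full dict of module parameters, passed via args.
- name: Create LDAP entries
  ldap_entry: ""
  args: "{{ item }}"
  with_items: "{{ ldap_entries }}"

- name: Deploy firewall configuration for LDAP
  copy:
    src: ferm_ldap.conf
    dest: /etc/ferm/conf.d/10-ldap.conf
    owner: root
    group: root
    mode: "0640"
  notify:
    - Restart ferm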