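---
# Provision an OpenLDAP (slapd) server: packages, SELinux-labelled data
# directory, optional backup/SPN tooling on the master, TLS material from
# the controller's letsencrypt tree, custom schema, slapd.conf, root shell
# aliases and the service's Kerberos keytab.
#
# Relies on a "restart slapd" handler defined elsewhere in the role/play.
# Secrets handled here (private key, slapd.conf, keytab) are deliberately
# root:ldap 0640 so only the service account can read them.

- name: install packages
  package:
    name: "{{ item }}"
    # "installed" is a deprecated alias of "present"
    state: present
  loop:
    - cyrus-sasl-gssapi
    - openldap-servers
    - ldapvi

- name: fix selinux context for ldap data directory
  sefcontext:
    path: "{{ ldap_datadir }}(/.*)?"
    setype: slapd_db_t

- name: create ldap data directory
  file:
    path: "{{ ldap_datadir }}"
    state: directory
    mode: "0700"
    owner: ldap
    group: ldap
    # _default picks up the slapd_db_t label registered above
    seuser: _default
    setype: _default

# NOTE(review): the symlink is created whenever ldap_datadir is not /srv/ldap,
# i.e. it assumes the real data then lives under /export/ldap — confirm.
- name: link ldap data directory
  file:
    path: /srv/ldap
    src: /export/ldap
    state: link
    owner: root
    group: root
    follow: false
  when: ldap_datadir != "/srv/ldap"

- name: master-only backup and spn tooling
  when: ldap_master is defined
  block:
    - name: create backup directory
      file:
        path: /export/backup
        state: directory
        mode: "0750"
        owner: ldap
        group: ldap

    - name: link backup directory
      file:
        path: /srv/backup
        src: /export/backup
        state: link
        owner: root
        group: "{{ ansible_wheel }}"
        follow: false

    - name: copy backup script
      copy:
        dest: /usr/local/sbin/ldap-backup
        src: ldap-backup.sh
        # root-owned so the unprivileged ldap cron user cannot modify what it runs
        mode: "0755"
        owner: root
        group: "{{ ansible_wheel }}"

    - name: create backup cron job
      cron:
        name: ldap-backup
        job: /usr/local/sbin/ldap-backup
        hour: "0"
        minute: "10"
        user: ldap

    - name: copy spn helper script
      copy:
        dest: /usr/local/sbin/ldapspn
        src: ldapspn.py
        mode: "0755"
        owner: root
        group: "{{ ansible_wheel }}"

# legacy NSS (Mozilla) cert databases; this setup uses PEM files instead
- name: remove nss cert databases
  file:
    path: "/etc/openldap/certs/{{ item }}"
    state: absent
  loop:
    - cert8.db
    - key3.db
    - password
    - secmod.db

# TLS material is read from the controller's letsencrypt tree (copy src is
# controller-local), so only the public parts are world-readable on the host.
- name: copy ldap server certificates
  copy:
    dest: "{{ tls_certs }}/{{ ldap_server_cert }}.crt"
    src: "/srv/letsencrypt/live/{{ ldap_server_cert }}/cert.pem"
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"
  tags: certificates
  notify: restart slapd

- name: copy ldap server key
  copy:
    dest: "{{ tls_private }}/{{ ldap_server_cert }}.key"
    src: "/srv/letsencrypt/live/{{ ldap_server_cert }}/privkey.pem"
    mode: "0640"
    owner: root
    group: ldap
  tags: certificates
  notify: restart slapd

- name: copy ldap server certificate chain
  copy:
    dest: "{{ tls_certs }}/{{ ldap_server_cert }}-chain.crt"
    src: "/srv/letsencrypt/live/{{ ldap_server_cert }}/chain.pem"
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"
  tags: certificates
  notify: restart slapd

# The subject hash is computed on the controller, where chain.pem lives.
# "command" does not go through a shell, so ldap_server_cert is passed as
# an argument rather than interpreted.
- name: get ldap server chain hash
  command: "openssl x509 -in /srv/letsencrypt/live/{{ ldap_server_cert }}/chain.pem -noout -hash"
  delegate_to: localhost
  register: result
  changed_when: false
  # an empty hash would otherwise create a link literally named ".0" below
  failed_when: result.rc != 0 or result.stdout | length == 0
  tags: certificates

- name: link server chain certificate
  file:
    path: "/etc/openldap/certs/{{ result.stdout }}.0"
    src: "{{ tls_certs }}/{{ ldap_server_cert }}-chain.crt"
    owner: root
    group: "{{ ansible_wheel }}"
    follow: false
    state: link
  tags: certificates

- name: link local ca certificate
  file:
    path: "/etc/openldap/certs/{{ pki_cacert_hash }}.0"
    src: "{{ tls_certs }}/ca.crt"
    owner: root
    group: "{{ ansible_wheel }}"
    follow: false
    state: link

- name: create slapd sysconfig file
  copy:
    dest: /etc/sysconfig/slapd
    src: slapd.sysconfig
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"
  notify: restart slapd

# Supply-chain note: openssh-lpk.schema has no recorded upstream; treat the
# copy in this role as the reference and review any replacement by hand.
- name: add custom schema files
  copy:
    dest: "/etc/openldap/schema/{{ item }}"
    src: "{{ item }}"
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"
  loop:
    - kerberos.schema      # centos krb5-server-ldap 1.15.1
    - openssh-lpk.schema   # via google, no original source found
    - rfc2307bis.schema    # rfc2307bis version 2
    - samba.schema         # centos samba 4.8.3
  notify: restart slapd

- name: copy check password config
  copy:
    dest: /etc/openldap/check_password.conf
    src: check_password.conf
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"

# slapd.conf is root:ldap 0640 rather than world-readable since the
# rendered template may carry directory credentials.
- name: create slapd main config
  template:
    dest: /etc/openldap/slapd.conf
    src: slapd.conf.j2
    mode: "0640"
    owner: root
    group: ldap
  notify: restart slapd

- name: add ldap aliases for root
  blockinfile:
    path: /root/.bash_profile
    block: |
      # use slapd.conf by default for slap commands
      alias slapadd='echo "run as user ldap"'
      alias slapcat='slapcat -f /etc/openldap/slapd.conf'
      alias slapindex='echo "run as user ldap"'
      alias slaptest='slaptest -f /etc/openldap/slapd.conf'
      # ldapvi connects automatically via socket
      alias ldapvi='ldapvi -h ldapi:/// -Y EXTERNAL'

# The keytab is placed before the service is first started so GSSAPI is
# usable from the first boot, and a rotated keytab restarts slapd.
# NOTE(review): assumes slapd reads its keytab at startup (e.g. via
# KRB5_KTNAME in slapd.sysconfig) — confirm against that file.
- name: copy slapd keytab
  copy:
    dest: /etc/openldap/slapd.keytab
    src: "{{ ansible_private }}/files/keytabs/slapd.keytab"
    mode: "0640"
    owner: root
    group: ldap
  notify: restart slapd

- name: enable slapd service
  service:
    name: slapd
    state: started
    enabled: true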