ansible-collection-core/roles/podman_keycloak/tasks/ldap.yml

---
- name: Podman Keycloak | AUDIT | Wait 30 seconds for ldap server to start
  ansible.builtin.pause:
    seconds: 30

- name: Podman Keycloak | PATCH | Create ldap suffix
  containers.podman.podman_container_exec:
    name: ldap
    argv:
      - dsconf
      - -v
      - localhost
      - backend
      - create
      - --suffix
      - "{{ podman_keycloak_ldap_database_suffix_dn }}"
      - --be-name
      - "{{ podman_keycloak_ldap_database_backend_name }}"
      - --create-suffix
  become: true
  become_user: "{{ podman_keycloak_podman_rootless_user }}"
  register: podman_keycloak_create_suffix
  ignore_errors: true
  changed_when: false
  tags:
    - ldap

- name: Podman Keycloak | AUDIT | Create suffix result (only when changed)
  ansible.builtin.debug:
    msg: "Suffix was created"
  when: not podman_keycloak_create_suffix.failed
  changed_when: not podman_keycloak_create_suffix.failed

- name: Podman Keycloak | PATCH | Create OUs
  community.general.ldap_entry:
    dn: "ou={{ item }},{{ podman_keycloak_ldap_database_suffix_dn }}"
    objectClass:
      - top
      - organizationalUnit
    server_uri: ldaps://{{ inventory_hostname }}/
    bind_dn: "cn=Directory Manager"
    bind_pw: "{{ podman_keycloak_ldap_directory_manager_password }}"
  delegate_to: localhost
  with_items:
    - Administrators
    - People
    - Groups
  environment:
    LDAPTLS_REQCERT: "{% if podman_keycloak_certbot_testing %}never{% else %}always{% endif %}"
  tags: ldap

- name: Podman Keycloak | PATCH | Enable memberOf plugin
  containers.podman.podman_container_exec:
    name: ldap
    argv:
      - dsconf
      - -v
      - localhost
      - -D "cn=Directory Manager"
      - plugin
      - memberof
      - enable
  become: true
  become_user: "{{ podman_keycloak_podman_rootless_user }}"
  tags:
    - ldap

- name: Podman Keycloak | PATCH | Disable anonymous bind
  containers.podman.podman_container_exec:
    name: ldap
    argv:
      - dsconf
      - -v
      - localhost
      - -D "cn=Directory Manager"
      - config
      - replace
      - nsslapd-allow-anonymous-access=off
  become: true
  become_user: "{{ podman_keycloak_podman_rootless_user }}"
  tags:
    - ldap

- name: Podman Keycloak | PATCH | Create a read-only administrator
  community.general.ldap_entry:
    dn: "uid=admin,ou=Administrators,{{ podman_keycloak_ldap_database_suffix_dn }}"
    objectClass:
      - top
      - person
      - organizationalPerson
      - inetOrgPerson
    attributes:
      cn: admin
      sn: admin
      userPassword: "{{ podman_keycloak_ldap_administrator_password }}"
    server_uri: ldaps://{{ inventory_hostname }}/
    bind_dn: "cn=Directory Manager"
    bind_pw: "{{ podman_keycloak_ldap_directory_manager_password }}"
  delegate_to: localhost
  environment:
    LDAPTLS_REQCERT: "{% if podman_keycloak_certbot_testing %}never{% else %}always{% endif %}"
  tags: ldap

- name: Podman Keycloak | PATCH | Apply LDAP permissions
  community.general.ldap_attrs:
    dn: "{{ podman_keycloak_ldap_database_suffix_dn }}"
    attributes:
      aci: '(target="ldap:///{{ podman_keycloak_ldap_database_suffix_dn }}")(targetattr="*") (version 3.0; acl "readonly"; allow (search,read,compare) userdn="ldap:///uid=admin,ou=Administrators,{{ podman_keycloak_ldap_database_suffix_dn }}";)'
    server_uri: ldaps://{{ inventory_hostname }}/
    bind_dn: "cn=Directory Manager"
    bind_pw: "{{ podman_keycloak_ldap_directory_manager_password }}"
  delegate_to: localhost
  environment:
    LDAPTLS_REQCERT: "{% if podman_keycloak_certbot_testing %}never{% else %}always{% endif %}"
  tags: ldap
Initial import; migrate some roles from irl.wip 2025-10-31 22:36:32 +00:00			`---`
lint: ansible-lint suggested updates 2025-11-01 15:07:36 +00:00			`- name: Podman Keycloak \| AUDIT \| Wait 30 seconds for ldap server to start`
Initial import; migrate some roles from irl.wip 2025-10-31 22:36:32 +00:00			`ansible.builtin.pause:`
			`seconds: 30`

lint: ansible-lint suggested updates 2025-11-01 15:07:36 +00:00			`- name: Podman Keycloak \| PATCH \| Create ldap suffix`
Initial import; migrate some roles from irl.wip 2025-10-31 22:36:32 +00:00			`containers.podman.podman_container_exec:`
			`name: ldap`
			`argv:`
			`- dsconf`
			`- -v`
			`- localhost`
			`- backend`
			`- create`
			`- --suffix`
			`- "{{ podman_keycloak_ldap_database_suffix_dn }}"`
			`- --be-name`
			`- "{{ podman_keycloak_ldap_database_backend_name }}"`
			`- --create-suffix`
			`become: true`
			`become_user: "{{ podman_keycloak_podman_rootless_user }}"`
			`register: podman_keycloak_create_suffix`
			`ignore_errors: true`
			`changed_when: false`
			`tags:`
			`- ldap`

lint: ansible-lint suggested updates 2025-11-01 15:07:36 +00:00			`- name: Podman Keycloak \| AUDIT \| Create suffix result (only when changed)`
			`ansible.builtin.debug:`
Initial import; migrate some roles from irl.wip 2025-10-31 22:36:32 +00:00			`msg: "Suffix was created"`
			`when: not podman_keycloak_create_suffix.failed`
			`changed_when: not podman_keycloak_create_suffix.failed`

lint: ansible-lint suggested updates 2025-11-01 15:07:36 +00:00			`- name: Podman Keycloak \| PATCH \| Create OUs`
Initial import; migrate some roles from irl.wip 2025-10-31 22:36:32 +00:00			`community.general.ldap_entry:`
			`dn: "ou={{ item }},{{ podman_keycloak_ldap_database_suffix_dn }}"`
			`objectClass:`
			`- top`
			`- organizationalUnit`
			`server_uri: ldaps://{{ inventory_hostname }}/`
			`bind_dn: "cn=Directory Manager"`
			`bind_pw: "{{ podman_keycloak_ldap_directory_manager_password }}"`
			`delegate_to: localhost`
			`with_items:`
			`- Administrators`
			`- People`
			`- Groups`
			`environment:`
lint: ansible-lint suggested updates 2025-11-01 15:07:36 +00:00			`LDAPTLS_REQCERT: "{% if podman_keycloak_certbot_testing %}never{% else %}always{% endif %}"`
Initial import; migrate some roles from irl.wip 2025-10-31 22:36:32 +00:00			`tags: ldap`

lint: ansible-lint suggested updates 2025-11-01 15:07:36 +00:00			`- name: Podman Keycloak \| PATCH \| Enable memberOf plugin`
Initial import; migrate some roles from irl.wip 2025-10-31 22:36:32 +00:00			`containers.podman.podman_container_exec:`
			`name: ldap`
			`argv:`
			`- dsconf`
			`- -v`
			`- localhost`
			`- -D "cn=Directory Manager"`
			`- plugin`
			`- memberof`
			`- enable`
			`become: true`
			`become_user: "{{ podman_keycloak_podman_rootless_user }}"`
			`tags:`
			`- ldap`

lint: ansible-lint suggested updates 2025-11-01 15:07:36 +00:00			`- name: Podman Keycloak \| PATCH \| Disable anonymous bind`
Initial import; migrate some roles from irl.wip 2025-10-31 22:36:32 +00:00			`containers.podman.podman_container_exec:`
			`name: ldap`
			`argv:`
			`- dsconf`
			`- -v`
			`- localhost`
			`- -D "cn=Directory Manager"`
			`- config`
			`- replace`
			`- nsslapd-allow-anonymous-access=off`
			`become: true`
			`become_user: "{{ podman_keycloak_podman_rootless_user }}"`
			`tags:`
			`- ldap`

lint: ansible-lint suggested updates 2025-11-01 15:07:36 +00:00			`- name: Podman Keycloak \| PATCH \| Create a read-only administrator`
Initial import; migrate some roles from irl.wip 2025-10-31 22:36:32 +00:00			`community.general.ldap_entry:`
			`dn: "uid=admin,ou=Administrators,{{ podman_keycloak_ldap_database_suffix_dn }}"`
			`objectClass:`
			`- top`
			`- person`
			`- organizationalPerson`
			`- inetOrgPerson`
			`attributes:`
			`cn: admin`
			`sn: admin`
			`userPassword: "{{ podman_keycloak_ldap_administrator_password }}"`
			`server_uri: ldaps://{{ inventory_hostname }}/`
			`bind_dn: "cn=Directory Manager"`
			`bind_pw: "{{ podman_keycloak_ldap_directory_manager_password }}"`
			`delegate_to: localhost`
			`environment:`
lint: ansible-lint suggested updates 2025-11-01 15:07:36 +00:00			`LDAPTLS_REQCERT: "{% if podman_keycloak_certbot_testing %}never{% else %}always{% endif %}"`
Initial import; migrate some roles from irl.wip 2025-10-31 22:36:32 +00:00			`tags: ldap`

lint: ansible-lint suggested updates 2025-11-01 15:07:36 +00:00			`- name: Podman Keycloak \| PATCH \| Apply LDAP permissions`
Initial import; migrate some roles from irl.wip 2025-10-31 22:36:32 +00:00			`community.general.ldap_attrs:`
			`dn: "{{ podman_keycloak_ldap_database_suffix_dn }}"`
			`attributes:`
			`aci: '(target="ldap:///{{ podman_keycloak_ldap_database_suffix_dn }}")(targetattr="*") (version 3.0; acl "readonly"; allow (search,read,compare) userdn="ldap:///uid=admin,ou=Administrators,{{ podman_keycloak_ldap_database_suffix_dn }}";)'`
			`server_uri: ldaps://{{ inventory_hostname }}/`
			`bind_dn: "cn=Directory Manager"`
			`bind_pw: "{{ podman_keycloak_ldap_directory_manager_password }}"`
			`delegate_to: localhost`
			`environment:`
lint: ansible-lint suggested updates 2025-11-01 15:07:36 +00:00			`LDAPTLS_REQCERT: "{% if podman_keycloak_certbot_testing %}never{% else %}always{% endif %}"`
Initial import; migrate some roles from irl.wip 2025-10-31 22:36:32 +00:00			`tags: ldap`