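---
# LDAP bootstrap tasks for the Keycloak directory container.
#
# Flow: wait for the container to come up, create the backend/suffix
# through `dsconf` inside the container, create the OU tree and the
# read-only "admin" service account over LDAPS, then lock the directory
# down (memberOf plugin, anonymous bind off) and grant the service
# account read/search/compare on the suffix via an ACI.
#
# Directory-manager and service-account passwords arrive as variables;
# tasks that carry them in module arguments are marked `no_log` so they
# do not end up in verbose playbook output.

- name: wait 30 seconds for ldap server to start
  ansible.builtin.pause:
    seconds: 30

# `dsconf` returns non-zero when the backend already exists, so the task
# ignores errors and never reports "changed"; the registered result is
# inspected by the following task instead.  (Presumably the only failure
# on re-runs is "already exists" — any other dsconf error is also swallowed
# here, so check the registered output if the later LDAP tasks fail.)
- name: create ldap suffix
  containers.podman.podman_container_exec:
    name: ldap
    argv:
      - dsconf
      - -v
      - localhost
      - backend
      - create
      - --suffix
      - "{{ podman_keycloak_ldap_database_suffix_dn }}"
      - --be-name
      - "{{ podman_keycloak_ldap_database_backend_name }}"
      - --create-suffix
  become: true
  become_user: "{{ podman_keycloak_podman_rootless_user }}"
  register: podman_keycloak_create_suffix
  ignore_errors: true
  changed_when: false
  tags:
    - ldap

- name: create suffix result (only when changed)
  ansible.builtin.debug:
    msg: "Suffix was created"
  when: not podman_keycloak_create_suffix.failed
  changed_when: not podman_keycloak_create_suffix.failed

# LDAPTLS_REQCERT=never disables server certificate verification; it is
# only set when certbot is pointed at its testing (staging) CA.  With a
# production certificate the client verifies the chain as usual.
- name: ldap organisational units
  community.general.ldap_entry:
    dn: "ou={{ item }},{{ podman_keycloak_ldap_database_suffix_dn }}"
    objectClass:
      - top
      - organizationalUnit
    server_uri: "ldaps://{{ inventory_hostname }}/"
    bind_dn: "cn=Directory Manager"
    bind_pw: "{{ podman_keycloak_ldap_directory_manager_password }}"
  delegate_to: localhost
  loop:
    - Administrators
    - People
    - Groups
  environment:
    LDAPTLS_REQCERT: "{% if podman_keycloak_certbot_testing %}never{% else %}always{% endif %}"
  tags:
    - ldap

# `argv` is passed to the container verbatim, one list element per
# argument: the bind DN must therefore be its own element, not part of
# the `-D` element (a single `-D "cn=Directory Manager"` string reaches
# dsconf as one argument with the quote characters included).
# No bind password is given here; this relies on dsconf's local
# (in-container) bind to the `localhost` instance — TODO confirm.
- name: enable memberOf plugin
  containers.podman.podman_container_exec:
    name: ldap
    argv:
      - dsconf
      - -v
      - localhost
      - -D
      - "cn=Directory Manager"
      - plugin
      - memberof
      - enable
  become: true
  become_user: "{{ podman_keycloak_podman_rootless_user }}"
  tags:
    - ldap

- name: disable anonymous bind
  containers.podman.podman_container_exec:
    name: ldap
    argv:
      - dsconf
      - -v
      - localhost
      - -D
      - "cn=Directory Manager"
      - config
      - replace
      - nsslapd-allow-anonymous-access=off
  become: true
  become_user: "{{ podman_keycloak_podman_rootless_user }}"
  tags:
    - ldap

# The service account's password is a module argument (`attributes`),
# which Ansible would otherwise print with -v; hence `no_log`.
- name: ldap read-only administrator
  community.general.ldap_entry:
    dn: "uid=admin,ou=Administrators,{{ podman_keycloak_ldap_database_suffix_dn }}"
    objectClass:
      - top
      - person
      - organizationalPerson
      - inetOrgPerson
    attributes:
      cn: admin
      sn: admin
      userPassword: "{{ podman_keycloak_ldap_administrator_password }}"
    server_uri: "ldaps://{{ inventory_hostname }}/"
    bind_dn: "cn=Directory Manager"
    bind_pw: "{{ podman_keycloak_ldap_directory_manager_password }}"
  delegate_to: localhost
  no_log: true
  environment:
    LDAPTLS_REQCERT: "{% if podman_keycloak_certbot_testing %}never{% else %}always{% endif %}"
  tags:
    - ldap

# Grants uid=admin search/read/compare on every attribute
# (`targetattr="*"`) of every entry under the suffix — this includes
# attributes such as userPassword, so treat the service-account
# credential accordingly.
- name: ldap access control information
  community.general.ldap_attrs:
    dn: "{{ podman_keycloak_ldap_database_suffix_dn }}"
    attributes:
      aci: '(target="ldap:///{{ podman_keycloak_ldap_database_suffix_dn }}")(targetattr="*") (version 3.0; acl "readonly"; allow (search,read,compare) userdn="ldap:///uid=admin,ou=Administrators,{{ podman_keycloak_ldap_database_suffix_dn }}";)'
    server_uri: "ldaps://{{ inventory_hostname }}/"
    bind_dn: "cn=Directory Manager"
    bind_pw: "{{ podman_keycloak_ldap_directory_manager_password }}"
  delegate_to: localhost
  environment:
    LDAPTLS_REQCERT: "{% if podman_keycloak_certbot_testing %}never{% else %}always{% endif %}"
  tags:
    - ldap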