ansible-roles/ldap/tasks/ldapvirc.yml

---

- name: "Is /root/.ldapvirc present ?"
  ansible.builtin.stat:
    path: /root/.ldapvirc
  check_mode: no
  register: root_ldapvirc_path

- name: Warning when ldapvirc file is present and ldap_admin_password is given
  ansible.builtin.debug:
    msg: "WARNING: an LDAP admin password is given, but an ldapvirc file already exists. It will not be updated."
  when:
    - ldap_admin_password | length > 0
    - root_ldapvirc_path.stat.exists

# Generate ldap password if none is given and ldapvirc is absent
- name: apg package is installed
  ansible.builtin.apt:
    name: apg
    state: present
  when: not root_ldapvirc_path.stat.exists

- name: create a password for cn=admin
  ansible.builtin.command:
    cmd: "apg -n 1 -m 16 -M lcN"
  register: new_ldap_admin_password
  changed_when: False
  when:
    - ldap_admin_password | length == 0
    - not root_ldapvirc_path.stat.exists

# Use the generated password or the one found in the file
- name: overwrite ldap_admin_password
  ansible.builtin.set_fact:
    ldap_admin_password: "{{ new_ldap_admin_password.stdout }}"
  when:
    - ldap_admin_password | length == 0
    - not root_ldapvirc_path.stat.exists

- name: hash password for cn=admin
  ansible.builtin.command:
    cmd: "slappasswd -s {{ ldap_admin_password }}"
  register: ldap_admin_password_ssha
  changed_when: False
  when: not root_ldapvirc_path.stat.exists

- name: create ldapvirc config
  ansible.builtin.template:
    src: ldapvirc.j2
    dest: /root/.ldapvirc
    mode: "0640"
  when: not root_ldapvirc_path.stat.exists

# Read ldap password when none is given and ldapvirc is present
- name: read ldap admin password from ldapvirc file
  ansible.builtin.shell:
    cmd: "grep -E '^password: .+$' /root/.ldapvirc | awk '{print $2}'"
  changed_when: False
  check_mode: no
  register: new_ldap_admin_password

# Use the password found in the file
- name: overwrite ldap_admin_password
  ansible.builtin.set_fact:
    ldap_admin_password: "{{ new_ldap_admin_password.stdout }}"