From 2b1a5ee3f934f3699979322b2fe15816c55a0d54 Mon Sep 17 00:00:00 2001
From: Jonathan DeMasi
Date: Fri, 23 Jan 2026 19:00:40 -0700
Subject: [PATCH] force starttls only
---
.../roles/openldap_server/tasks/disable_ldaps.yaml | 14 ++++++++++++++
ansible/roles/openldap_server/tasks/main.yaml | 1 +
2 files changed, 15 insertions(+)
create mode 100644 ansible/roles/openldap_server/tasks/disable_ldaps.yaml
diff --git a/ansible/roles/openldap_server/tasks/disable_ldaps.yaml b/ansible/roles/openldap_server/tasks/disable_ldaps.yaml
new file mode 100644
index 0000000..1f1452d
--- /dev/null
+++ b/ansible/roles/openldap_server/tasks/disable_ldaps.yaml
@@ -0,0 +1,14 @@
+- name: Create systemd override directory for slapd
+ file:
+ path: /etc/systemd/system/slapd.service.d
+ state: directory
+ mode: '0755'
+
+- name: Configure slapd listeners (LDAP + LDAPI only)
+ copy:
+ dest: /etc/systemd/system/slapd.service.d/override.conf
+ mode: '0644'
+ content: |
+ [Service]
+ ExecStart=
+ ExecStart=/usr/sbin/slapd -u ldap -g ldap -h "ldap:/// ldapi:///"
diff --git a/ansible/roles/openldap_server/tasks/main.yaml b/ansible/roles/openldap_server/tasks/main.yaml
index 757a988..e88b8af 100644
--- a/ansible/roles/openldap_server/tasks/main.yaml
+++ b/ansible/roles/openldap_server/tasks/main.yaml
@@ -1,4 +1,5 @@
 - import_tasks: install.yaml
+- import_tasks: disable_ldaps.yaml
 - import_tasks: schemas.yaml
 - import_tasks: config.yaml
 - import_tasks: tls.yaml
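Review bot: Cleartext binds are still accepted on `ldap:///` after this override, because dropping the ldaps listener from the `ExecStart=` line in disable_ldaps.yaml removes a port but does not require TLS on the remaining one. Unless `tls.yaml` or `config.yaml` (not visible here) already sets a requirement such as `olcSecurity: tls=1` in cn=config, the "starttls only" goal in the subject is not met. Separately, neither task registers a result or notifies a handler, so systemd keeps running the old unit until a daemon-reload and a restart of slapd happen; if no handler elsewhere in the role covers this, a follow-up task like the one below would. The hard-coded `ExecStart` also replaces whatever arguments the packaged unit passes, so it is worth comparing against `systemctl cat slapd` on a target host.

```yaml
- name: Configure slapd listeners (LDAP + LDAPI only)
  copy:
    # … unchanged: dest, mode and content of override.conf …
  register: slapd_override

- name: Reload systemd and restart slapd when the override changes
  systemd:
    name: slapd
    daemon_reload: true
    state: restarted
  when: slapd_override is changed
```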