force starttls only

ansible/roles/openldap_server/tasks/disable_ldaps.yaml

@@ -0,0 +1,14 @@
+- name: Create systemd override directory for slapd
+  file:
+    path: /etc/systemd/system/slapd.service.d
+    state: directory
+    mode: '0755'
+
+- name: Configure slapd listeners (LDAP + LDAPI only)
+  copy:
+    dest: /etc/systemd/system/slapd.service.d/override.conf
+    mode: '0644'
+    content: |
+      [Service]
+      ExecStart=
+      ExecStart=/usr/sbin/slapd -u ldap -g ldap -h "ldap:/// ldapi:///"

ansible/roles/openldap_server/tasks/main.yaml

@@ -1,4 +1,5 @@
 - import_tasks: install.yaml
+- import_tasks: disable_ldaps.yaml
 - import_tasks: schemas.yaml
 - import_tasks: config.yaml
 - import_tasks: tls.yaml