rework schemas

ansible/roles/openldap_server/tasks/schemas.yaml

@@ -1,39 +1,50 @@
-- name: List existing schemas
-  command: >
-    ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn
-  register: ldap_schemas
-  changed_when: false
+---
+# roles/ldap_server/tasks/schemas.yml
+- name: Ensure LDAP core schema is loaded
+  ansible.builtin.command: >
+    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/core.ldif
+  args:
+    creates: /etc/openldap/schema/.core_loaded
 
-- name: Copy a configuration file to the destination
-  ansible.builtin.copy:
-    src: files/openssh-lpk.ldif
-    dest: /etc/openldap/schema/openssh-lpk.ldif
-    owner: ldap               
-    group: ldap              
-    mode: '0600'       
+- name: Ensure LDAP cosine schema is loaded
+  ansible.builtin.command: >
+    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
+  args:
+    creates: /etc/openldap/schema/.cosine_loaded
 
-#- name: Load cosine schema
-#  command: >
-#    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
-#  when: "'cn=cosine,cn=schema,cn=config' not in ldap_schemas.stdout"
-#
-#- name: Load inetorgperson schema
-#  command: >
-#    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
-#  when: "'cn=inetorgperson,cn=schema,cn=config' not in ldap_schemas.stdout"
-#
-#- name: Load nis schema
-#  command: >
-#    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
-#  when: "'cn=nis,cn=schema,cn=config' not in ldap_schemas.stdout"
+- name: Ensure LDAP inetorgperson schema is loaded
+  ansible.builtin.command: >
+    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
+  args:
+    creates: /etc/openldap/schema/.inetorgperson_loaded
 
-#- name: Load sudo schema
-#  command: >
-#    ldapadd -Y EXTERNAL -H ldapi:/// -f /usr/share/doc/sudo/schema.OpenLDAP
-#  when: "'cn=sudo,cn=schema,cn=config' not in ldap_schemas.stdout"
-#
-- name: Load OpenSSH public key schema
-  command: >
-    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/openssh-lpk.ldif
-  when: "'cn=openssh-lpk,cn=schema,cn=config' not in ldap_schemas.stdout"
+- name: Ensure LDAP nis schema is loaded
+  ansible.builtin.command: >
+    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
+  args:
+    creates: /etc/openldap/schema/.nis_loaded
+
+- name: Ensure custom LDAP schemas (sudo + openssh) are loaded
+  ansible.builtin.command: >
+    ldapadd -Y EXTERNAL -H ldapi:/// -f {{ item.file }}
+  args:
+    creates: "/etc/openldap/schema/.{{ item.name }}_loaded"
+  loop:
+    - { name: "sudo", file: "{{ playbook_dir }}/roles/ldap_server/files/sudo.ldif" }
+    - { name: "openssh", file: "{{ playbook_dir }}/roles/ldap_server/files/openssh.ldif" }
+  loop_control:
+    label: "{{ item.name }}"
+
+# Touch marker files for idempotency (optional but recommended)
+- name: Ensure marker files exist
+  ansible.builtin.file:
+    path: "/etc/openldap/schema/.{{ item.name }}_loaded"
+    state: touch
+  loop:
+    - { name: "core" }
+    - { name: "cosine" }
+    - { name: "inetorgperson" }
+    - { name: "nis" }
+    - { name: "sudo" }
+    - { name: "openssh" }