From a9e6e8dcdaa4e03a9807238f6d70e71383c0ad53 Mon Sep 17 00:00:00 2001
From: Jonathan DeMasi
Date: Sat, 24 Jan 2026 20:24:12 -0700
Subject: [PATCH] render ldifs

---
 .../tasks/templates/user.ldif.j2 | 20 +++++++++++++++++++
 .../roles/openldap_directory/tasks/users.yaml | 9 +++++++++
 2 files changed, 29 insertions(+)
 create mode 100644 ansible/roles/openldap_directory/tasks/templates/user.ldif.j2

diff --git a/ansible/roles/openldap_directory/tasks/templates/user.ldif.j2 b/ansible/roles/openldap_directory/tasks/templates/user.ldif.j2
new file mode 100644
index 0000000..e4ead8c
--- /dev/null
+++ b/ansible/roles/openldap_directory/tasks/templates/user.ldif.j2
@@ -0,0 +1,20 @@
+dn: uid={{ user.uid }},ou=People,{{ ldap_basedn }}
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: shadowAccount
+objectClass: ldapPublicKey
+
+uid: {{ user.uid }}
+cn: {{ user.cn }}
+sn: {{ user.sn }}
+uidNumber: {{ user.uidNumber }}
+gidNumber: {{ user.gidNumber }}
+homeDirectory: /home/{{ user.uid }}
+loginShell: {{ user.shell | default('/bin/bash') }}
+{% if user.ssh_keys is defined %}
+{% for key in user.ssh_keys %}
+sshPublicKey: {{ key }}
+{% endfor %}
+{% endif %}
+
diff --git a/ansible/roles/openldap_directory/tasks/users.yaml b/ansible/roles/openldap_directory/tasks/users.yaml
index 1aad6d6..09303aa 100644
--- a/ansible/roles/openldap_directory/tasks/users.yaml
+++ b/ansible/roles/openldap_directory/tasks/users.yaml
@@ -1,3 +1,12 @@
+- name: Render user LDIFs
+ ansible.builtin.template:
+ src: user.ldif.j2
+ dest: "/tmp/ldap-user-{{ item.uid }}.ldif"
+ mode: '0600'
+ loop: "{{ ldap_users }}"
+ loop_control:
+ loop_var: user
+
 - name: Ensure users exist
 community.general.ldap_entry:
 dn: "uid={{ item.uid }},{{ ldap_people_ou }}"
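Review bot: The empty line the template emits between `objectClass: ldapPublicKey` and `uid: {{ user.uid }}` terminates the LDIF record, so every attribute from `uid:` onward falls outside the entry and ldapadd/ldapmodify will reject the rendered file for a missing `dn:`; drop that blank line (the one at the end of the file is the proper record terminator). The values of `user.uid`, `user.cn`, `user.sn` and each `key` are also inserted without any escaping: a uid containing `,`, `+`, `"`, `\`, `<`, `>`, `;` or `=` changes the structure of the DN on the first line (RFC 4514 requires those characters to be escaped), and an LDIF attribute value that starts with a space, `:` or `<`, or that contains non-ASCII or a newline, must be written base64-encoded as `attr:: ...` rather than as plain text. Since `ldap_users` is plain inventory data, validate it before rendering, for example an `ansible.builtin.assert` in the calling task file that every `uid` matches `^[a-z_][a-z0-9_-]*$`, that `uidNumber`/`gidNumber` are integers and that no ssh key contains a newline, and state that precondition in a comment at the top of this template so the unescaped interpolation is a documented assumption rather than an accident.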
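Review bot: `dest: "/tmp/ldap-user-{{ item.uid }}.ldif"` references `item`, but `loop_control: loop_var: user` renames the loop variable for this task, so the render fails with `'item' is undefined` on the first iteration; it should read `dest: "/tmp/ldap-user-{{ user.uid }}.ldif"`. The destination is also a predictable name inside the shared, world-writable `/tmp`, which any local account can pre-create or point elsewhere before the play runs; `mode: '0600'` narrows the exposure but does not remove the race (CWE-377), whereas rendering into a directory the role owns (created beforehand with `ansible.builtin.file` and `mode: '0700'`) or into a path returned by `ansible.builtin.tempfile` does. As far as this hunk shows, nothing consumes or removes the rendered files — the following `Ensure users exist` task still derives its own `dn` from `item.uid` — so if they are meant to feed an `ldapadd` that step and a cleanup task are still missing, and if they are only for inspection a comment saying so would keep the next maintainer from treating them as the source of truth. The `Ensure users exist` task continues outside the hunk.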