From efdafe72bb13fc7ab8df2a657494ed6b9a6652c2 Mon Sep 17 00:00:00 2001
From: Jonathan DeMasi
Date: Sat, 24 Jan 2026 17:52:16 -0700
Subject: [PATCH] add group membership check separately

---
 .../roles/openldap_directory/tasks/groups.yaml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/ansible/roles/openldap_directory/tasks/groups.yaml b/ansible/roles/openldap_directory/tasks/groups.yaml
index 2089255..115620c 100644
--- a/ansible/roles/openldap_directory/tasks/groups.yaml
+++ b/ansible/roles/openldap_directory/tasks/groups.yaml
@@ -13,3 +13,18 @@
     bind_dn: "{{ ldap_admin_dn }}"
     bind_pw: "{{ ldap_admin_pw }}"
     start_tls: yes
+
+- name: Ensure group memberships are correct
+  community.general.ldap_attrs:
+    dn: "cn={{ item.name }},ou=Groups,{{ ldap_basedn }}"
+    attributes:
+      memberUid: "{{ item.members }}"
+    state: exact
+  loop: "{{ ldap_groups }}"
+  when: item.members is defined and item.members | length > 0
+  args:
+    server_uri: "{{ ldap_uri }}"
+    bind_dn: "{{ ldap_admin_dn }}"
+    bind_pw: "{{ ldap_admin_pw }}"
+    start_tls: yes
+
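Review bot: The `when: item.members is defined and item.members | length > 0` guard on the new task means a group whose configured `members` list is emptied (or removed) is skipped entirely, so `state: exact` never clears the stale `memberUid` values and a user removed from their last group in `ldap_groups` silently keeps that membership in the directory. If the intent is that inventory is authoritative, drop the length clause so an empty list is pushed as well: `when: item.members is defined` with `memberUid: "{{ item.members }}"`, or `memberUid: "{{ item.members | default([]) }}"` with no `when` at all — this assumes `ldap_attrs` with `state: exact` treats an empty value list as "remove all values", which should be confirmed against the module before relying on it. If groups with no `members` key are deliberately left unmanaged, a comment above the task saying so, e.g. `# groups without a 'members' key are not managed here; their memberUid values are left untouched`, would keep the next maintainer from reading the skip as a bug. Separately, both `start_tls: yes` values (the context line and the new line) are YAML 1.1 truthy spellings; `start_tls: true` is the canonical form and what ansible-lint/yamllint expect.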