add hashed ldap manager pw

ansible/inventories/production/host_vars/ldap.home.jthan.io/vars.yaml

@@ -1,5 +1,7 @@
 root_pw: "{{ lookup('bitwarden.secrets.lookup', '64a96d82-179b-41af-898d-b3dc014f44a0') }}" 
 
+ldap_manager_pw_hash: "{{ lookup('bitwarden.secrets.lookup', '32654697-7172-4fe3-9767-b3dc015ddd34') }}" 
+
 letsencrypt_email: "me@jthan.io"
 linode_dns_token: "{{ lookup('bitwarden.secrets.lookup', '8849d676-e53e-4aef-a7e6-b3dc014dd698') }}" 
 

ansible/roles/openldap_server/defaults/main.yaml

@@ -6,3 +6,6 @@ ldap_bind_dn: cn=binduser,{{ ldap_basedn }}
 
 ldap_cert_path: /etc/openldap/certs/ldap.crt
 ldap_key_path: /etc/openldap/certs/ldap.key
+
+ldap_directory_manager_dn: "cn=Manager,{{ ldap_basedn }}"
+ldap_directory_manager_pw_hash: "{{ ldap_manager_pw_hash }}"

ansible/roles/openldap_server/tasks/find_database.yaml

@@ -0,0 +1,10 @@
+- name: Find main LDAP database DN
+  ansible.builtin.command: >
+    ldapsearch -Y EXTERNAL -H ldapi:/// \
+    -b cn=config '(olcSuffix={{ ldap_basedn }})' dn
+  register: ldap_db_dn
+  changed_when: false
+
+- name: Set fact for main database DN
+  ansible.builtin.set_fact:
+    ldap_main_db_dn: "{{ ldap_db_dn.stdout_lines | select('match','^dn:') | first | regex_replace('^dn: ','') }}"

ansible/roles/openldap_server/tasks/main.yaml

@@ -2,5 +2,7 @@
 - import_tasks: disable_ldaps.yaml
 #- import_tasks: schemas.yaml
 - import_tasks: config.yaml
+- import_tasks: find_database.yml
+- import_tasks: manager.yml
 - import_tasks: tls.yaml
 - import_tasks: acls.yaml

ansible/roles/openldap_server/tasks/manager.yaml

@@ -0,0 +1,11 @@
+- name: Set directory Manager DN and password
+  community.general.ldap_attrs:
+    dn: "{{ ldap_main_db_dn }}"
+    attributes:
+      olcRootDN: "{{ ldap_directory_manager_dn }}"
+      olcRootPW: "{{ ldap_directory_manager_pw_hash }}"
+    state: exact
+  args:
+    server_uri: ldapi:///
+    bind_dn: cn=admin,cn=config
+    sasl_class: external