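# Superseded variant of the group-creation task, kept for reference only.
# It used ou=groups, no "top" objectClass and no int filter on gidNumber.
#- name: Ensure LDAP groups exist
#  community.general.ldap_entry:
#    dn: "cn={{ item.name }},ou=groups,{{ ldap_basedn }}"
#    state: present
#    objectClass:
#      - posixGroup
#    attributes:
#      cn: "{{ item.name }}"
#      gidNumber: "{{ item.gid }}"
#  loop: "{{ ldap_groups }}"
#  args:
#    server_uri: "{{ ldap_uri }}"
#    bind_dn: "{{ ldap_admin_dn }}"
#    bind_pw: "{{ ldap_admin_pw }}"
#    start_tls: yes
#

# Create one posixGroup entry under ou=Groups for every item in ldap_groups.
# NOTE(review): ldap_entry with state=present is understood to create missing
# entries only; a changed gid on an existing group is presumably not applied.
- name: Ensure LDAP groups exist
  community.general.ldap_entry:
    dn: "cn={{ item.name }},ou=Groups,{{ ldap_basedn }}"
    state: present
    objectClass:
      - top
      - posixGroup
    attributes:
      cn: "{{ item.name }}"
      gidNumber: "{{ item.gid | int }}"
  loop: "{{ ldap_groups }}"
  # Connection and bind settings shared by both tasks. ldap_admin_pw is an
  # administrative credential: supply it from an encrypted source such as
  # Ansible Vault, not from plaintext vars.
  args:
    server_uri: "{{ ldap_uri }}"
    bind_dn: "{{ ldap_admin_dn }}"
    bind_pw: "{{ ldap_admin_pw }}"
    # StartTLS keeps the bind password off an unencrypted ldap:// connection.
    start_tls: true

# Make memberUid on each group match item.members exactly; state=exact
# removes values that are not listed.
- name: Ensure group memberships are correct
  community.general.ldap_attrs:
    dn: "cn={{ item.name }},ou=Groups,{{ ldap_basedn }}"
    attributes:
      memberUid: "{{ item.members }}"
    state: exact
  loop: "{{ ldap_groups }}"
  # NOTE(review): groups whose members list is undefined or empty are skipped,
  # so emptying a list here does not remove the memberUid values already in
  # the directory. Confirm that de-provisioning is handled elsewhere.
  when: item.members is defined and item.members | length > 0
  args:
    server_uri: "{{ ldap_uri }}"
    bind_dn: "{{ ldap_admin_dn }}"
    bind_pw: "{{ ldap_admin_pw }}"
    # StartTLS keeps the bind password off an unencrypted ldap:// connection.
    start_tls: true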