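---
# Install the lego-issued certificate into OpenLDAP and turn on TLS via cn=config.
#
# Fixes relative to the previous revision:
#   - `inventory_hostname | default(cert_domain)` never used cert_domain, because
#     inventory_hostname is always defined; the default is now applied the other
#     way round so an explicit cert_domain wins and inventory_hostname is the
#     fallback.
#   - `mode: 0600` is an unquoted octal literal (parsed as decimal 384 by YAML 1.1
#     loaders); quoted "0600" is the form Ansible documents and warns for otherwise.
#   - The cn=config attributes below are single-valued; `state: present` tries to
#     *add* a value and fails on re-runs when the value changes. `state: exact`
#     converges to the given value instead.

- name: Copy TLS cert into place
  copy:
    src: "/root/.lego/certificates/{{ cert_domain | default(inventory_hostname) }}.crt"
    dest: /etc/openldap/certs/ldap.crt
    owner: ldap
    group: ldap
    mode: "0600"
    remote_src: true

- name: Copy cert private key into place
  copy:
    src: "/root/.lego/certificates/{{ cert_domain | default(inventory_hostname) }}.key"
    dest: /etc/openldap/certs/ldap.key
    owner: ldap
    group: ldap
    # Private key: readable by the ldap user only.
    mode: "0600"
    remote_src: true

- name: Configure TLS cert
  community.general.ldap_attrs:
    dn: cn=config
    # exact: these attributes are single-valued; replace rather than add.
    state: exact
    attributes:
      # NOTE(review): assumes ldap_cert_path / ldap_key_path resolve to the
      # /etc/openldap/certs/ldap.{crt,key} destinations above — confirm in vars.
      olcTLSCertificateFile: "{{ ldap_cert_path }}"
      olcTLSCertificateKeyFile: "{{ ldap_key_path }}"
      # OpenLDAP encodes the minimum protocol as <major>.<minor>: 3.3 = TLS 1.2.
      olcTLSProtocolMin: "3.3"  # TLS 1.2+
      # Quoted: the value contains ':' and '!' and should stay a literal string.
      olcTLSCipherSuite: "HIGH:!aNULL:!MD5"
  args:
    # Local socket with SASL EXTERNAL: authenticates as the root user's
    # identity, so no bind password is needed or logged.
    server_uri: ldapi:///
    sasl_class: external

- name: Require TLS
  community.general.ldap_attrs:
    dn: olcDatabase={2}mdb,cn=config
    state: exact
    attributes:
      # Reject non-TLS operations against this database (tls strength factor 1).
      olcSecurity: tls=1
  args:
    server_uri: ldapi:///
    sasl_class: external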