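# Create one posixGroup entry per item in ldap_groups.
# Each item supplies `name` and `gid`; the membership task below also reads an
# optional `members` list.
- name: Ensure LDAP groups exist
  community.general.ldap_entry:
    dn: "cn={{ item.name }},ou=groups,{{ ldap_basedn }}"
    # `present` only creates a missing entry; an existing entry is left as it
    # is, so a changed gidNumber in ldap_groups is not pushed to the directory.
    state: present
    objectClass:
      - posixGroup
    attributes:
      cn: "{{ item.name }}"
      gidNumber: "{{ item.gid }}"
    server_uri: "{{ ldap_uri }}"
    bind_dn: "{{ ldap_admin_dn }}"
    # Admin bind credential: presumably supplied from Ansible Vault or another
    # secret store -- confirm it is not kept in plain-text vars.
    bind_pw: "{{ ldap_admin_pw }}"
    # StartTLS keeps the admin bind off the wire in clear text; leave
    # certificate validation at its default (enabled).
    start_tls: true
  loop: "{{ ldap_groups }}"

# Make memberUid on each group match item.members exactly: values not listed
# are removed, missing ones are added.
- name: Ensure group memberships are correct
  community.general.ldap_attrs:
    # Same RDN spelling as the task above (this task previously used
    # "ou=Groups").
    dn: "cn={{ item.name }},ou=groups,{{ ldap_basedn }}"
    attributes:
      memberUid: "{{ item.members }}"
    state: exact
    server_uri: "{{ ldap_uri }}"
    bind_dn: "{{ ldap_admin_dn }}"
    bind_pw: "{{ ldap_admin_pw }}"
    start_tls: true
  loop: "{{ ldap_groups }}"
  # NOTE(review): groups whose `members` is undefined or empty are skipped, so
  # emptying a list in ldap_groups does not revoke the memberUid values already
  # in the directory. Removing the last member of a group needs separate
  # handling -- confirm this is intended.
  when: item.members is defined and item.members | length > 0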