svc-db-openldap: make LDIF import idempotent, unify container var, and tidy role

- Add handlers/main.yml to load memberof/refint modules and import groups via docker exec
- Use OPENLDAP_CONTAINER consistently (replace OPENLDAP_NAME)
- Rename tasks/ldifs_creation.yml -> tasks/_ldifs_creation.yml and update includes
- Drop default param from get_app_conf calls; add explicit meta: flush_handlers
- docker-compose: honor OPENLDAP_NETWORK_EXPOSE_LOCAL | bool; minor formatting
- env template: formatting/comments consistency
- Remove unused 01_rbac_group.ldif.j2; rename 02_rbac_roles -> 01_rbac_roles and fix filter to LDAP
- vars: rename OPENLDAP_NAME -> OPENLDAP_CONTAINER; prune LDIF schema type

Conversation: https://chatgpt.com/share/68d1d25d-e788-800f-bfb6-13b1f5bc6121

roles/svc-db-openldap/handlers/main.yml

@@ -0,0 +1,40 @@
+- name: Load memberof module from file in OpenLDAP container
+  shell: >
+    docker exec -i {{ OPENLDAP_CONTAINER }} ldapmodify -Y EXTERNAL -H ldapi:/// -f "{{ [OPENLDAP_LDIF_PATH_DOCKER, 'configuration/01_member_of_configuration.ldif' ] | path_join }}"
+  listen:
+    - "Import configuration LDIF files"
+  # @todo Remove the following ignore errors when setting up a new server
+  # Just here because debugging would take to much time
+  ignore_errors: true
+
+- name: Refint Module Activation for OpenLDAP
+  shell: >
+    docker exec -i {{ OPENLDAP_CONTAINER }} ldapadd -Y EXTERNAL -H ldapi:/// -f "{{ [ OPENLDAP_LDIF_PATH_DOCKER, 'configuration/02_member_of_configuration.ldif' ] | path_join }}"
+  listen:
+    - "Import configuration LDIF files"
+  register: ldapadd_result
+  failed_when: ldapadd_result.rc not in [0, 68]
+  # @todo Remove the following ignore errors when setting up a new server
+  # Just here because debugging would take to much time
+  ignore_errors: true
+
+- name: Refint Overlay Configuration for OpenLDAP
+  shell: >
+    docker exec -i {{ OPENLDAP_CONTAINER }} ldapmodify -Y EXTERNAL -H ldapi:/// -f "{{ [ OPENLDAP_LDIF_PATH_DOCKER, 'configuration/03_member_of_configuration.ldif' ] | path_join }}"
+  listen:
+    - "Import configuration LDIF files"
+  register: ldapadd_result
+  failed_when: ldapadd_result.rc not in [0, 68]
+  # @todo Remove the following ignore errors when setting up a new server
+  # Just here because debugging would take to much time
+  ignore_errors: true
+
+- name: "Import users, groups, etc. to LDAP"
+  shell: >
+    docker exec -i {{ OPENLDAP_CONTAINER }} ldapadd -x -D "{{ LDAP.DN.ADMINISTRATOR.DATA }}" -w "{{ LDAP.BIND_CREDENTIAL }}" -c -f "{{ [ OPENLDAP_LDIF_PATH_DOCKER, 'groups', (item | basename | regex_replace('\.j2$', '')) ] | path_join }}"
+  register: ldapadd_result
+  changed_when: "'adding new entry' in ldapadd_result.stdout"
+  failed_when: ldapadd_result.rc not in [0, 20, 68, 65]
+  listen:
+    - "Import groups LDIF files"
+  loop: "{{ query('fileglob', role_path ~ '/templates/ldif/groups/*.j2') | sort }}"

roles/svc-db-openldap/tasks/01_credentials.yml

@@ -3,7 +3,7 @@
 
 - name: "Query available LDAP databases"
   shell: |
-    docker exec {{ OPENLDAP_NAME }} \
+    docker exec {{ OPENLDAP_CONTAINER }} \
       ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b cn=config "(olcDatabase=*)" dn
   register: ldap_databases
 
@@ -27,13 +27,13 @@
 
 - name: "Generate hash for Database Admin password"
   shell: |
-    docker exec {{ OPENLDAP_NAME }} \
+    docker exec {{ OPENLDAP_CONTAINER }} \
       slappasswd -s "{{ LDAP.BIND_CREDENTIAL }}"
   register: database_admin_pw_hash
 
 - name: "Reset Database Admin password in LDAP (olcRootPW)"
   shell: |
-    docker exec -i {{ OPENLDAP_NAME }} ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
+    docker exec -i {{ OPENLDAP_CONTAINER }} ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
     dn: {{ data_backend_dn }}
     changetype: modify
     replace: olcRootPW
@@ -42,13 +42,13 @@
 
 - name: "Generate hash for Configuration Admin password"
   shell: |
-    docker exec {{ OPENLDAP_NAME }} \
+    docker exec {{ OPENLDAP_CONTAINER }} \
       slappasswd -s "{{ applications | get_app_conf(application_id, 'credentials.administrator_password', True) }}"
   register: config_admin_pw_hash
 
 - name: "Reset Configuration Admin password in LDAP (olcRootPW)"
   shell: |
-    docker exec -i {{ OPENLDAP_NAME }} ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
+    docker exec -i {{ OPENLDAP_CONTAINER }} ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
     dn: {{ config_backend_dn }}
     changetype: modify
     replace: olcRootPW

roles/svc-db-openldap/tasks/main.yml

@@ -38,7 +38,7 @@
   include_tasks: 01_credentials.yml
   when:
     - OPENLDAP_NETWORK_SWITCH_LOCAL | bool
-    - applications | get_app_conf(application_id, 'provisioning.credentials', True)
+    - applications | get_app_conf(application_id, 'provisioning.credentials')
 
 - name: "create directory {{ OPENLDAP_LDIF_PATH_HOST }}{{ item }}"
   file:
@@ -48,12 +48,12 @@
   loop: "{{ OPENLDAP_LDIF_TYPES }}"
 
 - name: "Import LDIF Configuration"
-  include_tasks: ldifs_creation.yml
+  include_tasks: _ldifs_creation.yml
   loop:
     - configuration
   loop_control:
     loop_var: folder
-  when: applications | get_app_conf(application_id, 'provisioning.configuration', True)
+  when: applications | get_app_conf(application_id, 'provisioning.configuration')
 
 - name: flush LDIF handlers
   meta: flush_handlers
@@ -66,20 +66,22 @@
 
 - name: "Include Schemas (if enabled)"
   include_tasks: 02_schemas.yml
-  when: applications | get_app_conf(application_id, 'provisioning.schemas', True)
+  when: applications | get_app_conf(application_id, 'provisioning.schemas')
 
 - name: "Import LDAP Entries (if enabled)"
   include_tasks: 03_users.yml
-  when: applications | get_app_conf(application_id, 'provisioning.users', True)
+  when: applications | get_app_conf(application_id, 'provisioning.users')
 
 - name: "Import LDIF Data (if enabled)"
-  include_tasks: ldifs_creation.yml
+  include_tasks: _ldifs_creation.yml
   loop:
     - groups
   loop_control:
     loop_var: folder
-  when: applications | get_app_conf(application_id, 'provisioning.groups', True)
+  when: applications | get_app_conf(application_id, 'provisioning.groups')
+
+- meta: flush_handlers
 
 - name: "Add Objects to all users"
   include_tasks: 04_update.yml
-  when: applications | get_app_conf(application_id, 'provisioning.update', True)
+  when: applications | get_app_conf(application_id, 'provisioning.update')

roles/svc-db-openldap/templates/docker-compose.yml.j2

@@ -2,9 +2,9 @@
 
   application:
     image: "{{ OPENLDAP_IMAGE }}:{{ OPENLDAP_VERSION }}"
-    container_name: "{{ OPENLDAP_NAME }}"
+    container_name: "{{ OPENLDAP_CONTAINER }}"
 {% include 'roles/docker-container/templates/base.yml.j2' %}
-{% if OPENLDAP_NETWORK_EXPOSE_LOCAL %}
+{% if OPENLDAP_NETWORK_EXPOSE_LOCAL | bool %}
     ports:
       - 127.0.0.1:{{ports.localhost.ldap['svc-db-openldap']}}:{{ OPENLDAP_DOCKER_PORT_OPEN }}
 {% endif %}

roles/svc-db-openldap/templates/ldif/groups/01_rbac_group.ldif.j2

@@ -1,30 +0,0 @@
-{# 
-@todo: activate
-{% for dn, entry in (applications | build_ldap_role_entries(users, ldap)).items() %}
-
-dn: {{ dn }}
-{% for oc in entry.objectClass %}
-objectClass: {{ oc }}
-{% endfor %}
-{% if entry.ou is defined %}
-ou: {{ entry.ou }}
-{% else %}
-cn: {{ entry.cn }}
-{% endif %}
-{% if entry.gidNumber is defined %}
-gidNumber: {{ entry.gidNumber }}
-{% endif %}
-description: {{ entry.description }}
-{% if entry.memberUid is defined %}
-{% for uid in entry.memberUid %}
-memberUid: {{ uid }}
-{% endfor %}
-{% endif %}
-{% if entry.member is defined %}
-{% for m in entry.member %}
-member: {{ m }}
-{% endfor %}
-{% endif %}
-
-{% endfor %}
-#}

roles/svc-db-openldap/templates/ldif/groups/01_rbac_roles.ldif.j2

@@ -1,4 +1,4 @@
-{% for dn, entry in (applications | build_ldap_role_entries(users, ldap)).items() %}
+{% for dn, entry in (applications | build_ldap_role_entries(users, LDAP)).items() %}
 
 dn: {{ dn }}
 {% for oc in entry.objectClass %}

roles/svc-db-openldap/vars/main.yml

@@ -13,10 +13,9 @@ OPENLDAP_LDIF_PATH_DOCKER:      "/tmp/ldif/"
 OPENLDAP_LDIF_TYPES:
   - configuration
   - groups
-  - schema                      # Don't know if this is still needed, it's now setup via tasks
 
 # Container
-OPENLDAP_NAME:                  "{{ applications | get_app_conf(application_id, 'docker.services.openldap.name') }}"
+OPENLDAP_CONTAINER:             "{{ applications | get_app_conf(application_id, 'docker.services.openldap.name') }}"
 OPENLDAP_IMAGE:                 "{{ applications | get_app_conf(application_id, 'docker.services.openldap.image') }}"
 OPENLDAP_VERSION:               "{{ applications | get_app_conf(application_id, 'docker.services.openldap.version') }}"
 OPENLDAP_VOLUME:                "{{ applications | get_app_conf(application_id, 'docker.volumes.data') }}"