From 732607bbb6fbb8430234f0809bc09c9070f3bacf Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Mon, 14 Jul 2025 08:45:53 +0200
Subject: [PATCH] Added provisioning switches for openldap to improve performance

---
 roles/svc-db-openldap/config/main.yml | 14 ++++++++------
 .../tasks/{03_entries.yml => 03_users.yml} | 0
 .../tasks/{04_user_updates.yml => 04_update.yml} | 0
 roles/svc-db-openldap/tasks/main.yml | 15 +++++++++++----
 .../ldif/{data => groups}/01_rbac_group.ldif.j2 | 0
 .../ldif/{data => groups}/02_rbac_roles.ldif.j2 | 0
 .../templates/ldif/{data => groups}/README.md | 0
 7 files changed, 19 insertions(+), 10 deletions(-)
 rename roles/svc-db-openldap/tasks/{03_entries.yml => 03_users.yml} (100%)
 rename roles/svc-db-openldap/tasks/{04_user_updates.yml => 04_update.yml} (100%)
 rename roles/svc-db-openldap/templates/ldif/{data => groups}/01_rbac_group.ldif.j2 (100%)
 rename roles/svc-db-openldap/templates/ldif/{data => groups}/02_rbac_roles.ldif.j2 (100%)
 rename roles/svc-db-openldap/templates/ldif/{data => groups}/README.md (100%)

diff --git a/roles/svc-db-openldap/config/main.yml b/roles/svc-db-openldap/config/main.yml
index 0fc19e75..1b3985d8 100644
--- a/roles/svc-db-openldap/config/main.yml
+++ b/roles/svc-db-openldap/config/main.yml
@@ -9,10 +9,12 @@ images:
   webinterface: "lam" # The webinterface which should be used. Possible: lam and phpldapadmin
 features:
   ldap: true
-import:
-# Here it's possible to define what can be imported.
+provisioning:
+# Here it's possible to define what should be imported and updated.
 # It doesn't make sense to let the import run everytime because its very time consuming
-  credentials: true
-  schemas: true
-  entries: true
-  users: true
+  configuration: true # E.g. MemberOf and Hashed Password Configuration
+  credentials: true # Administrator Password
+  schemas: true # E.g. Nextcloud, Openssl
+  users: true # E.g. User, group and role entries
+  groups: true # Roles and Groups import
+  update: true # User Class updates
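Review bot: The two comment lines under `provisioning:` sit at column 0 while the keys they describe are indented two spaces, and each inline comment is separated from its key by a single space; yamllint's `comments-indentation` and `comments` rules flag both, so indent the header comments to match the keys and put two spaces before every `#`. The `users:` description `E.g. User, group and role entries` overlaps with `groups: true # Roles and Groups import`; since the role and group LDIFs now live under the `groups` switch, narrow it to `users: true  # User entries`. The header comment should also say that the switches are not independent: the tasks they gate run in a fixed order in tasks/main.yml (credentials, configuration, schemas, users, groups, update) and a later step presumably assumes the earlier ones have completed at least once on the host, so disabling a step for speed is only safe after one full run. In particular `configuration` is documented here as covering the hashed-password configuration, so on a freshly provisioned host it should stay enabled.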
diff --git a/roles/svc-db-openldap/tasks/03_entries.yml b/roles/svc-db-openldap/tasks/03_users.yml
similarity index 100%
rename from roles/svc-db-openldap/tasks/03_entries.yml
rename to roles/svc-db-openldap/tasks/03_users.yml
diff --git a/roles/svc-db-openldap/tasks/04_user_updates.yml b/roles/svc-db-openldap/tasks/04_update.yml
similarity index 100%
rename from roles/svc-db-openldap/tasks/04_user_updates.yml
rename to roles/svc-db-openldap/tasks/04_update.yml
diff --git a/roles/svc-db-openldap/tasks/main.yml b/roles/svc-db-openldap/tasks/main.yml
index b7212ad3..d0b12f3e 100644
--- a/roles/svc-db-openldap/tasks/main.yml
+++ b/roles/svc-db-openldap/tasks/main.yml
@@ -36,7 +36,9 @@
 
 - name: "Reset LDAP Credentials"
   include_tasks: 01_credentials.yml
-  when: applications | get_app_conf(application_id, 'network.local', True)
+  when:
+    - applications | get_app_conf(application_id, 'network.local', True)
+    - applications | get_app_conf(application_id, 'provisioning.credentials', True)
 
 - name: "create directory {{ldif_host_path}}{{item}}"
   file:
@@ -51,6 +53,7 @@
     - configuration
   loop_control:
     loop_var: folder
+  when: applications | get_app_conf(application_id, 'provisioning.configuration', True)
 
 - name: flush LDIF handlers
   meta: flush_handlers
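Review bot: The new `provisioning.credentials` condition on "Reset LDAP Credentials" is undocumented at the point where an operator will flip it: if `01_credentials.yml` applies the configured administrator password, as the task name suggests, then setting the switch to `false` to save time means a rotated admin password in the inventory is silently no longer applied on that host. A one-line comment above the task would make that trade-off explicit, e.g. `# Skipped when provisioning.credentials is false — a changed administrator password is then NOT pushed to the directory`. The same default-`True` third argument is used for every new switch in this file, so a key that is removed from the `provisioning:` block re-enables its step rather than disabling it; worth noting in the config comment as well. The "create directory" task and the task gated in the second hunk both start or end outside these hunks.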
@@ -63,16 +66,20 @@
 
 - name: "Include Schemas (if enabled)"
   include_tasks: 02_schemas.yml
+  when: applications | get_app_conf(application_id, 'provisioning.schemas', True)
 
 - name: "Import LDAP Entries (if enabled)"
-  include_tasks: 03_entries.yml
+  include_tasks: 03_users.yml
+  when: applications | get_app_conf(application_id, 'provisioning.users', True)
 
 - name: "Import LDIF Data (if enabled)"
   include_tasks: ldifs_creation.yml
   loop:
-    - data
+    - groups
   loop_control:
     loop_var: folder
+  when: applications | get_app_conf(application_id, 'provisioning.groups', True)
 
 - name: "Add Objects to all users"
-  include_tasks: 04_user_updates.yml
\ No newline at end of file
+  include_tasks: 04_update.yml
+  when: applications | get_app_conf(application_id, 'provisioning.update', True)
\ No newline at end of file
diff --git a/roles/svc-db-openldap/templates/ldif/data/01_rbac_group.ldif.j2 b/roles/svc-db-openldap/templates/ldif/groups/01_rbac_group.ldif.j2
similarity index 100%
rename from roles/svc-db-openldap/templates/ldif/data/01_rbac_group.ldif.j2
rename to roles/svc-db-openldap/templates/ldif/groups/01_rbac_group.ldif.j2
diff --git a/roles/svc-db-openldap/templates/ldif/data/02_rbac_roles.ldif.j2 b/roles/svc-db-openldap/templates/ldif/groups/02_rbac_roles.ldif.j2
similarity index 100%
rename from roles/svc-db-openldap/templates/ldif/data/02_rbac_roles.ldif.j2
rename to roles/svc-db-openldap/templates/ldif/groups/02_rbac_roles.ldif.j2
diff --git a/roles/svc-db-openldap/templates/ldif/data/README.md b/roles/svc-db-openldap/templates/ldif/groups/README.md
similarity index 100%
rename from roles/svc-db-openldap/templates/ldif/data/README.md
rename to roles/svc-db-openldap/templates/ldif/groups/README.md
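Review bot: The task name `Import LDAP Entries (if enabled)` now includes `03_users.yml` under the `provisioning.users` switch, so the name no longer describes the step; rename it to `- name: "Import LDAP Users (if enabled)"` so that task output, file name and switch agree. The file still ends without a trailing newline (the `\ No newline at end of file` marker appears on both sides); add one while the last task is being touched. The four switches in this hunk are evaluated independently, yet "Add Objects to all users" (`04_update.yml`) presumably acts on the entries created by `03_users.yml`, so enabling `update` with `users` disabled only makes sense on a host that has already been populated; a short comment on that last task, e.g. `# Requires a prior run with provisioning.users enabled`, would save an operator a confusing run.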