Refactor user variable name from OPERNLDAP_USERS to OPENLDAP_USERS and add dynamic state handling for objectClass cleanup.

See conversation: https://chatgpt.com/share/692cab28-1ce0-800f-81da-712c8ea08e5c

roles/svc-db-openldap/tasks/03_users.yml

@@ -20,7 +20,7 @@
     state: present            # ↳ creates but never updates
   async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
   poll:  "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
-  loop: "{{ OPERNLDAP_USERS | dict2items }}"
+  loop: "{{ OPENLDAP_USERS | dict2items }}"
   loop_control:
     label: "{{ item.key }}"
 
@@ -36,10 +36,10 @@
     attributes:
       objectClass: "{{ LDAP.USER.OBJECTS.STRUCTURAL }}"
       mail:        "{{ item.value.email }}"
-    state: exact
+    state: "{{ 'exact' if MODE_CLEANUP else 'present' }}"
   async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
   poll:  "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
-  loop: "{{ OPERNLDAP_USERS | dict2items }}"
+  loop: "{{ OPENLDAP_USERS | dict2items }}"
   loop_control:
     label: "{{ item.key }}"
 

roles/svc-db-openldap/templates/ldif/groups/01_rbac_roles.ldif.j2

@@ -1,4 +1,4 @@
-{% for dn, entry in (applications | build_ldap_role_entries(OPERNLDAP_USERS, LDAP)).items() %}
+{% for dn, entry in (applications | build_ldap_role_entries(OPENLDAP_USERS, LDAP)).items() %}
 
 dn: {{ dn }}
 {% for oc in entry.objectClass %}

roles/svc-db-openldap/vars/main.yml

@@ -36,4 +36,4 @@ OPENLDAP_PROVISION_UPDATE:        "{{ applications | get_app_conf(application_id
 OPENLDAP_PROVISION_RESERVED:      "{{ applications | get_app_conf(application_id, 'provision.reserved') }}"
 
 # Users to be processed by LDAP
-OPERNLDAP_USERS:                  "{{ users if OPENLDAP_PROVISION_RESERVED else users | non_reserved_users }}"
+OPENLDAP_USERS:                   "{{ users if OPENLDAP_PROVISION_RESERVED else users | non_reserved_users }}"