diff --git a/roles/svc-db-openldap/tasks/03_users.yml b/roles/svc-db-openldap/tasks/03_users.yml
index e7204e4b..d506426b 100644
--- a/roles/svc-db-openldap/tasks/03_users.yml
+++ b/roles/svc-db-openldap/tasks/03_users.yml
@@ -20,7 +20,7 @@
 state: present # ↳ creates but never updates
 async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
 poll: "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
- loop: "{{ OPERNLDAP_USERS | dict2items }}"
+ loop: "{{ OPENLDAP_USERS | dict2items }}"
 loop_control:
 label: "{{ item.key }}"
@@ -36,10 +36,10 @@
 attributes:
 objectClass: "{{ LDAP.USER.OBJECTS.STRUCTURAL }}"
 mail: "{{ item.value.email }}"
- state: exact
+ state: "{{ 'exact' if MODE_CLEANUP else 'present' }}"
 async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
 poll: "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
- loop: "{{ OPERNLDAP_USERS | dict2items }}"
+ loop: "{{ OPENLDAP_USERS | dict2items }}"
 loop_control:
 label: "{{ item.key }}"
diff --git a/roles/svc-db-openldap/templates/ldif/groups/01_rbac_roles.ldif.j2 b/roles/svc-db-openldap/templates/ldif/groups/01_rbac_roles.ldif.j2
index fa1e49e6..b1f93a6d 100644
--- a/roles/svc-db-openldap/templates/ldif/groups/01_rbac_roles.ldif.j2
+++ b/roles/svc-db-openldap/templates/ldif/groups/01_rbac_roles.ldif.j2
@@ -1,4 +1,4 @@
-{% for dn, entry in (applications | build_ldap_role_entries(OPERNLDAP_USERS, LDAP)).items() %}
+{% for dn, entry in (applications | build_ldap_role_entries(OPENLDAP_USERS, LDAP)).items() %}
 dn: {{ dn }}
 {% for oc in entry.objectClass %}
diff --git a/roles/svc-db-openldap/vars/main.yml b/roles/svc-db-openldap/vars/main.yml
index 50237d84..07fc59fc 100644
--- a/roles/svc-db-openldap/vars/main.yml
+++ b/roles/svc-db-openldap/vars/main.yml
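Review bot: In the second hunk of tasks/03_users.yml (`@@ -36,10 +36,10 @@`), the new `state` expression tests `MODE_CLEANUP` without `| bool`, unlike `ASYNC_ENABLED | bool` on the two lines that follow it. If the flag ever arrives as a string (for example via `-e MODE_CLEANUP=false`), the non-empty string is truthy and the task takes the `exact` branch, which is the one that overwrites existing attribute values; `state: "{{ 'exact' if MODE_CLEANUP | bool else 'present' }}"` avoids that. With `present` as the new default, a changed `item.value.email` is presumably added alongside the old `mail` value instead of replacing it, so a stale address stays attached to the account until a cleanup run. A comment on the task would make that visible, e.g. `# 'present' only adds values; old mail/objectClass values persist until MODE_CLEANUP is set`. The task begins above the hunk, so the module name is not visible here and the attribute semantics should be confirmed against it.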
@@ -36,4 +36,4 @@ OPENLDAP_PROVISION_UPDATE: "{{ applications | get_app_conf(application_id
 OPENLDAP_PROVISION_RESERVED: "{{ applications | get_app_conf(application_id, 'provision.reserved') }}"
 # Users to be processed by LDAP
-OPERNLDAP_USERS: "{{ users if OPENLDAP_PROVISION_RESERVED else users | non_reserved_users }}"
\ No newline at end of file
+OPENLDAP_USERS: "{{ users if OPENLDAP_PROVISION_RESERVED else users | non_reserved_users }}"
\ No newline at end of file