From 97e2d440b20df32cdc3a17ccbb6ccff2729cfa28 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Mon, 22 Sep 2025 19:08:11 +0200
Subject: [PATCH] Normalized OpenLDAP constants

---
 .../svc-db-openldap/tasks/01_credentials.yml | 10 +++----
 roles/svc-db-openldap/tasks/03_users.yml | 6 ++--
 roles/svc-db-openldap/tasks/04_update.yml | 4 +--
 .../svc-db-openldap/tasks/ldifs_creation.yml | 4 +--
 roles/svc-db-openldap/tasks/main.yml | 8 ++---
 .../tasks/schemas/nextcloud.yml | 6 ++--
 .../tasks/schemas/openssh_lpk.yml | 6 ++--
 .../templates/docker-compose.yml.j2 | 14 ++++-----
 roles/svc-db-openldap/templates/env.j2 | 4 +--
 roles/svc-db-openldap/vars/main.yml | 30 ++++++++++---------
 10 files changed, 47 insertions(+), 45 deletions(-)

diff --git a/roles/svc-db-openldap/tasks/01_credentials.yml b/roles/svc-db-openldap/tasks/01_credentials.yml
index 7bb36463..65f3346b 100644
--- a/roles/svc-db-openldap/tasks/01_credentials.yml
+++ b/roles/svc-db-openldap/tasks/01_credentials.yml
@@ -3,7 +3,7 @@
 - name: "Query available LDAP databases"
 shell: |
- docker exec {{ openldap_name }} \
+ docker exec {{ OPENLDAP_NAME }} \
 ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b cn=config "(olcDatabase=*)" dn
 register: ldap_databases
@@ -27,13 +27,13 @@
 - name: "Generate hash for Database Admin password"
 shell: |
- docker exec {{ openldap_name }} \
+ docker exec {{ OPENLDAP_NAME }} \
 slappasswd -s "{{ LDAP.BIND_CREDENTIAL }}"
 register: database_admin_pw_hash
 - name: "Reset Database Admin password in LDAP (olcRootPW)"
 shell: |
- docker exec -i {{ openldap_name }} ldapmodify -Y EXTERNAL -H ldapi:/// <- {{
diff --git a/roles/svc-db-openldap/tasks/main.yml b/roles/svc-db-openldap/tasks/main.yml
index 0ecfa7d1..e93000d7 100644
--- a/roles/svc-db-openldap/tasks/main.yml
+++ b/roles/svc-db-openldap/tasks/main.yml
@@ -19,7 +19,7 @@
 - name: create docker network for LDAP, so that other applications can access it
 community.docker.docker_network:
- name: "{{ openldap_network }}"
+ name: "{{ OPENLDAP_NETWORK }}"
 state: present
 ipam_config:
 - subnet: "{{ networks.local[application_id].subnet }}"
@@ -40,12 +40,12 @@
 - applications | get_app_conf(application_id, 'network.local')
 - applications | get_app_conf(application_id, 'provisioning.credentials', True)
-- name: "create directory {{openldap_ldif_host_path}}{{item}}"
+- name: "create directory {{OPENLDAP_LDIF_PATH_HOST}}{{item}}"
 file:
- path: "{{openldap_ldif_host_path}}{{item}}"
+ path: "{{OPENLDAP_LDIF_PATH_HOST}}{{item}}"
 state: directory
 mode: "0755"
- loop: "{{openldap_ldif_types}}"
+ loop: "{{OPENLDAP_LDIF_TYPES}}"
 - name: "Import LDIF Configuration"
 include_tasks: ldifs_creation.yml
diff --git a/roles/svc-db-openldap/tasks/schemas/nextcloud.yml b/roles/svc-db-openldap/tasks/schemas/nextcloud.yml
index 2abcc90c..2feb83c7 100644
--- a/roles/svc-db-openldap/tasks/schemas/nextcloud.yml
+++ b/roles/svc-db-openldap/tasks/schemas/nextcloud.yml
@@ -13,9 +13,9 @@
 - "( 1.3.6.1.4.1.99999.2 NAME '{{ LDAP.USER.OBJECTS.AUXILIARY.NEXTCLOUD_USER }}' DESC 'Auxiliary class for Nextcloud attributes' AUXILIARY MAY ( {{ LDAP.USER.ATTRIBUTES.NEXTCLOUD_QUOTA }} ) )"
 command: >
 ldapsm
- -s {{ openldap_server_uri }}
- -D '{{ openldap_bind_dn }}'
- -W '{{ openldap_bind_pw }}'
+ -s {{ OPENLDAP_SERVER_URI }}
+ -D '{{ OPENLDAP_BIND_DN }}'
+ -W '{{ OPENLDAP_BIND_PW }}'
 -n {{ schema_name }}
 {% for at in attribute_defs %}
 -a "{{ at }}"
diff --git a/roles/svc-db-openldap/tasks/schemas/openssh_lpk.yml b/roles/svc-db-openldap/tasks/schemas/openssh_lpk.yml
index a9ed9b14..8982a609 100644
--- a/roles/svc-db-openldap/tasks/schemas/openssh_lpk.yml
+++ b/roles/svc-db-openldap/tasks/schemas/openssh_lpk.yml
@@ -21,9 +21,9 @@
 command: >
 ldapsm
- -s {{ openldap_server_uri }}
- -D '{{ openldap_bind_dn }}'
- -W '{{ openldap_bind_pw }}'
+ -s {{ OPENLDAP_SERVER_URI }}
+ -D '{{ OPENLDAP_BIND_DN }}'
+ -W '{{ OPENLDAP_BIND_PW }}'
 -n {{ schema_name }}
 {% for at in attribute_defs %}
 -a "{{ at }}"
diff --git a/roles/svc-db-openldap/templates/docker-compose.yml.j2 b/roles/svc-db-openldap/templates/docker-compose.yml.j2
index 0781c087..62e56fcc 100644
--- a/roles/svc-db-openldap/templates/docker-compose.yml.j2
+++ b/roles/svc-db-openldap/templates/docker-compose.yml.j2
@@ -1,20 +1,20 @@
 {% include 'roles/docker-compose/templates/base.yml.j2' %}
 application:
- image: "{{ openldap_image }}:{{ openldap_version }}"
- container_name: "{{ openldap_name }}"
+ image: "{{ OPENLDAP_IMAGE }}:{{ OPENLDAP_VERSION }}"
+ container_name: "{{ OPENLDAP_NAME }}"
 {% include 'roles/docker-container/templates/base.yml.j2' %}
-{% if openldap_network_expose_local %}
+{% if OPENLDAP_NETWORK_EXPOSE_LOCAL %}
 ports:
- - 127.0.0.1:{{ports.localhost.ldap['svc-db-openldap']}}:{{openldap_docker_port_open}}
+ - 127.0.0.1:{{ports.localhost.ldap['svc-db-openldap']}}:{{OPENLDAP_DOCKER_PORT_OPEN}}
 {% endif %}
 volumes:
 - 'data:/bitnami/openldap'
- - '{{openldap_ldif_host_path}}:{{ openldap_ldif_docker_path }}:ro'
+ - '{{OPENLDAP_LDIF_PATH_HOST}}:{{ OPENLDAP_LDIF_PATH_DOCKER }}:ro'
 healthcheck:
 test: >
 bash -c '
- ldapsearch -x -H ldap://localhost:{{ openldap_docker_port_open }} \
+ ldapsearch -x -H ldap://localhost:{{ OPENLDAP_DOCKER_PORT_OPEN }} \
 -D "{{ LDAP.DN.ADMINISTRATOR.DATA }}" -w "{{ LDAP.BIND_CREDENTIAL }}" -b "{{ LDAP.DN.ROOT }}" > /dev/null \
 && ldapsearch -Y EXTERNAL -H ldapi:/// \
 -b cn=config "(&(objectClass=olcOverlayConfig)(olcOverlay=memberof))" \
@@ -24,6 +24,6 @@
 {% include 'roles/docker-compose/templates/volumes.yml.j2' %}
 data:
- name: "{{ openldap_volume }}"
+ name: "{{ OPENLDAP_VOLUME }}"
 {% include 'roles/docker-compose/templates/networks.yml.j2' %}
\ No newline at end of file
diff --git a/roles/svc-db-openldap/templates/env.j2 b/roles/svc-db-openldap/templates/env.j2
index 56f2b9e4..b0967577 100644
--- a/roles/svc-db-openldap/templates/env.j2
+++ b/roles/svc-db-openldap/templates/env.j2
@@ -18,9 +18,9 @@ LDAP_CONFIG_ADMIN_USERNAME= {{ applications | get_app_conf(application_id, 'user
 LDAP_CONFIG_ADMIN_PASSWORD= {{ applications | get_app_conf(application_id, 'credentials.administrator_password') }}
 # Network
-LDAP_PORT_NUMBER= {{openldap_docker_port_open}} # Route to default port
+LDAP_PORT_NUMBER= {{OPENLDAP_DOCKER_PORT_OPEN}} # Route to default port
 LDAP_ENABLE_TLS= no # Using nginx proxy for tls
-LDAP_LDAPS_PORT_NUMBER= {{openldap_docker_port_secure}} # Port used for TLS secure traffic. Priviledged port is supported (e.g. 636). Default: 1636 (non privileged port).
+LDAP_LDAPS_PORT_NUMBER= {{OPENLDAP_DOCKER_PORT_SECURE}} # Port used for TLS secure traffic. Priviledged port is supported (e.g. 636). Default: 1636 (non privileged port).
 # Security
 LDAP_ALLOW_ANON_BINDING= no # Allow anonymous bindings to the LDAP server. Default: yes.
\ No newline at end of file
diff --git a/roles/svc-db-openldap/vars/main.yml b/roles/svc-db-openldap/vars/main.yml
index 996f6d33..4e073304 100644
--- a/roles/svc-db-openldap/vars/main.yml
+++ b/roles/svc-db-openldap/vars/main.yml
@@ -1,24 +1,26 @@
 application_id: "svc-db-openldap"
 # LDAP Variables
-openldap_docker_port_secure: 636
-openldap_docker_port_open: 389
-openldap_server_uri: "ldap://127.0.0.1:{{ ports.localhost.ldap[application_id] }}"
-openldap_bind_dn: "{{ LDAP.DN.ADMINISTRATOR.CONFIGURATION }}"
-openldap_bind_pw: "{{ applications | get_app_conf(application_id, 'credentials.administrator_password', True) }}"
+OPENLDAP_DOCKER_PORT_SECURE: 636
+OPENLDAP_DOCKER_PORT_OPEN: 389
+OPENLDAP_SERVER_URI: "ldap://127.0.0.1:{{ ports.localhost.ldap[application_id] }}"
+OPENLDAP_BIND_DN: "{{ LDAP.DN.ADMINISTRATOR.CONFIGURATION }}"
+OPENLDAP_BIND_PW: "{{ applications | get_app_conf(application_id, 'credentials.administrator_password') }}"
 # LDIF Variables
-openldap_ldif_host_path: "{{ docker_compose.directories.volumes }}ldif/"
-openldap_ldif_docker_path: "/tmp/ldif/"
-openldap_ldif_types:
+OPENLDAP_LDIF_PATH_HOST: "{{ docker_compose.directories.volumes }}ldif/"
+OPENLDAP_LDIF_PATH_DOCKER: "/tmp/ldif/"
+OPENLDAP_LDIF_TYPES:
 - configuration
 - groups
 - schema # Don't know if this is still needed, it's now setup via tasks
-openldap_name: "{{ applications | get_app_conf(application_id, 'docker.services.openldap.name', True) }}"
-openldap_image: "{{ applications | get_app_conf(application_id, 'docker.services.openldap.image', True) }}"
-openldap_version: "{{ applications | get_app_conf(application_id, 'docker.services.openldap.version', True) }}"
-openldap_volume: "{{ applications | get_app_conf(application_id, 'docker.volumes.data', True) }}"
-openldap_network: "{{ applications | get_app_conf(application_id, 'docker.network', True) }}"
+# Container
+OPENLDAP_NAME: "{{ applications | get_app_conf(application_id, 'docker.services.openldap.name') }}"
+OPENLDAP_IMAGE: "{{ applications | get_app_conf(application_id, 'docker.services.openldap.image') }}"
+OPENLDAP_VERSION: "{{ applications | get_app_conf(application_id, 'docker.services.openldap.version') }}"
+OPENLDAP_VOLUME: "{{ applications | get_app_conf(application_id, 'docker.volumes.data') }}"
+OPENLDAP_NETWORK: "{{ applications | get_app_conf(application_id, 'docker.network') }}"
-openldap_network_expose_local: "{{ applications | get_app_conf(application_id, 'network.public', True) | bool or applications | get_app_conf(application_id, 'network.local') | bool }}"
\ No newline at end of file
+# Network
+OPENLDAP_NETWORK_EXPOSE_LOCAL: "{{ applications | get_app_conf(application_id, 'network.public') | bool or applications | get_app_conf(application_id, 'network.local') | bool }}"
\ No newline at end of file
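Review bot: `OPENLDAP_BIND_PW` and the `network.public` lookup inside `OPENLDAP_NETWORK_EXPOSE_LOCAL` silently drop the trailing `True` argument that the replaced `openldap_bind_pw` and `openldap_network_expose_local` lines passed to `get_app_conf`, while the `'provisioning.credentials', True` lookup still visible in tasks/main.yml keeps it; for a commit described as a constant rename that is an undisclosed behaviour change. The signature of `get_app_conf` is not in this diff, but if that argument is a strict/required flag, a missing `credentials.administrator_password` would now render an empty or default bind password instead of failing the play, and that value is exactly what the schema tasks put on a command line as `-W '{{ OPENLDAP_BIND_PW }}'`. Either restore the flag, `OPENLDAP_BIND_PW: "{{ applications | get_app_conf(application_id, 'credentials.administrator_password', True) }}"`, or state in the commit message why the lookup was relaxed. Since vars/main.yml is where the secret is defined, a comment above it such as `# Secret: tasks that interpolate OPENLDAP_BIND_PW into a command must set no_log: true` would help the next maintainer.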