Refactor LDAP variable schema to use top-level constant LDAP and nested ALL-CAPS keys.

- Converted group_vars/all/13_ldap.yml from lower-case to ALL-CAPS nested keys.
- Updated all roles, tasks, templates, and filter_plugins to reference LDAP.* instead of ldap.*.
- Fixed Keycloak JSON templates to properly quote Jinja variables.
- Adjusted svc-db-openldap filter plugins and unit tests to handle new LDAP structure.
- Updated integration test to only check uniqueness of TOP-LEVEL ALL-CAPS constants, ignoring nested keys.

See: https://chatgpt.com/share/68b01017-efe0-800f-a508-7d7e2f1c8c8d

roles/svc-db-openldap/filter_plugins/build_ldap_nested_group_entries.py

@@ -8,12 +8,12 @@ def build_ldap_nested_group_entries(applications, users, ldap):
     result = {}
 
     # Base DN components
-    role_dn_base = ldap["dn"]["ou"]["roles"]
-    user_dn_base = ldap["dn"]["ou"]["users"]
-    ldap_user_attr = ldap["user"]["attributes"]["id"]
+    role_dn_base = ldap["DN"]["OU"]["ROLES"]
+    user_dn_base = ldap["DN"]["OU"]["USERS"]
+    ldap_user_attr = ldap["USER"]["ATTRIBUTES"]["ID"]
 
     # Supported objectClass flavors
-    flavors = ldap.get("rbac", {}).get("flavors", [])
+    flavors = ldap.get("RBAC").get("FLAVORS")
 
     for application_id, app_config in applications.items():
         # Compute the DN for the application-level OU

roles/svc-db-openldap/filter_plugins/build_ldap_role_entries.py

@@ -16,10 +16,10 @@ def build_ldap_role_entries(applications, users, ldap):
         }
 
         group_id = application_config.get("group_id")
-        user_dn_base = ldap["dn"]["ou"]["users"]
-        ldap_user_attr = ldap["user"]["attributes"]["id"]
-        role_dn_base = ldap["dn"]["ou"]["roles"]
-        flavors = ldap.get("rbac", {}).get("flavors", [])
+        user_dn_base = ldap["DN"]["OU"]["USERS"]
+        ldap_user_attr = ldap["USER"]["ATTRIBUTES"]["ID"]
+        role_dn_base = ldap["DN"]["OU"]["ROLES"]
+        flavors = ldap.get("RBAC").get("FLAVORS")
 
         for role_name, role_conf in roles.items():
             group_cn = f"{application_id}-{role_name}"

roles/svc-db-openldap/handlers/main.yml

@@ -1,6 +1,6 @@
 - name: Load memberof module from file in OpenLDAP container
   shell: >
-    docker exec -i {{ openldap_name }} ldapmodify -Y EXTERNAL -H ldapi:/// -f {{openldap_ldif_docker_path}}configuration/01_member_of_configuration.ldif
+    docker exec -i {{ openldap_name }} ldapmodify -Y EXTERNAL -H ldapi:/// -f {{ openldap_ldif_docker_path }}configuration/01_member_of_configuration.ldif
   listen: 
     - "Import configuration LDIF files"
     - "Import all LDIF files"
@@ -10,7 +10,7 @@
 
 - name: Refint Module Activation for OpenLDAP
   shell: >
-    docker exec -i {{ openldap_name }} ldapadd -Y EXTERNAL -H ldapi:/// -f {{openldap_ldif_docker_path}}configuration/02_member_of_configuration.ldif
+    docker exec -i {{ openldap_name }} ldapadd -Y EXTERNAL -H ldapi:/// -f {{ openldap_ldif_docker_path }}configuration/02_member_of_configuration.ldif
   listen: 
     - "Import configuration LDIF files"
     - "Import all LDIF files"
@@ -22,7 +22,7 @@
 
 - name: "Import schemas"
   shell: >
-    docker exec -i {{ openldap_name }} ldapadd -Y EXTERNAL -H ldapi:/// -f "{{openldap_ldif_docker_path}}schema/{{ item | basename | regex_replace('\.j2$', '') }}"
+    docker exec -i {{ openldap_name }} ldapadd -Y EXTERNAL -H ldapi:/// -f "{{ openldap_ldif_docker_path }}schema/{{ item | basename | regex_replace('\.j2$', '') }}"
   register: ldapadd_result
   changed_when: "'adding new entry' in ldapadd_result.stdout"
   failed_when: ldapadd_result.rc not in [0, 80]
@@ -33,7 +33,7 @@
 
 - name: Refint Overlay Configuration for OpenLDAP
   shell: >
-    docker exec -i {{ openldap_name }} ldapmodify -Y EXTERNAL -H ldapi:/// -f {{openldap_ldif_docker_path}}configuration/03_member_of_configuration.ldif
+    docker exec -i {{ openldap_name }} ldapmodify -Y EXTERNAL -H ldapi:/// -f {{ openldap_ldif_docker_path }}configuration/03_member_of_configuration.ldif
   listen:
     - "Import configuration LDIF files"
     - "Import all LDIF files"
@@ -45,7 +45,7 @@
 
 - name: "Import users, groups, etc. to LDAP"
   shell: >
-    docker exec -i {{ openldap_name }} ldapadd -x -D "{{ldap.dn.administrator.data}}" -w "{{ldap.bind_credential}}" -c -f "{{openldap_ldif_docker_path}}groups/{{ item | basename | regex_replace('\.j2$', '') }}"
+    docker exec -i {{ openldap_name }} ldapadd -x -D "{{LDAP.DN.ADMINISTRATOR.DATA}}" -w "{{ LDAP.BIND_CREDENTIAL }}" -c -f "{{ openldap_ldif_docker_path }}groups/{{ item | basename | regex_replace('\.j2$', '') }}"
   register: ldapadd_result
   changed_when: "'adding new entry' in ldapadd_result.stdout"
   failed_when: ldapadd_result.rc not in [0, 20, 68, 65]

roles/svc-db-openldap/tasks/01_credentials.yml

@@ -28,7 +28,7 @@
 - name: "Generate hash for Database Admin password"
   shell: |
     docker exec {{ openldap_name }} \
-      slappasswd -s "{{ ldap.bind_credential }}"
+      slappasswd -s "{{ LDAP.BIND_CREDENTIAL }}"
   register: database_admin_pw_hash
 
 - name: "Reset Database Admin password in LDAP (olcRootPW)"

roles/svc-db-openldap/tasks/03_users.yml

@@ -3,11 +3,11 @@
 ###############################################################################
 - name: Ensure LDAP users exist
   community.general.ldap_entry:
-    dn:           "{{ ldap.user.attributes.id }}={{ item.key }},{{ ldap.dn.ou.users }}"
+    dn:           "{{ LDAP.USER.ATTRIBUTES.ID }}={{ item.key }},{{ LDAP.DN.OU.USERS }}"
     server_uri:   "{{ openldap_server_uri }}"
-    bind_dn:      "{{ ldap.dn.administrator.data }}"
-    bind_pw:      "{{ ldap.bind_credential }}"
-    objectClass:  "{{ ldap.user.objects.structural }}"
+    bind_dn:      "{{ LDAP.DN.ADMINISTRATOR.DATA }}"
+    bind_pw:      "{{ LDAP.BIND_CREDENTIAL }}"
+    objectClass:  "{{ LDAP.USER.OBJECTS.STRUCTURAL }}"
     attributes:
       uid:           "{{ item.value.username }}"
       sn:            "{{ item.value.sn  | default(item.key) }}"
@@ -29,12 +29,12 @@
 ###############################################################################
 - name: Ensure required objectClass values and mail address are present
   community.general.ldap_attrs:
-    dn: "{{ ldap.user.attributes.id }}={{ item.key }},{{ ldap.dn.ou.users }}"
+    dn: "{{ LDAP.USER.ATTRIBUTES.ID }}={{ item.key }},{{ LDAP.DN.OU.USERS }}"
     server_uri: "{{ openldap_server_uri }}"
-    bind_dn: "{{ ldap.dn.administrator.data }}"
-    bind_pw: "{{ ldap.bind_credential }}"
+    bind_dn: "{{ LDAP.DN.ADMINISTRATOR.DATA }}"
+    bind_pw: "{{ LDAP.BIND_CREDENTIAL }}"
     attributes:
-      objectClass: "{{ ldap.user.objects.structural }}"
+      objectClass: "{{ LDAP.USER.OBJECTS.STRUCTURAL }}"
       mail:        "{{ item.value.email }}"
     state: exact
   async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
@@ -45,10 +45,10 @@
 
 - name: "Ensure container for application roles exists"
   community.general.ldap_entry:
-    dn: "{{ ldap.dn.ou.roles }}"
+    dn: "{{ LDAP.DN.OU.ROLES }}"
     server_uri: "{{ openldap_server_uri }}"
-    bind_dn:  "{{ ldap.dn.administrator.data }}"
-    bind_pw:  "{{ ldap.bind_credential }}"
+    bind_dn:  "{{ LDAP.DN.ADMINISTRATOR.DATA }}"
+    bind_pw:  "{{ LDAP.BIND_CREDENTIAL }}"
     objectClass: organizationalUnit
     attributes:
       ou: roles

roles/svc-db-openldap/tasks/04_update.yml

@@ -1,22 +1,22 @@
 - name: Gather all users with their current objectClass list
   community.general.ldap_search:
     server_uri: "{{ openldap_server_uri }}"
-    bind_dn:    "{{ ldap.dn.administrator.data }}"
-    bind_pw:    "{{ ldap.bind_credential }}"
-    dn:         "{{ ldap.dn.ou.users }}"
+    bind_dn:    "{{ LDAP.DN.ADMINISTRATOR.DATA }}"
+    bind_pw:    "{{ LDAP.BIND_CREDENTIAL }}"
+    dn:         "{{ LDAP.DN.OU.USERS }}"
     scope:      subordinate
-    filter:     "{{ ldap.filters.users.all }}"
+    filter:     "{{ LDAP.FILTERS.USERS.ALL }}"
     attrs:
       - dn
       - objectClass
-      - "{{ ldap.user.attributes.id }}"
+      - "{{ LDAP.USER.ATTRIBUTES.ID }}"
   register: ldap_users_with_classes
 
 - name: Add only missing auxiliary classes
   community.general.ldap_attrs:
     server_uri: "{{ openldap_server_uri }}"
-    bind_dn:    "{{ ldap.dn.administrator.data }}"
-    bind_pw:    "{{ ldap.bind_credential }}"
+    bind_dn:    "{{ LDAP.DN.ADMINISTRATOR.DATA }}"
+    bind_pw:    "{{ LDAP.BIND_CREDENTIAL }}"
     dn:         "{{ item.dn }}"
     attributes:
       objectClass: "{{ missing_auxiliary }}"
@@ -28,7 +28,7 @@
     label: "{{ item.dn }}"
   vars:
     missing_auxiliary: >-
-      {{ (ldap.user.objects.auxiliary.values() | list) 
+      {{ (LDAP.USER.OBJECTS.AUXILIARY.values() | list) 
          | difference(item.objectClass | default([]))
       }}
   when: missing_auxiliary | length > 0

roles/svc-db-openldap/tasks/schemas/nextcloud.yml

@@ -8,9 +8,9 @@
   vars:
     schema_name: "nextcloud"
     attribute_defs:
-      - "( 1.3.6.1.4.1.99999.1 NAME '{{ ldap.user.attributes.nextcloud_quota }}' DESC 'Quota for Nextcloud' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )"
+      - "( 1.3.6.1.4.1.99999.1 NAME '{{ LDAP.USER.ATTRIBUTES.NEXTCLOUD_QUOTA }}' DESC 'Quota for Nextcloud' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )"
     objectclass_defs:
-      - "( 1.3.6.1.4.1.99999.2 NAME 'nextcloudUser' DESC 'Auxiliary class for Nextcloud attributes' AUXILIARY MAY ( {{ ldap.user.attributes.nextcloud_quota }} ) )"
+      - "( 1.3.6.1.4.1.99999.2 NAME '{{ LDAP.USER.OBJECTS.AUXILIARY.NEXTCLOUD_USER }}' DESC 'Auxiliary class for Nextcloud attributes' AUXILIARY MAY ( {{ LDAP.USER.ATTRIBUTES.NEXTCLOUD_QUOTA }} ) )"
   command: >
     ldapsm
       -s {{ openldap_server_uri }}

roles/svc-db-openldap/tasks/schemas/openssh_lpk.yml

@@ -8,16 +8,16 @@
   vars:
     schema_name: "openssh-lpk"
     attribute_defs:
-      - "( 1.3.6.1.4.1.24552.1.1 NAME '{{ ldap.user.attributes.ssh_public_key }}' DESC 'OpenSSH Public Key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )"
+      - "( 1.3.6.1.4.1.24552.1.1 NAME '{{ LDAP.USER.ATTRIBUTES.SSH_PUBLIC_KEY }}' DESC 'OpenSSH Public Key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )"
       - "( 1.3.6.1.4.1.24552.1.2 NAME 'sshFingerprint' DESC 'OpenSSH Public Key Fingerprint' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )"
     objectclass_defs:
       - >-
         ( 1.3.6.1.4.1.24552.2.1
-          NAME '{{ ldap.user.objects.auxiliary.ssh_public_key }}'
+          NAME '{{ LDAP.USER.OBJECTS.AUXILIARY.SSH_PUBLIC_KEY }}'
           DESC 'Auxiliary class for OpenSSH public keys'
           SUP top
           AUXILIARY
-          MAY ( {{ ldap.user.attributes.ssh_public_key }} $ sshFingerprint ) )
+          MAY ( {{ LDAP.USER.ATTRIBUTES.SSH_PUBLIC_KEY }} $ sshFingerprint ) )
 
   command: >
     ldapsm

roles/svc-db-openldap/templates/docker-compose.yml.j2

@@ -10,12 +10,12 @@
 {% endif %}
     volumes:
       - 'data:/bitnami/openldap'
-      - '{{openldap_ldif_host_path}}:{{openldap_ldif_docker_path}}:ro'
+      - '{{openldap_ldif_host_path}}:{{ openldap_ldif_docker_path }}:ro'
     healthcheck:
       test: >
         bash -c '
         ldapsearch -x -H ldap://localhost:{{ openldap_docker_port_open }} \
-          -D "{{ ldap.dn.administrator.data }}" -w "{{ ldap.bind_credential }}" -b "{{ ldap.dn.root }}" > /dev/null \
+          -D "{{ LDAP.DN.ADMINISTRATOR.DATA }}" -w "{{ LDAP.BIND_CREDENTIAL }}" -b "{{ LDAP.DN.ROOT }}" > /dev/null \
         && ldapsearch -Y EXTERNAL -H ldapi:/// \
           -b cn=config "(&(objectClass=olcOverlayConfig)(olcOverlay=memberof))" \
         | grep "olcOverlay:" | grep -q "memberof"

roles/svc-db-openldap/templates/env.j2

@@ -4,15 +4,15 @@
 # GENERAL
 ## Admin (Data)
 LDAP_ADMIN_USERNAME=        {{ applications | get_app_conf(application_id, 'users.administrator.username') }} # LDAP database admin user.
-LDAP_ADMIN_PASSWORD=        {{ldap.bind_credential}}                                      # LDAP database admin password.
+LDAP_ADMIN_PASSWORD=        {{ LDAP.BIND_CREDENTIAL }}                                      # LDAP database admin password.
 
 ## Users
 LDAP_USERS=                 ' '                             # Comma separated list of LDAP users to create in the default LDAP tree. Default: user01,user02
 LDAP_PASSWORDS=             ' '                             # Comma separated list of passwords to use for LDAP users. Default: bitnami1,bitnami2
-LDAP_ROOT=                  {{ldap.dn.root}}                # LDAP baseDN (or suffix) of the LDAP tree. Default: dc=example,dc=org
+LDAP_ROOT=                  {{ LDAP.DN.ROOT }}                # LDAP baseDN (or suffix) of the LDAP tree. Default: dc=example,dc=org
 
 ## Admin (Config)
-LDAP_ADMIN_DN=              {{ldap.dn.administrator.data}}
+LDAP_ADMIN_DN=              {{LDAP.DN.ADMINISTRATOR.DATA}}
 LDAP_CONFIG_ADMIN_ENABLED=  yes
 LDAP_CONFIG_ADMIN_USERNAME= {{ applications | get_app_conf(application_id, 'users.administrator.username') }}
 LDAP_CONFIG_ADMIN_PASSWORD= {{ applications | get_app_conf(application_id, 'credentials.administrator_password') }}

roles/svc-db-openldap/vars/main.yml

@@ -4,7 +4,7 @@ application_id:                 "svc-db-openldap"
 openldap_docker_port_secure:    636
 openldap_docker_port_open:      389
 openldap_server_uri:            "ldap://127.0.0.1:{{ ports.localhost.ldap[application_id] }}"
-openldap_bind_dn:               "{{ ldap.dn.administrator.configuration }}"
+openldap_bind_dn:               "{{ LDAP.DN.ADMINISTRATOR.CONFIGURATION }}"
 openldap_bind_pw:               "{{ applications | get_app_conf(application_id, 'credentials.administrator_password', True) }}"
 
 # LDIF Variables