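# Read every user entry under the users subtree together with its current
# objectClass values, so the follow-up task can tell which auxiliary classes
# are still missing per entry.
# NOTE(review): both tasks bind as the administrator DN with a password. If
# ldap_server_uri is a plain ldap:// URI the bind is not encrypted unless
# start_tls is enabled; confirm the URI scheme and keep validate_certs on.
- name: Gather all users with their current objectClass list
  community.general.ldap_search:
    server_uri: "{{ ldap_server_uri }}"
    bind_dn: "{{ ldap.dn.administrator.data }}"
    bind_pw: "{{ ldap.bind_credential }}"
    dn: "{{ ldap.dn.users }}"
    scope: subordinate
    filter: "{{ ldap.filters.users.all }}"
    attrs:
      - dn
      - objectClass
      - "{{ ldap.attributes.user_id }}"
  register: ldap_users_with_classes

# Write only to entries that lack at least one auxiliary class; entries that
# already carry all of them are skipped by the `when` guard, which keeps the
# privileged bind from issuing needless modify calls.
- name: Add only missing auxiliary classes
  community.general.ldap_attrs:
    server_uri: "{{ ldap_server_uri }}"
    bind_dn: "{{ ldap.dn.administrator.data }}"
    bind_pw: "{{ ldap.bind_credential }}"
    dn: "{{ item.dn }}"
    attributes:
      objectClass: "{{ missing_auxiliary }}"
    state: present
  loop: "{{ ldap_users_with_classes.results }}"
  loop_control:
    # Show only the DN per iteration instead of dumping the whole entry.
    label: "{{ item.dn }}"
  vars:
    # ldap_search may hand back a single-valued attribute as a plain string
    # rather than a one-element list. Wrapping the value in a list and
    # flattening it makes `difference` always compare list against list;
    # a bare string would be compared per character or by substring.
    # NOTE(review): the comparison is an exact string match, so a class name
    # that differs only in letter case from the server's spelling is treated
    # as missing and passed on to ldap_attrs.
    missing_auxiliary: >-
      {{ ldap.user_objects.auxiliary
      | difference([item.objectClass | default([])] | flatten) }}
  when: missing_auxiliary | length > 0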