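{#
  Renders LDIF for per-application roles.

  1. For every key in `applications`, emits two organizationalRole entries
     under `ldap.dn.application_roles`: `<app>-administrator` and `<app>-user`.
  2. For every entry in `users`, emits modify records that add the user as
     roleOccupant of each `<app>-user` role and, only when that user's
     `is_admin` flag is truthy, of each `<app>-administrator` role.

  NOTE(review): `app` and `username` are interpolated into DNs unescaped.
  Presumably both come from trusted inventory -- confirm, since DN
  metacharacters (`,`, `+`, `=`) or a newline would change which entry is
  written.
  NOTE(review): the role entries carry no `changetype`, while the membership
  records use `changetype: modify`. How this file is applied is not visible
  here -- confirm the client treats the former as adds.
-#}
{% for app, config in applications.items() %}

dn: cn={{ app }}-administrator,{{ ldap.dn.application_roles }}
objectClass: top
objectClass: organizationalRole
cn: {{ app }}-administrator
description: Administrator role for {{ app }} (automatically generated)

dn: cn={{ app }}-user,{{ ldap.dn.application_roles }}
objectClass: top
objectClass: organizationalRole
cn: {{ app }}-user
description: Standard user role for {{ app }} (automatically generated)

{% endfor %}
{% for username, user in users.items() %}

#######################################################################
# Assign {{ username }} to application user roles
#######################################################################
{% for app, config in applications.items() %}

# Assign {{ username }} to {{ app }}-users
dn: cn={{ app }}-user,{{ ldap.dn.application_roles }}
changetype: modify
add: roleOccupant
roleOccupant: {{ ldap.attributes.user_id }}={{ username }},{{ ldap.dn.users }}

{#
  The administrator grant is decided per user: the check reads `is_admin` on
  the loop variable `user`, not on the `users` mapping, and the DN written is
  the current `username`. A missing flag defaults to false, so no
  administrator membership is emitted unless it is set explicitly.
#}
{% if user.is_admin | default(false) | bool %}

# Assign {{ username }} to {{ app }}-administrator
dn: cn={{ app }}-administrator,{{ ldap.dn.application_roles }}
changetype: modify
add: roleOccupant
roleOccupant: {{ ldap.attributes.user_id }}={{ username }},{{ ldap.dn.users }}
{% endif %}
{% endfor %}
{% endfor %}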