# Read the entries under the users OU together with their objectClass values,
# so the following task can add only the auxiliary classes an entry lacks.
# NOTE(review): both tasks bind as the data administrator DN with a password.
# Confirm openldap_server_uri is ldaps:// or ldapi://, or set start_tls, so the
# bind credential is not sent in clear text.
# NOTE(review): this task only reads; a read-only bind DN would be enough here
# if the directory has one.
- name: Gather all users with their current objectClass list
  register: ldap_users_with_classes
  community.general.ldap_search:
    server_uri: "{{ openldap_server_uri }}"
    bind_dn: "{{ LDAP.DN.ADMINISTRATOR.DATA }}"
    # bind_pw is expected to be masked by the module (no_log) - verify for the
    # installed community.general version before running with -vvv.
    bind_pw: "{{ LDAP.BIND_CREDENTIAL }}"
    dn: "{{ LDAP.DN.OU.USERS }}"
    scope: subordinate
    filter: "{{ LDAP.FILTERS.USERS.ALL }}"
    attrs:
      - dn
      - objectClass
      - "{{ LDAP.USER.ATTRIBUTES.ID }}"

# For each entry found above, add the configured auxiliary object classes that
# are not already in its objectClass list; entries with nothing missing are
# skipped by the when condition.
- name: Add only missing auxiliary classes
  vars:
    # Configured auxiliary classes minus the classes the entry already has.
    # NOTE(review): difference() compares strings case-sensitively, while LDAP
    # objectClass names are case-insensitive; a class stored with different
    # casing is presumably reported as missing and passed to ldap_attrs again.
    # NOTE(review): ldap_search may return a single-valued attribute as a plain
    # string instead of a list - confirm the result for such an entry.
    missing_auxiliary: >-
      {{ (LDAP.USER.OBJECTS.AUXILIARY.values() | list)
      | difference(item.objectClass | default([])) }}
  when: missing_auxiliary | length > 0
  community.general.ldap_attrs:
    server_uri: "{{ openldap_server_uri }}"
    bind_dn: "{{ LDAP.DN.ADMINISTRATOR.DATA }}"
    bind_pw: "{{ LDAP.BIND_CREDENTIAL }}"
    dn: "{{ item.dn }}"
    attributes:
      objectClass: "{{ missing_auxiliary }}"
    state: present
  loop: "{{ ldap_users_with_classes.results }}"
  loop_control:
    # Show only the DN per iteration instead of the full result item.
    label: "{{ item.dn }}"
  # async and poll are set only when ASYNC_ENABLED is true; omit leaves them
  # unset otherwise.
  # NOTE(review): with ASYNC_POLL set to 0 this task does not wait for the
  # modify to finish, so a failed change is not reported here; follow up with
  # async_status if failures must be detected.
  async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
  poll: "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"