computer-playbook/roles/svc-db-openldap/tasks/04_update.yml

- name: Gather all users with their current objectClass list
  community.general.ldap_search:
    server_uri: "{{ openldap_server_uri }}"
    bind_dn:    "{{ ldap.dn.administrator.data }}"
    bind_pw:    "{{ ldap.bind_credential }}"
    dn:         "{{ ldap.dn.ou.users }}"
    scope:      subordinate
    filter:     "{{ ldap.filters.users.all }}"
    attrs:
      - dn
      - objectClass
      - "{{ ldap.user.attributes.id }}"
  register: ldap_users_with_classes

- name: Add only missing auxiliary classes
  community.general.ldap_attrs:
    server_uri: "{{ openldap_server_uri }}"
    bind_dn:    "{{ ldap.dn.administrator.data }}"
    bind_pw:    "{{ ldap.bind_credential }}"
    dn:         "{{ item.dn }}"
    attributes:
      objectClass: "{{ missing_auxiliary }}"
    state: present
  async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
  poll:  "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
  loop: "{{ ldap_users_with_classes.results }}"
  loop_control:
    label: "{{ item.dn }}"
  vars:
    missing_auxiliary: >-
      {{ (ldap.user.objects.auxiliary.values() | list) 
         | difference(item.objectClass | default([]))
      }}
  when: missing_auxiliary | length > 0