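# LDAP authentication client setup: installs the NSS/SSSD stack, drops the
# client configuration (rendered from templates) with restrictive permissions,
# enables the resolver/cache daemons and turns on pam_mkhomedir.
# The whole block is skipped unless at least one LDAP URI is configured.
- name: system | ldap auth
  block:
    # Per-distribution package names (e.g. package_libnss_ldapd) come from
    # os_<lsb id>.yml. NOTE(review): this relies on the `lsb` fact being
    # populated (lsb_release present on the host) — confirm for all targets.
    - name: Load OS specific variables.
      tags: ldap
      ansible.builtin.include_vars:
        file: "os_{{ ansible_facts['lsb']['id'] }}.yml"

    - name: Install packages.
      tags: ldap,packages,ldap-auth
      ansible.builtin.package:
        state: present
        name:
          - "{{ package_libnss_ldapd }}"
          - libsss-sudo
          - sssd

    # Octal modes are quoted: an unquoted 0755 is parsed as a YAML 1.1 octal
    # integer and only works by accident (ansible-lint: risky-octal).
    - name: Create config directories.
      tags: ldap,ldap-auth
      ansible.builtin.file:
        state: directory
        owner: root
        group: root
        mode: "0755"
        path: "{{ item }}"
      loop:
        - /etc/sssd
        - /etc/ldap

    # Static files. The CA certificate is public material, so world-readable
    # is fine here; secrets never go through this task.
    # NOTE(review): the templates below should reference this certificate
    # path and require TLS verification — not visible here, confirm.
    - name: Copy config files.
      tags: ldap,ldap-auth
      ansible.builtin.copy:
        owner: root
        group: root
        mode: "0644"
        src: "{{ item.src }}"
        dest: "{{ item.dest }}"
      loop:
        - src: nscd.conf
          dest: /etc/nscd.conf
        - src: nsswitch.conf
          dest: /etc/nsswitch.conf
        - src: "{{ ldap_cert }}"
          dest: "/etc/ldap/{{ ldap_cert }}"
      notify:
        - restart_nscd

    # Rendered configs are root-only (0600): sssd.conf and nslcd.conf may
    # carry a bind password, and sssd refuses to start on looser permissions.
    # FQCN used for consistency with the other tasks in this block.
    - name: Create config files from templates.
      tags: ldap
      ansible.builtin.template:
        owner: root
        group: root
        mode: "0600"
        src: "{{ item.src }}"
        dest: "{{ item.dest }}"
      loop:
        - src: sssd.conf
          dest: /etc/sssd/sssd.conf
        - src: nslcd.conf
          dest: /etc/nslcd.conf
        - src: ldap.conf
          dest: /etc/ldap/ldap.conf
      notify:
        - restart_nslcd
        - restart_nscd
        - restart_sssd

    # Only enables at boot; the daemons are (re)started by the handlers above
    # when a config changes. NOTE(review): add `state: started` if a stopped
    # service on an unchanged host must be brought up by this play.
    - name: Enable services.
      ansible.builtin.service:
        name: "{{ item }}"
        enabled: true
      loop:
        - nslcd
        - nscd
        - sssd

    # FIXME(review): lineinfile requires `path` (the PAM session stack file,
    # which is distribution-specific) — without it this task fails. It is not
    # present in the original; set it from the OS-specific vars loaded above.
    # Escaped `.` so the regexp matches the literal module name only.
    - name: Enable pam_mkhomedirs
      ansible.builtin.lineinfile:
        regexp: '^session required pam_mkhomedir\.so'
        line: session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
        insertbefore: BOF
  # default([]) keeps the play from erroring when ldap_uris is undefined;
  # the block is then simply skipped.
  when:
    - ldap_uris | default([]) | length > 0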