author Guilhem Moulin <guilhem@fripost.org> 2025-01-30 00:58:13 +0100
committer Guilhem Moulin <guilhem@fripost.org> 2025-02-01 13:56:14 +0100
commit f647dd2265bf4c5a2903325f628774eace2011ce
tree 715821c697ba3988acf93626645b943df2ee2bdd /roles/LDAP-provider/tasks
parent bcdb01c02f392503c91538b3c1fabe62544ef423
LDAP: Load dynlist overlay.
Looks like nextcloud 26-29 broke something in the handling of dynamic groups via memberURL attribute (and keeps repopulating the group — possibly due to paging — thereby spamming members with “An administrator removed you from group medlemmar” mails), so we expand on the slapd via slapo-dynlist(5) instead. This commit also fixes an issue with the openldap module where the index of the leftmost attribute of the DN is not necessarily {0}.
Diffstat (limited to 'roles/LDAP-provider/tasks')
-rw-r--r-- roles/LDAP-provider/tasks/main.yml 12
1 files changed, 9 insertions, 3 deletions
diff --git a/roles/LDAP-provider/tasks/main.yml b/roles/LDAP-provider/tasks/main.yml
index 9bc227e..8d4e327 100644
--- a/roles/LDAP-provider/tasks/main.yml
+++ b/roles/LDAP-provider/tasks/main.yml
@@ -4,6 +4,15 @@
target=etc/ldap/syncprov.ldif
local=file
+#- name: Load dyngroup schema
+# openldap: target=/etc/ldap/schema/dyngroup.ldif
+
+- name: Load and configure the dynlist overlay
+ openldap: module=dynlist
+ suffix=dc=fripost,dc=org
+ target=etc/ldap/dynlist.ldif
+ local=file
+
## XXX should be /etc/sasl2/slapd.conf ideally, but it doesn't work with
## Stretch, cf #211156 and #798462:
## ldapsearch -LLLx -H ldapi:// -b "" -s base supportedSASLMechanisms
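Review bot: the commented-out "Load dyngroup schema" task is carried over directly above the new "Load and configure the dynlist overlay" task without saying whether that schema is still needed. The commit message says groups are expanded through their memberURL attribute, so either add a one-line comment stating where the schema that defines it gets loaded, or delete the dead task instead of moving it. The new task also hard-codes suffix=dc=fripost,dc=org; if the role already has a variable for the base DN, using it here would keep the overlay attached to the intended database if the suffix ever changes.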
@@ -15,7 +24,4 @@
owner=root group=root
mode=0644
-#- name: Load dyngroup schema
-# openldap: target=/etc/ldap/schema/dyngroup.ldif
-
# TODO: authz constraint
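Review bot: with the commented-out dyngroup task dropped here, the trailing "# TODO: authz constraint" is left as the last line of the file with no indication of which task or access rule it refers to. Since this commit moves group expansion onto slapd, expanding the TODO into a one-line description of the intended constraint would make it actionable for whoever picks it up.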