authorGuilhem Moulin <guilhem@fripost.org>2014-07-07 23:02:45 +0200
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:52:41 +0200
commit9198e7f8096e9f1b0d5f474cf2345913a357f864 (patch)
tree940cafc428e311b8ea82d9dad7a59c8bfb9251ac /roles
parent3e38718677b10faca8970d9b1cc8edc215cce798 (diff)
Make the Ansible LDAP plugin able to delete entries and attributes.
Use it to delete cn=admin,dc=fripost,dc=org, and to remove the rootDN on the 'config' database.
Diffstat (limited to 'roles')
-rw-r--r--roles/LDAP-provider/tasks/main.yml2
-rw-r--r--roles/common-LDAP/tasks/main.yml14
2 files changed, 12 insertions, 4 deletions
diff --git a/roles/LDAP-provider/tasks/main.yml b/roles/LDAP-provider/tasks/main.yml
index 0ba4f26..fa212a0 100644
--- a/roles/LDAP-provider/tasks/main.yml
+++ b/roles/LDAP-provider/tasks/main.yml
@@ -1,5 +1,5 @@
- name: Load and configure the syncprov overlay
- openldap: module=syncprov state=present
+ openldap: module=syncprov
suffix=dc=fripost,dc=org
target=etc/ldap/syncprov.ldif
local=file
diff --git a/roles/common-LDAP/tasks/main.yml b/roles/common-LDAP/tasks/main.yml
index 85ad831..e86fa45 100644
--- a/roles/common-LDAP/tasks/main.yml
+++ b/roles/common-LDAP/tasks/main.yml
@@ -112,17 +112,25 @@
- amavis
- name: Load amavis' schema
- openldap: target=/etc/ldap/schema/amavis.schema state=present
+ openldap: target=/etc/ldap/schema/amavis.schema
format=slapd.conf name=amavis
tags:
- ldap
- name: Load Fripost' schema
- openldap: target=/etc/ldap/schema/fripost.ldif state=present
+ openldap: target=/etc/ldap/schema/fripost.ldif
tags:
- ldap
# We assume a clean (=stock) cn=config
- name: Configure the LDAP database
openldap: target=etc/ldap/database.ldif.j2 local=template
- state=present
+
+# On read-only replicates, you might have to temporarily switch back to
+# read-write, delete the SyncRepl, and delete the DN manually:
+# sudo ldapdelete -Y EXTERNAL -H ldapi:// cn=admin,dc=fripost,dc=org
+- name: Remove cn=admin,dc=fripost,dc=org
+ openldap: name="cn=admin,dc=fripost,dc=org" delete=entry
+
+- name: Remove the rootDN under the 'config' database
+ openldap: name="olcDatabase={0}config,cn=config" delete=olcRootDN,olcRootPW
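Review bot: The final task deletes `olcRootDN` and `olcRootPW` from `olcDatabase={0}config,cn=config`, but nothing in this hunk checks that another identity keeps manage access to cn=config. Once the rootDN is gone, online administration depends entirely on an `olcAccess` rule for the local root over SASL EXTERNAL on `ldapi://`. That rule is presumably what the earlier "We assume a clean (=stock) cn=config" comment relies on, but it is not visible here. If it is missing, cn=config can only be repaired offline with slapd stopped. I would state the precondition above the task, for example `# Requires an olcAccess rule on {0}config granting manage to gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth; verify before removing the rootDN.`, and consider a preceding task that fails if the rule is absent.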