From 9198e7f8096e9f1b0d5f474cf2345913a357f864 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Mon, 7 Jul 2014 23:02:45 +0200 Subject: Make the Ansible LDAP plugin able to delete entries and attributes. Use it to delete cn=admin,dc=fripost,dc=org, and to remove the rootDN on the 'config' database. --- lib/action_plugins/openldap.py | 3 +++ lib/modules/openldap | 37 ++++++++++++++++++++++++++++++++----- roles/LDAP-provider/tasks/main.yml | 2 +- roles/common-LDAP/tasks/main.yml | 14 +++++++++++--- 4 files changed, 47 insertions(+), 9 deletions(-) diff --git a/lib/action_plugins/openldap.py b/lib/action_plugins/openldap.py index ee8a991..5dbf59f 100644 --- a/lib/action_plugins/openldap.py +++ b/lib/action_plugins/openldap.py @@ -31,6 +31,9 @@ class ActionModule(object): def run(self, conn, tmp, module_name, module_args, inject, complex_args=None, **kwargs): ''' handler for file transfer operations ''' + if self.runner.noop_on_check(inject): + return ReturnData(conn=conn, comm_ok=True, result=dict(skipped=True)) + # load up options options = {} if complex_args: diff --git a/lib/modules/openldap b/lib/modules/openldap index 1e84c32..69ee4df 100644 --- a/lib/modules/openldap +++ b/lib/modules/openldap 
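Review bot: The new guard `if self.runner.noop_on_check(inject): return ReturnData(..., result=dict(skipped=True))` makes the whole action skip in check mode, yet the module this plugin drives declares `supports_check_mode=True` and, in the same commit, gains a check-mode branch in its delete path that exits with the predicted `changed` value. If `noop_on_check` behaves as in Ansible 1.x (true whenever `--check` is active unless `always_run` is set), that branch is unreachable through this plugin and a `--check` run never reports pending deletions of `cn=admin` or of the config rootDN. Either drop the guard and let the module handle check mode itself, or record the intent with a comment above it, e.g. `# Check mode: this plugin transfers files to the host, so skip outright instead of predicting changes.` The `run` method continues past the hunk.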
@@ -265,31 +265,58 @@ def slapd_to_ldif(src, name): def main(): module = AnsibleModule( argument_spec = dict( - state = dict( default="present", choices=["absent","present"]), target = dict( default=None ), module = dict( default=None ), suffix = dict( default=None ), format = dict( default="ldif", choices=["ldif","slapd.conf"] ), name = dict( default=None ), local = dict( default="no", choices=["no","file","template"] ), + delete = dict( default=None ), ), supports_check_mode=True ) params = module.params - state = params['state'] target = params['target'] mod = params['module'] suffix = params['suffix'] form = params['format'] name = params['name'] + delete = params['delete'] changed = False try: - if state == "absent": - module.fail_json(msg="OpenLDAP's ansible: unsupported feature") + if delete is not None: + if name is None: + module.fail_json(msg="missing name") + l = ldap.initialize( 'ldapi://' ) + l.sasl_interactive_bind_s('', ldap.sasl.external()) + if delete == 'entry': + filterStr = '(objectClass=*)' + else: + filterStr = [ '(%s=*)' % x for x in delete.split(',') ] + if len(filterStr) > 1: + filterStr = '(|' + ''.join(filterStr) + ')' + else: + filterStr = filterStr[0] + + try: + r = l.search_s( name, ldap.SCOPE_BASE, filterStr, attrsonly=1 ) + except ldap.LDAPError, ldap.NO_SUCH_OBJECT: + r = None - elif state == "present": + if r: + changed = True + if module.check_mode: + module.exit_json(changed=changed) + if delete == 'entry': + l.delete_s(r[0][0]) + else: + attrlist = list(set(r[0][1].keys()) & set(delete.split(','))) + l.modify_s(r[0][0], [ (ldap.MOD_DELETE, x, None) for x in attrlist ]) + l.unbind_s() + + else: if form == 'slapd.conf': if name is None: module.fail_json(msg="missing name") diff --git a/roles/LDAP-provider/tasks/main.yml b/roles/LDAP-provider/tasks/main.yml index 0ba4f26..fa212a0 100644 --- a/roles/LDAP-provider/tasks/main.yml +++ b/roles/LDAP-provider/tasks/main.yml 
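Review bot: `except ldap.LDAPError, ldap.NO_SUCH_OBJECT:` in the new delete branch is Python 2's `except A, name:` form, so it catches every `LDAPError` (insufficient access, connection failure, malformed DN) and rebinds the module attribute `ldap.NO_SUCH_OBJECT` to the exception instance, instead of catching only a missing entry. Any failure of the base-scope `search_s` is then turned into `r = None` and reported as `changed=False` with no error, which for a task that is supposed to strip `olcRootPW` from cn=config means a silent no-op looks like success. It should read `except ldap.NO_SUCH_OBJECT:` so that other errors reach the enclosing handler, which lies outside the hunk. Less critically, `set(r[0][1].keys()) & set(delete.split(','))` compares attribute names case-sensitively while LDAP attribute types are case-insensitive, so `delete=olcrootpw` would match the presence filter but remove nothing; lower-casing both sides (or using `ldap.cidict`) would make the two steps agree.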
@@ -1,5 +1,5 @@ - name: Load and configure the syncprov overlay - openldap: module=syncprov state=present + openldap: module=syncprov suffix=dc=fripost,dc=org target=etc/ldap/syncprov.ldif local=file diff --git a/roles/common-LDAP/tasks/main.yml b/roles/common-LDAP/tasks/main.yml index 85ad831..e86fa45 100644 --- a/roles/common-LDAP/tasks/main.yml +++ b/roles/common-LDAP/tasks/main.yml @@ -112,17 +112,25 @@ - amavis - name: Load amavis' schema - openldap: target=/etc/ldap/schema/amavis.schema state=present + openldap: target=/etc/ldap/schema/amavis.schema format=slapd.conf name=amavis tags: - ldap - name: Load Fripost' schema - openldap: target=/etc/ldap/schema/fripost.ldif state=present + openldap: target=/etc/ldap/schema/fripost.ldif tags: - ldap # We assume a clean (=stock) cn=config - name: Configure the LDAP database openldap: target=etc/ldap/database.ldif.j2 local=template - state=present + +# On read-only replicates, you might have to temporarily switch back to +# read-write, delete the SyncRepl, and delete the DN manually: +# sudo ldapdelete -Y EXTERNAL -H ldapi:// cn=admin,dc=fripost,dc=org +- name: Remove cn=admin,dc=fripost,dc=org + openldap: name="cn=admin,dc=fripost,dc=org" delete=entry + +- name: Remove the rootDN under the 'config' database + openldap: name="olcDatabase={0}config,cn=config" delete=olcRootDN,olcRootPW -- cgit v1.2.3
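Review bot: The task "Remove the rootDN under the 'config' database" deletes `olcRootDN` and `olcRootPW` from `olcDatabase={0}config,cn=config`, after which the ldapi:// SASL EXTERNAL identity the module binds with is the only administrative path into cn=config, and nothing in this hunk asserts that `{0}config` carries an `olcAccess` rule granting `manage` to that identity (presumably set by the earlier "Configure the LDAP database" task, whose `database.ldif.j2` is not visible here). If that rule is absent or later dropped, the config database becomes unmanageable with no rootDN to fall back on. The precondition deserves a comment above the task, e.g. `# Requires an olcAccess rule on {0}config granting manage to gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth; without it cn=config is locked out once the rootDN is gone.` The recovery note above "Remove cn=admin" could likewise say that the read-only replica case applies because the module always binds over the local ldapi socket rather than to the provider.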