Update to 2022-03-17 19:00

roles/ldap2pg/defaults/main.yml

@@ -1,13 +1,15 @@
 ---
 
 # How often ldap2pg will sync (eg hourly, '*:0:15', systemd timer syntaxe)
-# A value of never will disable automatic sync (you can still fire the ldap2pg service manually)
+ldap2pg_sync_freq: hourly
-ldap2pg_sync_freq: never
 
 # Under which account will ldap2pg run
 # Default is under the local postgres account which is fine for managing a local postgres instance
 ldap2pg_user: postgres
 
+# Set dry mode to False to actually do the sync
+ldap2pg_dry_mode: True
+
 ldap2pg_base_conf:
   version: 5  
   ldap:

roles/ldap2pg/files/ldap2pg_cacert.diff

@@ -0,0 +1,10 @@
+--- /usr/lib/python2.7/site-packages/ldap2pg/ldap.py.orig	2022-03-17 14:52:58.974806660 +0100
++++ /usr/lib/python2.7/site-packages/ldap2pg/ldap.py	2022-03-17 15:03:47.449618132 +0100
+@@ -293,6 +293,7 @@
+ 
+     if options.get('STARTTLS'):
+         logger.debug("Sending STARTTLS.")
++        conn.set_option(ldap.OPT_X_TLS_CACERTFILE, '/etc/pki/tls/cert.pem')
+         conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
+         conn.start_tls_s()
+ 

roles/ldap2pg/tasks/install.yml

@@ -4,6 +4,13 @@
   package: name={{ ldap2pg_packages }}
   tags: pg
 
+- name: Patch ldap2pg to specify global cacert
+  patch: src=ldap2pg_cacert.diff dest=/usr/lib/python2.7/site-packages/ldap2pg/ldap.py
+  when:
+    - ansible_os_family == 'RedHat'
+    - ansible_distribution_major_version is version('8', '<')
+  tags: pg
+
 - name: Install systemd unit
   template: src=ldap2pg.{{ item }}.j2 dest=/etc/systemd/system/ldap2pg.{{ item }}
   loop:
@@ -17,5 +24,5 @@
 
 - name: Reload systemd
   systemd: daemon_reload=True
-  when: ldap2Pg_units.results | selectattr('changed','equalto',True) | list | length > 0
+  when: ldap2pg_units.results | selectattr('changed','equalto',True) | list | length > 0
   tags: pg

roles/ldap2pg/tasks/services.yml

@@ -1,5 +1,5 @@
 ---
 
 - name: Handle ldap2pg timer
-  systemd: name=ldap2pg.timer state={{ (ldap2pg_sync_freq == 'never') | ternary('stopped', 'started') }} enabled={{ (ldap2pg_sync_freq == 'never') | ternary(False, True) }}
+  systemd: name=ldap2pg.timer state={{ ldap2pg_dry_mode | ternary('stopped', 'started') }} enabled={{ ldap2pg_dry_mode | ternary(False, True) }}
   tags: pg

roles/ldap2pg/templates/ldap2pg.service.j2

@@ -6,5 +6,5 @@ Type=oneshot
 PrivateTmp=yes
 User={{ ldap2pg_user }}
 Group={{ ldap2pg_user }}
-ExecStart=/bin/ldap2pg -c /etc/ldap2pg.yml --real
+ExecStart=/bin/ldap2pg -c /etc/ldap2pg.yml --{{ ldap2pg_dry_mode | ternary('dry', 'real') }}
 TimeoutSec=30m

roles/ldap2pg/templates/ldap2pg.timer.j2

@@ -2,7 +2,8 @@
 Description=Sync postgres role from LDAP
 
 [Timer]
-OnCalendar={{ (ldap2pg_sync_freq == 'never') | ternary('daily', ldap2pg_sync_freq) }}
+OnCalendar={{ ldap2pg_sync_freq }}
+RandomizedDelaySec=5m
 
 [Install]
 WantedBy=timers.target

roles/ldap2pg/vars/RedHat-7.yml

@@ -0,0 +1,6 @@
+---
+
+ldap2pg_packages:
+  - ldap2pg
+  - python-setuptools
+  - patch