---
- name: Check for marker line
  lineinfile:
    path: /etc/sssd/sssd.conf
    create: true
    state: present
    line: "# BEGIN ANSIBLE MANAGED BLOCK"
  register: marker_check

- name: Delete file if marker is absent
  file:
    path: /etc/sssd/sssd.conf
    state: absent
  when: marker_check.changed

- name: sssd config
  blockinfile:
    path: /etc/sssd/sssd.conf
    state: present
    create: true
    owner: "root"
    group: "root"
    mode: "0600"
    block: |
      [sssd]
      domains = default
      services = nss,pam,ssh
      
      [domain/default]
      id_provider = ldap
      ldap_uri = ldaps://ldap.neuro.uni-bremen.de:636
      ldap_search_base = dc=ldap,dc=neuro,dc=uni-bremen,dc=de
      
      ldap_user_name = uid
      ldap_user_uid_number = uidNumber
      ldap_user_gid_number = gidNumber
      ldap_user_home_directory = homeDirectory
      loginShell = loginShell
      ldap_user_fullname = cn
      ldap_user_object_class = posixAccount
      ldap_default_authtok_type = password
      ldap_tls_reqcert = never
      
      # ldap_auth_disable_tls_never_use_in_production = true
      # ldap_id_use_start_tls = False
  register: marker_check

- name: enable sssd
  shell: "/usr/bin/authselect select sssd --force"
  when: marker_check.changed

- name: Make sure sssd is updated
  systemd_service:
    daemon_reload: true
    state: restarted
    enabled: true
    name: sssd
  when: marker_check.changed