From 2c3d0688099f7b2925497ff8baafdd88b535ee58 Mon Sep 17 00:00:00 2001
From: Zolfa
Date: Sat, 16 May 2020 16:12:01 +0200
Subject: [PATCH] roles/ldap: fix acl to add user to groups
---
 roles/ldap/tasks/1_configure_server.yaml | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/roles/ldap/tasks/1_configure_server.yaml b/roles/ldap/tasks/1_configure_server.yaml
index 5af5f43..76e41ed 100644
--- a/roles/ldap/tasks/1_configure_server.yaml
+++ b/roles/ldap/tasks/1_configure_server.yaml
@@ -147,18 +147,19 @@
 by self write
 by anonymous {{ 'tls_ssf=256 ' if ldap_tls_enabled }}auth
 by * none
- # [1.1] -> Admins can list the full People tree
+ # [1.1] -> Admins can add/remove People entries
+ - >-
+ {2} to dn.exact=ou=People,{{ ldap_basedn }} attrs=children
+ by group.exact=cn=admin,ou=Group,{{ ldap_basedn }} write
+ by * none
+
+ # [1.2] -> Admins can list the full People tree
 # -> Servers can perform search on People tree
 - >-
- {2} to dn.exact=ou=People,{{ ldap_basedn }}
+ {3} to dn.exact=ou=People,{{ ldap_basedn }}
 by group.exact=cn=admin,ou=Group,{{ ldap_basedn }} read
 by dn.children=ou=Server,{{ ldap_basedn }} search
 by * none
- # [1.2] -> Admins can add/remove People entries
- - >-
- {3} to dn.exact=ou=People,{{ ldap_basedn }} attrs=children
- by group.exact=cn=admin,ou=Group,{{ ldap_basedn }} write
- by * none
 # [1.3] -> Admins can edit all People attributes
 # -> Servers can read all People attributes (except userPassword)
 # -> People can read all their attributes
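Review bot: The fix relies entirely on rule order, but nothing in the new `[1.1]` comment says so, so the next person who tidies the list can silently reintroduce the bug the commit subject describes. If I read slapd.access(5) correctly, slapd stops at the first `to` clause whose `<what>` matches, and a `dn.exact=ou=People` rule without `attrs=` also covers the `children` pseudo-attribute, which is why the old order gave admins only `read` on it and the `write` rule was never reached. I would extend the comment on the new `{2}` block to `# [1.1] -> Admins can add/remove People entries (must precede [1.2]: slapd uses the first matching "to" clause, and a rule without attrs= also matches the children pseudo-attribute)`. Note also that the subject says "add user to groups" while this hunk only touches the `ou=People` ACL; any corresponding `ou=Group` rule is outside the hunk, so I cannot tell from here whether the same ordering issue exists there.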