{% for map in item.0.auth.role_map | sort(attribute='priority') %}
LDAP Auth {{ map.role }}:
  type: External
  label: LDAP Authentication {{ map.role }}
  description: Authenticate {{ map.role }} against an LDAP server
  role: {{ map.role }}
  command: {{ pki_root_dir }}/bin/openxpki-auth-ldap -H {{ item.0.auth.ldap_uri }} -b {{ item.0.auth.ldap_base }} {{ item.0.auth.ldap_start_tls | ternary('--starttls ','') }}-U LOGIN -P PASSWD --extra-filter='{{ map.filter }}' --user-attr={{ item.0.auth.ldap_user_attr }} {% if item.0.auth.ldap_bind_dn is defined and item.0.auth.ldap_bind_pass is defined %}-D BIND_DN -W BIND_PASS{% endif %} 
  env:
    PERL5LIB: {{ pki_root_dir }}/lib/perl5
    LOGIN: __USER__
    PASSWD: __PASSWD__
{% if item.0.auth.ldap_bind_dn is defined and item.0.auth.ldap_bind_pass is defined %}
    BIND_DN: {{ item.0.auth.ldap_bind_dn }}
    BIND_PASS: '{{ item.0.auth.ldap_bind_pass }}'
{% endif %}

{% endfor %}

System:
  type: Anonymous
  label: System
  role: System