Add missing ACI and role to LDAP seeds

app/services/ldap_service.rb

@@ -17,7 +17,7 @@ class LdapService < ApplicationService
     res
   end
 
-  def delete_all_entries
+  def delete_all_entries!
     if Rails.env.production?
       raise "Mass deletion of entries not allowed in production"
     end
@@ -90,6 +90,26 @@ class LdapService < ApplicationService
     add_entry dn, attrs, interactive
   end
 
+  def reset_directory!
+    if Rails.env.production?
+      raise "Resetting the directory not allowed in production"
+    end
+
+    delete_all_entries!
+
+    user_read_aci = <<-EOS
+(target="ldap:///#{@suffix}")(targetattr="*") (version 3.0; acl "user-read-search-own-attributes"; allow (read,search) userdn="ldap:///self";)
+    EOS
+
+    add_entry @suffix, {
+      dc: "kosmos", objectClass: ["top", "domain"], aci: user_read_aci
+    }, true
+
+    add_entry "cn=users,#{@suffix}", {
+       cn: "users", objectClass: ["top", "organizationalRole"]
+    }, true
+  end
+
   private
 
   def ldap_client