Add missing ACI and role to LDAP seeds

lib/tasks/ldap.rake

@@ -1,18 +1,20 @@
 namespace :ldap do
-  desc "Set up base entries for LDAP directory"
+  desc "Reset the LDAP directory and set up base entries and default org"
   task seed: :environment do |t, args|
     ldap = LdapService.new
 
-    ldap.delete_all_entries
-
-    ldap.add_entry "dc=kosmos,dc=org", {
-      dc: "kosmos", objectClass: ["top", "domain"]
-    }, true
-    ldap.add_entry "cn=users,dc=kosmos,dc=org", {
-       cn: "users", objectClass: ["top", "organizationalRole"]
-    }, true
+    # Delete all existing entries and re-add base entries
+    ldap.reset_directory!
 
     ldap.add_organization "kosmos.org", "Kosmos", true
+
+    # add admin role
+    ldap.add_entry "cn=admin_role,ou=kosmos.org,cn=users,dc=kosmos,dc=org", {
+      objectClass: %w{top LDAPsubentry nsRoleDefinition nsComplexRoleDefinition nsFilteredRoleDefinition},
+      cn: "admin_role",
+      nsRoleFilter: "(&(objectclass=person)(admin=true))",
+      description: "filtered role for admins"
+    }, true
   end
 
   desc "List user domains/organizations"