diff --git a/docs/rolereference.rst b/docs/rolereference.rst
index 7f078d4295619721c9fe54ea12eab07ab68784f8..8749894f3f1da0bc50e4d8bd91e242b967545212 100644
--- a/docs/rolereference.rst
+++ b/docs/rolereference.rst
@@ -782,7 +782,6 @@ Distribution compatibility
 Role is compatible with the following distributions:
-- Debian 9 (Stretch)
 - Debian 10 (Buster)
diff --git a/roles/ldap_server/meta/main.yml b/roles/ldap_server/meta/main.yml
index 5c376a29bedc9fc7b45a465f417199f0f0cef43f..97ade01ddb6d6645835f6eca37d937eb66fd4fd1 100644
--- a/roles/ldap_server/meta/main.yml
+++ b/roles/ldap_server/meta/main.yml
@@ -17,5 +17,4 @@ galaxy_info:
 platforms:
 - name: Debian
 versions:
- - 9
 - 10
diff --git a/roles/ldap_server/molecule/default/molecule.yml b/roles/ldap_server/molecule/default/molecule.yml
index 1051a99ebbdcea5ad620cf32cf3472c04dc48d0d..74600135db5a2fa41641a0147f60cc011ad31e2d 100644
--- a/roles/ldap_server/molecule/default/molecule.yml
+++ b/roles/ldap_server/molecule/default/molecule.yml
@@ -20,32 +20,7 @@ platforms:
 cpus: 1
 interfaces:
 - auto_config: true
- ip: 10.31.127.10
- network_name: private_network
- type: static
-
- - name: parameters-mandatory-stretch64
- groups:
- - parameters-mandatory
- box: debian/contrib-stretch64
- memory: 256
- cpus: 1
- interfaces:
- - auto_config: true
- ip: 10.31.127.22
- network_name: private_network
- type: static
-
- - name: parameters-optional-stretch64
- groups:
- - parameters-optional
- - backup-server
- box: debian/contrib-stretch64
- memory: 256
- cpus: 1
- interfaces:
- - auto_config: true
- ip: 10.31.127.23
+ ip: 192.168.56.10
 network_name: private_network
 type: static
@@ -57,7 +32,7 @@ platforms:
 cpus: 1
 interfaces:
 - auto_config: true
- ip: 10.31.127.12
+ ip: 192.168.56.12
 network_name: private_network
 type: static
@@ -70,7 +45,7 @@ platforms:
 cpus: 1
 interfaces:
 - auto_config: true
- ip: 10.31.127.13
+ ip: 192.168.56.13
 network_name: private_network
 type: static
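Review bot: The `ip:` values in all three molecule.yml hunks move from 10.31.127.x to 192.168.56.x without a comment explaining why, in a change that otherwise only removes the Debian 9 (Stretch) platforms. The same addresses are repeated by hand as keys of the `with_dict` block in prepare.yml, so the two files have to be edited in step and nothing on either side says so. I would add a comment above the first `interfaces:` entry, for example `# Addresses must match the with_dict entries in molecule/default/prepare.yml.`, and state the reason for the new range there (presumably the hypervisor's permitted host-only network, but that is not visible in the diff). The platform entries begin outside these hunks.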
diff --git a/roles/ldap_server/molecule/default/prepare.yml b/roles/ldap_server/molecule/default/prepare.yml
index 19a471050a10d84f3961cfafc2bf61f5a491ea5e..f8d4868ba598ee6f94f201bff14d88234e741d07 100644
--- a/roles/ldap_server/molecule/default/prepare.yml
+++ b/roles/ldap_server/molecule/default/prepare.yml
@@ -23,10 +23,6 @@
 - "{{ item.name }}"
 - "{{ item.fqdn }}"
 with_items:
- - name: parameters-mandatory-stretch64_ldap
- fqdn: parameters-mandatory
- - name: parameters-optional-stretch64_ldap
- fqdn: parameters-optional
 - name: parameters-mandatory-buster64_ldap
 fqdn: parameters-mandatory
 - name: parameters-optional-buster64_ldap
@@ -83,10 +79,8 @@
 mode: 0644
 state: present
 with_dict:
- 10.31.127.22: parameters-mandatory-stretch64
- 10.31.127.23: parameters-optional-stretch64
- 10.31.127.12: parameters-mandatory-buster64
- 10.31.127.13: parameters-optional-buster64
+ 192.168.56.12: parameters-mandatory-buster64
+ 192.168.56.13: parameters-optional-buster64
 - hosts: parameters-optional
 become: true
diff --git a/roles/ldap_server/molecule/default/tests/test_mandatory.py b/roles/ldap_server/molecule/default/tests/test_mandatory.py
index 47d0bf1ac4782fa18d5d07387570f3ccca4b9130..251893e7c7783493c8cb54fa5563a3e63831627c 100644
--- a/roles/ldap_server/molecule/default/tests/test_mandatory.py
+++ b/roles/ldap_server/molecule/default/tests/test_mandatory.py
@@ -75,27 +75,14 @@ def test_tls_version_and_ciphers(host):
 expected_tls_versions = ["TLSv1.2"]
- # @TODO: Under Debian Stretch, the DHE ciphers are not usable due
- # to a bug present in OpenLDAP 2.4.44. See
- # https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1656979
- # for details.
- expected_tls_ciphers = {
- "stretch": [
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
- ],
- "buster": [
- "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
- ]
- }
-
- distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]
+ expected_tls_ciphers = [
+ "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+ ]
 # Run the nmap scanner against the LDAP server, and fetch the
 # results.
@@ -118,7 +105,7 @@ def test_tls_version_and_ciphers(host):
 tls_ciphers = sorted(list(tls_ciphers))
 assert tls_versions == expected_tls_versions
- assert tls_ciphers == expected_tls_ciphers[distribution_release]
+ assert tls_ciphers == expected_tls_ciphers
 def test_ssf_configuration(host):
diff --git a/roles/ldap_server/molecule/default/tests/test_optional.py b/roles/ldap_server/molecule/default/tests/test_optional.py
index d7f32dc9464fde40c60f93ef2f0b614e6198852f..11f196b93e58dae612afb86adebe8b3fd8b69959 100644
--- a/roles/ldap_server/molecule/default/tests/test_optional.py
+++ b/roles/ldap_server/molecule/default/tests/test_optional.py
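Review bot: The new `expected_tls_ciphers` list in test_mandatory.py has no comment saying where its six suites come from, now that the per-release dict and its @TODO are gone. A reader cannot tell whether a mismatch means the role's TLS configuration regressed or the scanner started naming suites differently. I would put a comment above the list such as `# Suites the role is expected to offer with default parameters, as named by nmap's cipher enumeration.`; that it mirrors the role defaults is inferred from the file name and should be confirmed. The function body starts and ends outside this hunk.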
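Review bot: The assertion `assert tls_ciphers == expected_tls_ciphers` compares a list that the context line has just passed through `sorted()` against a hand-written literal, so the test passes only while that literal is kept in sorted order. It is sorted today, but a later out-of-order addition would fail even though the server offers exactly the expected suites. Writing it as `assert tls_ciphers == sorted(expected_tls_ciphers)` removes the hidden dependency. The identical line in the second hunk of test_optional.py has the same issue. The function body starts and ends outside this hunk.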
@@ -77,37 +77,20 @@ def test_tls_version_and_ciphers(host):
 expected_tls_versions = ["TLSv1.1", "TLSv1.2"]
- # @TODO: Under Debian Stretch, the DHE ciphers are not usable due
- # to a bug present in OpenLDAP 2.4.44. See
- # https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1656979
- # for details. It should be possible to fix this problem once
- # switch to buster is mad.e
- expected_tls_ciphers = {
- "stretch": [
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
- ],
- "buster": [
- "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
- "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
- "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
- "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
- "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
- ]
- }
-
- distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]
+ expected_tls_ciphers = [
+ "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
+ "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
+ "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
+ "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
+ "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+ "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+ ]
 # Run the nmap scanner against the LDAP server, and fetch the
 # results.
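Review bot: The list added here pins CBC suites with SHA-1 MACs (`TLS_DHE_RSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`) as the passing result, next to `expected_tls_versions = ["TLSv1.1", "TLSv1.2"]`, and nothing in the hunk says this is intentional. Presumably the optional-parameters scenario widens the role's defaults on purpose to prove the TLS settings are configurable, but as written the list reads like an endorsed configuration, and TLS 1.1 is deprecated by RFC 8996. I would add above the list `# Deliberately broader than the role defaults checked in test_mandatory.py; verifies that the TLS version and cipher parameters take effect, not a recommended set.` The function body starts and ends outside this hunk.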
@@ -130,7 +113,7 @@ def test_tls_version_and_ciphers(host):
 tls_ciphers = sorted(list(tls_ciphers))
 assert tls_versions == expected_tls_versions
- assert tls_ciphers == expected_tls_ciphers[distribution_release]
+ assert tls_ciphers == expected_tls_ciphers
 def test_ssf_configuration(host):