Changeset - 064760bdc9d5
[Not reviewed]
0 4 6
Branko Majic (branko) - 7 years ago 2017-06-26 22:15:54
branko@majic.rs
MAR-26: Implemented tests and fixes for ldap_server role:

- Use static network configuration in order to make it easier to test
connectivity from dedicated client.
- Added client machine for testing firewall.
- Added missing LDAP client configuration on instance used for testing of
mandatory options.
- Fixed name of server for backup testing purposes.
- Expanded a bit the cipher configuration for LDAP server for testing optional
parameters.
- Fixed wrongly populated Debian selections setting for LDAP organisation.
- Use templates for deploying LDAP TLS keys and certificates in order to avoid
Ansible munching the TAB characters.
- Implemented tests covering fully functionality of the role.
10 files changed with 678 insertions and 13 deletions:
0 comments (0 inline, 0 general)
roles/ldap_server/molecule.yml
 
@@ -20,7 +20,25 @@ vagrant:
 

	
 
  instances:
 
    - name: parameters-mandatory.local
 
      interfaces:
 
        - network_name: private_network
 
          type: static
 
          ip: 10.31.127.10
 
          auto_config: yes
 

	
 
    - name: parameters-optional
 
      interfaces:
 
        - network_name: private_network
 
          type: static
 
          ip: 10.31.127.11
 
          auto_config: yes
 

	
 
    - name: client
 
      interfaces:
 
        - network_name: private_network
 
          type: static
 
          ip: 10.31.127.12
 
          auto_config: yes
 

	
 
verifier:
 
  name: testinfra
roles/ldap_server/playbook.yml
 
@@ -12,6 +12,15 @@
 
    - role: ldap_server
 
      ldap_admin_password: adminpassword
 

	
 
      # ldap_client
 
      ldap_client_config:
 
        - comment: CA truststore
 
          option: TLS_CACERT
 
          value: /etc/ssl/certs/testca.cert.pem
 
        - comment: Ensure TLS is enforced
 
          option: TLS_REQCERT
 
          value: demand
 

	
 
      # common vars (not the role, global common)
 
      tls_private_key_dir: tests/data/x509/
 
      tls_certificate_dir: tests/data/x509/
 
@@ -25,7 +34,7 @@
 
        ed25519: "{{ lookup('file', 'tests/data/ssh/server_ed25519') }}"
 
        ecdsa: "{{ lookup('file', 'tests/data/ssh/server_ecdsa') }}"
 
      backup_clients:
 
        - server: backup
 
        - server: parameters-optional
 
          ip: 127.0.0.1
 
          public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"
 

	
 
@@ -85,11 +94,11 @@
 
      ldap_server_tls_certificate: "{{ lookup('file', 'tests/data/x509/parameters-optional.cert.pem') }}"
 
      ldap_server_tls_key: "{{ lookup('file', 'tests/data/x509/parameters-optional.key.pem') }}"
 
      ldap_server_ssf: 0
 
      ldap_tls_ciphers: "NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA1:+SHA256:+SHA384:+AEAD:+AES-128-GCM:+AES-128-CBC:+AES-256-GCM:+AES-256-CBC:+CURVE-ALL"
 
      ldap_tls_ciphers: "NONE:+VERS-TLS1.1:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA1:+SHA256:+SHA384:+AEAD:+AES-128-GCM:+AES-128-CBC:+AES-256-GCM:+AES-256-CBC:+CURVE-ALL"
 

	
 
      # ldap_client
 
      ldap_client_config:
 
        - comment: Set-up CA truststore
 
        - comment: CA truststore
 
          option: TLS_CACERT
 
          value: /etc/ssl/certs/testca.cert.pem
 
        - comment: Ensure TLS is enforced
 
@@ -109,6 +118,7 @@
 

	
 
- hosts: all
 
  tasks:
 

	
 
    - name: Deploy CA certificate
 
      copy:
 
        src: tests/data/x509/ca.cert.pem
 
@@ -116,3 +126,11 @@
 
        owner: root
 
        group: root
 
        mode: 0644
 

	
 
- hosts: client
 
  tasks:
 

	
 
    - name: Install tool for teting TCP connectivity
 
      apt:
 
        name: hping3
 
        state: installed
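Review bot: The task name in the last hunk has a typo, `- name: Install tool for testing TCP connectivity`. The same task uses `state: installed` for the apt module; `present` is the canonical value in the module's documentation (`installed` is accepted as an alias), and it is the spelling worth standardising on as the role grows. The enclosing `- hosts: client` play ends with the hunk, so nothing else in that play is visible here.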
roles/ldap_server/tasks/main.yml
 
@@ -4,7 +4,7 @@
 
  debconf: name=slapd question=slapd/domain vtype=string value="{{ ldap_server_domain }}"
 

	
 
- name: Set organisation for slapd
 
  debconf: name=slapd question=slapd/organization vtype=string value="{{ ldap_server_organization }}"
 
  debconf: name=slapd question=shared/organization vtype=string value="{{ ldap_server_organization }}"
 

	
 
- name: Install slapd
 
  apt: name=slapd state=installed
 
@@ -61,14 +61,22 @@
 
  when: ldap_misc_schema_present.stdout == ""
 

	
 
- name: Deploy LDAP TLS private key
 
  copy: dest="/etc/ssl/private/{{ ansible_fqdn }}_ldap.key" content="{{ ldap_server_tls_key }}"
 
        mode=0640 owner=root group=openldap
 
  template:
 
    src: "ldap_tls_key.j2"
 
    dest: "/etc/ssl/private/{{ ansible_fqdn }}_ldap.key"
 
    mode: 0640
 
    owner: root
 
    group: openldap
 
  notify:
 
    - Restart slapd
 

	
 
- name: Deploy LDAP TLS certificate
 
  copy: dest="/etc/ssl/certs/{{ ansible_fqdn }}_ldap.pem" content="{{ ldap_server_tls_certificate }}"
 
        mode=0644 owner=root group=root
 
  template:
 
    src: "ldap_tls_cert.j2"
 
    dest: "/etc/ssl/certs/{{ ansible_fqdn }}_ldap.pem"
 
    mode: 0644
 
    owner: root
 
    group: root
 
  notify:
 
    - Restart slapd
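Review bot: The rewritten "Deploy LDAP TLS private key" task renders `ldap_server_tls_key` through the template module without `no_log: true`, so a run with `--diff` or a high verbosity level prints the private key material to the console and into any CI log that captures it; the replaced `copy` with `content=` had the same exposure, so this is inherited rather than introduced by the commit. Adding `no_log: true` to that task keeps the key out of the output, while the certificate task can stay as it is since its content is public. The new template files are a single expression each, so a trailing-newline difference between the deployed file and the source is possible; the tests appear to allow for that with `.rstrip()`, which is worth a short comment in the task so the next maintainer knows it is deliberate.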
 

	
roles/ldap_server/templates/ldap_tls_cert.j2
 
new file 100644
 
{{ ldap_server_tls_certificate }}
roles/ldap_server/templates/ldap_tls_key.j2
 
new file 100644
 
{{ ldap_server_tls_key }}
roles/ldap_server/tests/test_backup.py
 
new file 100644
 
import testinfra.utils.ansible_runner
 

	
 
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
 
    '.molecule/ansible_inventory').get_hosts('parameters-optional')
 

	
 

	
 
def test_database_dump_directory(File, Sudo):
 
    """
 
    Tests configuration of the directory where database dumps are stored prior
 
    to running backup.
 
    """
 

	
 
    with Sudo():
 

	
 
        directory = File('/srv/backup')
 

	
 
        assert directory.is_directory
 
        assert directory.user == 'root'
 
        assert directory.group == 'root'
 
        assert directory.mode == 0o700
 

	
 

	
 
def test_database_dump_script(File, Sudo):
 
    """
 
    Tests if database dump script is deployed correctly.
 
    """
 

	
 
    with Sudo():
 

	
 
        script = File('/etc/duply/main/pre.d/ldapdump.sh')
 

	
 
        assert script.is_file
 
        assert script.user == 'root'
 
        assert script.group == 'root'
 
        assert script.mode == 0o700
 

	
 

	
 
def test_backup(Command, File, Sudo):
 
    """
 
    Tests if LDAP directory is correctly backed-up.
 
    """
 

	
 
    with Sudo():
 

	
 
        # Remove restore directory in order to make sure restore has worked
 
        # correctly.
 
        Command("rm -rf /root/restore")
 

	
 
        backup_run = Command('duply main backup')
 
        assert backup_run.rc == 0
 

	
 
        database_dump = File('/srv/backup/slapd.bak')
 
        assert database_dump.is_file
 
        assert 'dn: dc=local' in database_dump.content
 

	
 
        restore_run = Command('duply main restore /root/restore')
 
        assert restore_run.rc == 0
 

	
 
        restored_database_dump = File('/root/restore/srv/backup/slapd.bak')
 
        assert restored_database_dump.is_file
 
        assert restored_database_dump.content == database_dump.content
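Review bot: test_backup discards the result of `Command("rm -rf /root/restore")`, so a failed removal goes unnoticed and the later `restored_database_dump` assertions could pass against a directory left over from an earlier run; `assert Command("rm -rf /root/restore").rc == 0` keeps that precondition explicit. The dump check `'dn: dc=local' in database_dump.content` only proves the file contains the base entry, so a truncated dump that still has the first entry would pass; an additional check that the dump also contains the last expected entry, or a size lower bound, would make the assertion meaningful.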
roles/ldap_server/tests/test_client.py
 
new file 100644
 
import testinfra.utils.ansible_runner
 

	
 
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
 
    '.molecule/ansible_inventory').get_hosts('client')
 

	
 

	
 
def test_connectivity(Command, Sudo):
 

	
 
    with Sudo():
 

	
 
        ping = Command('hping3 -S -p 389 -c 1 10.31.127.10')
 
        assert ping.rc == 0
 

	
 
        ping = Command('hping3 -S -p 636 -c 1 10.31.127.10')
 
        assert ping.rc == 0
 

	
 
        ping = Command('hping3 -S -p 389 -c 1 10.31.127.11')
 
        assert ping.rc == 0
 

	
 
        ping = Command('hping3 -S -p 636 -c 1 10.31.127.11')
 
        assert ping.rc == 0
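Review bot: test_connectivity only checks `ping.rc == 0` for each `hping3 -S` probe, and hping3 appears to exit 0 whenever any reply came back, so a port that answers with RST (reachable through the firewall but with nothing listening) passes the same as an open one; asserting `'flags=SA' in ping.stdout` after each call pins the SYN/ACK the firewall test is actually after. The function is also the only test in the commit without a docstring; `"""Tests if the LDAP ports on both servers are reachable from the client through the firewall."""` would match the rest of the suite. The target addresses repeat the static IPs set in molecule.yml, so a change there breaks this file silently; a short comment pointing at molecule.yml as the source of the values would help.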
roles/ldap_server/tests/test_default.py
 
@@ -2,11 +2,184 @@ import testinfra.utils.ansible_runner
 

	
 
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
 
    '.molecule/ansible_inventory').get_hosts('all')
 
testinfra_hosts.remove("client")
 

	
 

	
 
def test_hosts_file(File):
 
    f = File('/etc/hosts')
 
def test_installed_packages(Package):
 
    """
 
    Tests if all the necessary packages have been installed.
 
    """
 

	
 
    assert f.exists
 
    assert f.user == 'root'
 
    assert f.group == 'root'
 
    assert Package('slapd').is_installed
 
    assert Package('python-ldap').is_installed
 

	
 

	
 
def test_ldap_user_group(User):
 
    """
 
    Tests if LDAP server user is part of group that allows it to traverse TLS
 
    private keys directory.
 
    """
 

	
 
    assert "ssl-cert" in User('openldap').groups
 

	
 

	
 
def test_ldap_server_service_sockets_and_ports(Socket):
 
    """
 
    Tests if LDAP server has been configured to listen on correct sockets.
 
    """
 

	
 
    assert Socket('tcp://389').is_listening
 
    assert Socket('tcp://636').is_listening
 
    assert Socket('unix:///var/run/slapd/ldapi').is_listening
 

	
 

	
 
def test_ldap_server_service(Service):
 
    """
 
    Tests if the LDAP service is enabled and running.
 
    """
 

	
 
    service = Service('slapd')
 

	
 
    assert service.is_enabled
 
    assert service.is_running
 

	
 

	
 
def test_syslog_configuration(File, Sudo):
 
    """
 
    Tests if syslog configuration file has been deployed, and log file was
 
    created correctly (and is being logged to).
 
    """
 

	
 
    config = File('/etc/rsyslog.d/slapd.conf')
 
    assert config.is_file
 
    assert config.user == 'root'
 
    assert config.group == 'root'
 
    assert config.mode == 0o644
 

	
 
    with Sudo():
 
        log = File('/var/log/slapd.log')
 
        assert log.is_file
 
        assert 'slapd' in log.content
 

	
 

	
 
def test_log_rotation_configuration(File, Command, Sudo):
 
    """
 
    Tests if log rotation configuration file has been deployed correctly and has
 
    valid syntax.
 
    """
 

	
 
    config = File('/etc/logrotate.d/slapd')
 

	
 
    assert config.is_file
 
    assert config.user == 'root'
 
    assert config.group == 'root'
 
    assert config.mode == 0o644
 

	
 
    with Sudo():
 

	
 
        assert Command('logrotate /etc/logrotate.d/slapd').rc == 0
 

	
 

	
 
def test_misc_schema_presence(Command, Sudo):
 
    """
 
    Tests if the misc LDAP schema has been imported.
 
    """
 

	
 
    with Sudo():
 

	
 
        misc_schema = Command('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config dn')
 
        assert misc_schema.rc == 0
 
        assert 'dn: cn={4}misc,cn=schema,cn=config' in misc_schema.stdout
 

	
 

	
 
def test_memberof_module(Command, Sudo):
 
    """
 
    Tests if the memberof overlay has been enabled for the main database.
 
    """
 

	
 
    with Sudo():
 
        memberof = Command('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config dn')
 

	
 
        assert memberof.rc == 0
 
        assert 'dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config' in memberof.stdout
 

	
 

	
 
def test_basic_directory_structure(Command, Sudo):
 
    """
 
    Tests if the base LDAP directory structure has been set-up correctly.
 
    """
 

	
 
    with Sudo():
 

	
 
        ous = ["people", "groups", "services"]
 

	
 
        for ou in ous:
 

	
 
            entry = Command('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s base -b ou=%s,dc=local' % ou)
 

	
 
            assert entry.rc == 0
 
            assert entry.stdout == """dn: ou=%(ou)s,dc=local
 
objectClass: organizationalUnit
 
ou: %(ou)s""" % {'ou': ou}
 

	
 

	
 
def test_mail_service_entries(Command, Sudo):
 
    """
 
    Tests if the mail service entries have been set-up correctly.
 
    """
 

	
 
    with Sudo():
 

	
 
        entry = Command('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s base -b ou=mail,ou=services,dc=local')
 
        assert entry.rc == 0
 
        assert entry.stdout == """dn: ou=mail,ou=services,dc=local
 
objectClass: organizationalUnit
 
ou: mail"""
 

	
 
        entry = Command('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s base -b ou=domains,ou=mail,ou=services,dc=local')
 
        assert entry.rc == 0
 
        assert entry.stdout == """dn: ou=domains,ou=mail,ou=services,dc=local
 
objectClass: organizationalUnit
 
ou: domains"""
 

	
 
        entry = Command('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s base -b ou=aliases,ou=mail,ou=services,dc=local')
 
        assert entry.rc == 0
 
        assert entry.stdout == """dn: ou=aliases,ou=mail,ou=services,dc=local
 
objectClass: organizationalUnit
 
ou: aliases"""
 

	
 

	
 
def test_firewall_configuration_file(File, Sudo):
 
    """
 
    Tests if firewall configuration file has been deployed correctly.
 
    """
 

	
 
    with Sudo():
 

	
 
        config = File('/etc/ferm/conf.d/10-ldap.conf')
 

	
 
        assert config.is_file
 
        assert config.user == 'root'
 
        assert config.group == 'root'
 
        assert config.mode == 0o640
 

	
 

	
 
def test_admin_password(Command):
 
    """
 
    Tests if administrator password has been set correctly.
 
    """
 

	
 
    login = Command("ldapwhoami -H ldapi:/// -x -w adminpassword -D cn=admin,dc=local")
 

	
 
    assert login.rc == 0
 
    assert login.stdout == "dn:cn=admin,dc=local"
 

	
 

	
 
def test_temporary_admin_password_file_not_present(File, Sudo):
 
    """
 
    Tests if the file that temporarily contains the LDAP adminstrator password
 
    has been removed.
 
    """
 

	
 
    with Sudo():
 
        assert not File('/root/.ldap_admin_password').exists
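Review bot: `Command('logrotate /etc/logrotate.d/slapd')` in test_log_rotation_configuration runs a real rotation pass rather than a syntax check, which is a side effect on the host under test and may truncate /var/log/slapd.log that test_syslog_configuration reads, making its `'slapd' in log.content` depend on test ordering; `assert Command('logrotate -d /etc/logrotate.d/slapd').rc == 0` parses the configuration in dry-run mode, which is what the docstring's "valid syntax" describes. The `{4}` in `'dn: cn={4}misc,cn=schema,cn=config'` encodes how many schemas were loaded before misc, so the assertion breaks as soon as the role's schema list changes; matching on `misc,cn=schema,cn=config` is more stable.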
roles/ldap_server/tests/test_mandatory.py
 
new file 100644
 
import testinfra.utils.ansible_runner
 

	
 
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
 
    '.molecule/ansible_inventory').get_hosts('parameters-mandatory.local')
 

	
 

	
 
def test_base_entry(Command, Sudo):
 
    """
 
    Tests if the base entry has been created correctly.
 
    """
 

	
 
    with Sudo():
 

	
 
        base_dn = Command("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b dc=local -s base")
 

	
 
        assert base_dn.rc == 0
 
        assert "dc: local" in base_dn.stdout.split("\n")
 
        assert "o: Private" in base_dn.stdout.split("\n")
 

	
 

	
 
def test_log_level(Command, Sudo):
 
    """
 
    Tests if the logging level has been set correctly.
 
    """
 

	
 
    with Sudo():
 

	
 
        log_level = Command('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config -s base olcLogLevel')
 

	
 
        assert log_level.rc == 0
 
        assert 'olcLogLevel: 256' in log_level.stdout
 

	
 

	
 
def test_ldap_tls_private_key_file(File, Sudo):
 
    """
 
    Tests if the TLS private key has been deployed correctly.
 
    """
 

	
 
    with Sudo():
 

	
 
        key = File('/etc/ssl/private/parameters-mandatory.local_ldap.key')
 

	
 
        assert key.is_file
 
        assert key.user == 'root'
 
        assert key.group == 'openldap'
 
        assert key.mode == 0o640
 
        assert key.content == open('tests/data/x509/parameters-mandatory.local_ldap.key').read().rstrip()
 

	
 

	
 
def test_ldap_tls_certificate_file(File, Sudo):
 
    """
 
    Tests if the TLS certificate has been deployed correctly.
 
    """
 

	
 
    with Sudo():
 

	
 
        cert = File('/etc/ssl/certs/parameters-mandatory.local_ldap.pem')
 

	
 
        assert cert.is_file
 
        assert cert.user == 'root'
 
        assert cert.group == 'root'
 
        assert cert.mode == 0o644
 
        assert cert.content == open('tests/data/x509/parameters-mandatory.local_ldap.pem').read().rstrip()
 

	
 

	
 
def test_certificate_validity_check_configuration(File):
 
    """
 
    Tests if certificate validity check configuration file has been deployed
 
    correctly.
 
    """
 

	
 
    config = File('/etc/check_certificate/parameters-mandatory.local_ldap.conf')
 

	
 
    assert config.is_file
 
    assert config.user == 'root'
 
    assert config.group == 'root'
 
    assert config.mode == 0o644
 
    assert config.content == "/etc/ssl/certs/parameters-mandatory.local_ldap.pem"
 

	
 

	
 
def test_tls_configuration(Command):
 
    """
 
    Tests if the TLS has been configured correctly and works.
 
    """
 

	
 
    starttls = Command('ldapwhoami -Z -x -H ldap://parameters-mandatory.local/')
 
    assert starttls.rc == 0
 
    assert starttls.stdout == 'anonymous'
 

	
 
    tls = Command('ldapwhoami -x -H ldaps://parameters-mandatory.local/')
 
    assert tls.rc == 0
 
    assert tls.stdout == 'anonymous'
 

	
 
    old_tls_versions_disabled = Command("echo 'Q' | openssl s_client -no_tls1_2 -connect parameters-mandatory:636")
 
    assert old_tls_versions_disabled.rc != 0
 
    assert "CONNECTED" in old_tls_versions_disabled.stdout
 

	
 
    cipher = Command("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA256 -connect parameters-mandatory:636")
 
    assert cipher.rc == 0
 
    assert "ECDHE-RSA-AES128-SHA256" in cipher.stdout
 

	
 
    cipher = Command("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA -connect parameters-mandatory:636")
 
    assert cipher.rc != 0
 
    assert "ECDHE-RSA-AES128-SHA" not in cipher.stdout
 

	
 

	
 
def test_ssf_configuration(Command, Sudo):
 
    """
 
    Tests if the SSF olcSecurity configuration has been set-up correctly.
 
    """
 

	
 
    with Sudo():
 
        ssf = Command('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config olcSecurity')
 

	
 
        assert ssf.rc == 0
 
        assert "olcSecurity: ssf=128" in ssf.stdout
 

	
 

	
 
def test_permissions(Command, Sudo):
 
    """
 
    Tests if LDAP directory permissions have been set-up correctly.
 
    """
 

	
 
    with Sudo():
 
        permissions = Command("ldapsearch -o ldif-wrap=no -H ldapi:/// -Q -LLL -Y EXTERNAL -b 'olcDatabase={1}mdb,cn=config' -s base olcAccess olcAccess")
 

	
 
        expected_permissions = """olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn="cn=admin,dc=local" manage by * break
 
olcAccess: {1}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
 
olcAccess: {2}to dn.base="" by * read
 
olcAccess: {3}to * by self write by dn="cn=admin,dc=local" write by users read by * none"""
 

	
 
        assert permissions.rc == 0
 
        assert expected_permissions in permissions.stdout
 

	
 

	
 
def test_services_login_entries(Command, Sudo):
 
    """
 
    Tests if the service/consumer login entries have been set correctly.
 
    """
 

	
 
    with Sudo():
 

	
 
        entries = Command("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s one -b ou=services,dc=local '(objectClass=simpleSecurityObject)'")
 

	
 
        assert entries.rc == 0
 
        assert entries.stdout == ""
 

	
 

	
 
def test_group_entries(Command, Sudo):
 
    """
 
    Tests that no group entries have been created out-of-the-box.
 
    """
 

	
 
    with Sudo():
 

	
 
        entries = Command("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s one -b ou=groups,dc=local '(objectClass=groupOfUniqueNames)'")
 

	
 
        assert entries.rc == 0
 
        assert entries.stdout == ""
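Review bot: test_ldap_tls_private_key_file and test_ldap_tls_certificate_file read the reference files with a bare `open(...).read()`, leaving the handle to the garbage collector; `with open('tests/data/x509/parameters-mandatory.local_ldap.key') as reference:` followed by `assert key.content == reference.read().rstrip()` closes it deterministically, and the same applies to the two tests in test_optional.py. In test_tls_configuration the ldapwhoami probes target `parameters-mandatory.local` while the openssl probes use `parameters-mandatory:636`, so the test depends on two separate name resolutions; using the instance name consistently is simpler and makes a resolution failure easier to attribute. The negative cipher probe asserts `"ECDHE-RSA-AES128-SHA" not in cipher.stdout`, which is trivially true once the handshake fails, so the `rc != 0` check is the one doing the work there.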
roles/ldap_server/tests/test_optional.py
 
new file 100644
 
import testinfra.utils.ansible_runner
 

	
 
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
 
    '.molecule/ansible_inventory').get_hosts('parameters-optional')
 

	
 

	
 
def test_base_entry(Command, Sudo):
 
    """
 
    Tests if the base entry has been created correctly.
 
    """
 

	
 
    with Sudo():
 

	
 
        base_dn = Command("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b dc=local -s base")
 

	
 
        assert base_dn.rc == 0
 
        assert "dc: local" in base_dn.stdout.split("\n")
 
        assert "o: Example" in base_dn.stdout.split("\n")
 

	
 

	
 
def test_log_level(Command, Sudo):
 
    """
 
    Tests if the logging level has been set correctly.
 
    """
 

	
 
    with Sudo():
 

	
 
        log_level = Command('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config -s base olcLogLevel')
 

	
 
        assert log_level.rc == 0
 
        assert 'olcLogLevel: 0' in log_level.stdout
 

	
 

	
 
def test_ldap_tls_private_key_file(File, Sudo):
 
    """
 
    Tests if the TLS private key has been deployed correctly.
 
    """
 

	
 
    with Sudo():
 

	
 
        key = File('/etc/ssl/private/parameters-optional_ldap.key')
 

	
 
        assert key.is_file
 
        assert key.user == 'root'
 
        assert key.group == 'openldap'
 
        assert key.mode == 0o640
 
        assert key.content == open('tests/data/x509/parameters-optional.key.pem').read().rstrip()
 

	
 

	
 
def test_ldap_tls_certificate_file(File, Sudo):
 
    """
 
    Tests if the TLS certificate has been deployed correctly.
 
    """
 

	
 
    with Sudo():
 

	
 
        cert = File('/etc/ssl/certs/parameters-optional_ldap.pem')
 

	
 
        assert cert.is_file
 
        assert cert.user == 'root'
 
        assert cert.group == 'root'
 
        assert cert.mode == 0o644
 
        assert cert.content == open('tests/data/x509/parameters-optional.cert.pem').read().rstrip()
 

	
 

	
 
def test_certificate_validity_check_configuration(File):
 
    """
 
    Tests if certificate validity check configuration file has been deployed
 
    correctly.
 
    """
 

	
 
    config = File('/etc/check_certificate/parameters-optional_ldap.conf')
 

	
 
    assert config.is_file
 
    assert config.user == 'root'
 
    assert config.group == 'root'
 
    assert config.mode == 0o644
 
    assert config.content == "/etc/ssl/certs/parameters-optional_ldap.pem"
 

	
 

	
 
def test_tls_configuration(Command):
 
    """
 
    Tests if the TLS has been configured correctly and works.
 
    """
 

	
 
    ldap_starttls = Command('ldapwhoami -Z -x -H ldap://parameters-optional/')
 
    assert ldap_starttls.rc == 0
 
    assert ldap_starttls.stdout == 'anonymous'
 

	
 
    ldap_tls = Command('ldapwhoami -x -H ldaps://parameters-optional/')
 
    assert ldap_tls.rc == 0
 
    assert ldap_tls.stdout == 'anonymous'
 

	
 
    old_tls_versions_disabled = Command("echo 'Q' | openssl s_client -no_tls1_2 -connect parameters-optional:636")
 
    assert old_tls_versions_disabled.rc == 0
 
    assert "CONNECTED" in old_tls_versions_disabled.stdout
 

	
 
    cipher = Command("echo 'Q' | openssl s_client -cipher ECDHE-RSA-AES128-SHA256 -connect parameters-optional:636")
 
    assert cipher.rc == 0
 
    assert "ECDHE-RSA-AES128-SHA256" in cipher.stdout
 

	
 
    cipher = Command("echo 'Q' | openssl s_client -tls1_1 -cipher ECDHE-RSA-AES128-SHA -connect parameters-optional:636")
 
    assert cipher.rc == 0
 
    assert "ECDHE-RSA-AES128-SHA" in cipher.stdout
 

	
 

	
 
def test_ssf_configuration(Command, Sudo):
 
    """
 
    Tests if the SSF olcSecurity configuration has been set-up correctly.
 
    """
 

	
 
    with Sudo():
 
        ssf = Command('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config olcSecurity')
 

	
 
        assert ssf.rc == 0
 
        assert "olcSecurity: ssf=0" in ssf.stdout
 

	
 

	
 
def test_permissions(Command, Sudo):
 
    """
 
    Tests if LDAP directory permissions have been set-up correctly.
 
    """
 

	
 
    with Sudo():
 
        permissions = Command("ldapsearch -o ldif-wrap=no -H ldapi:/// -Q -LLL -Y EXTERNAL -b 'olcDatabase={1}mdb,cn=config' -s base olcAccess olcAccess")
 

	
 
        expected_permissions = "olcAccess: {0}to * " \
 
                               "by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage " \
 
                               "by self write by * read by dn=\"cn=admin,dc=local\" write " \
 
                               "by * none"
 

	
 
        assert permissions.rc == 0
 
        assert expected_permissions in permissions.stdout
 

	
 

	
 
def test_services_login_entries(Command, Sudo):
 
    """
 
    Tests if the service/consumer login entries have been set correctly.
 
    """
 

	
 
    with Sudo():
 

	
 
        entries = Command("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s one -b ou=services,dc=local '(objectClass=simpleSecurityObject)'")
 

	
 
        assert entries.rc == 0
 
        assert entries.stdout == """dn: cn=consumer1,ou=services,dc=local
 
objectClass: applicationProcess
 
objectClass: simpleSecurityObject
 
userPassword:: Y29uc3VtZXIxcGFzc3dvcmQ=
 
cn: consumer1
 

	
 
dn: cn=consumer2,ou=services,dc=local
 
objectClass: applicationProcess
 
objectClass: simpleSecurityObject
 
userPassword:: Y29uc3VtZXIycGFzc3dvcmQ=
 
cn: consumer2"""
 

	
 

	
 
def test_group_entries(Command, Sudo):
 
    """
 
    Tests that no group entries have been created out-of-the-box.
 
    """
 

	
 
    with Sudo():
 

	
 
        entries = Command("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s one -b ou=groups,dc=local '(objectClass=groupOfUniqueNames)'")
 

	
 
        assert entries.rc == 0
 
        assert entries.stdout == """dn: cn=group1,ou=groups,dc=local
 
objectClass: groupOfUniqueNames
 
uniqueMember: cn=NONE
 
cn: group1
 

	
 
dn: cn=group2,ou=groups,dc=local
 
objectClass: groupOfUniqueNames
 
uniqueMember: cn=NONE
 
cn: group2"""
 

	
 

	
 
def test_user_supplied_entries(Command, Sudo):
 
    """
 
    Tests if user-supplied entries are created correctly.
 
    """
 

	
 
    with Sudo():
 

	
 
        john_doe = Command("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s base -b uid=john,dc=local")
 
        assert john_doe.rc == 0
 
        assert john_doe.stdout == """dn: uid=john,dc=local
 
objectClass: inetOrgPerson
 
objectClass: simpleSecurityObject
 
userPassword:: am9obnBhc3N3b3Jk
 
cn: John Doe
 
sn: Doe
 
uid: john"""
 

	
 
        jane_doe = Command("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s base -b uid=jane,dc=local")
 
        assert jane_doe.rc == 0
 
        assert jane_doe.stdout == """dn: uid=jane,dc=local
 
objectClass: inetOrgPerson
 
objectClass: simpleSecurityObject
 
userPassword:: amFuZXBhc3N3b3Jk
 
cn: Jane Doe
 
sn: Doe
 
uid: jane"""
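Review bot: The expected `userPassword::` values in test_services_login_entries and test_user_supplied_entries are plain base64 of the fixture passwords (`Y29uc3VtZXIxcGFzc3dvcmQ=` decodes to consumer1password, `am9obnBhc3N3b3Jk` to johnpassword), so the directory is returning them unhashed; if that reflects how the role writes entries rather than a test-only choice, hashing them before they are stored (the `{SSHA}` form slappasswd produces) would be the fix, and these assertions would then need to check the attribute's presence rather than its exact value. Separately, `old_tls_versions_disabled` names the `-no_tls1_2` probe but the assertion here is `rc == 0`, so the name contradicts what it checks; `tls1_1_accepted` would read correctly in this file.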
0 comments (0 inline, 0 general)