diff --git a/roles/ldap_server/playbook.yml b/roles/ldap_server/playbook.yml
new file mode 100644
index 0000000000000000000000000000000000000000..6c5847d3999cf876ec6ac4accbb0a1b3e95fdfa2
--- /dev/null
+++ b/roles/ldap_server/playbook.yml
@@ -0,0 +1,118 @@
+---
+
+- hosts: all
+ tasks:
+
+ - name: Update all caches to avoid errors due to missing remote archives
+ apt:
+ update_cache: yes
+
+- hosts: parameters-mandatory.local
+ roles:
+ - role: ldap_server
+ ldap_admin_password: adminpassword
+
+ # common vars (not the role, global common)
+ tls_private_key_dir: tests/data/x509/
+ tls_certificate_dir: tests/data/x509/
+
+- hosts: parameters-optional
+ roles:
+ - role: backup_server
+ backup_host_ssh_private_keys:
+ dsa: "{{ lookup('file', 'tests/data/ssh/server_dsa') }}"
+ rsa: "{{ lookup('file', 'tests/data/ssh/server_rsa') }}"
+ ed25519: "{{ lookup('file', 'tests/data/ssh/server_ed25519') }}"
+ ecdsa: "{{ lookup('file', 'tests/data/ssh/server_ecdsa') }}"
+ backup_clients:
+ - server: backup
+ ip: 127.0.0.1
+ public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"
+
+- hosts: parameters-optional
+ roles:
+ - role: ldap_server
+ ldap_admin_password: adminpassword
+ ldap_entries:
+ - dn: uid=john,dc=local
+ attributes:
+ objectClass:
+ - inetOrgPerson
+ - simpleSecurityObject
+ userPassword: johnpassword
+ uid: john
+ cn: John Doe
+ sn: Doe
+ - dn: uid=jane,dc=local
+ attributes:
+ objectClass:
+ - inetOrgPerson
+ - simpleSecurityObject
+ userPassword: janepassword
+ uid: jane
+ cn: Jane Doe
+ sn: Doe
+
+ ldap_permissions:
+ - >
+ to *
+ by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
+ by self write
+ by * read
+ by dn="cn=admin,dc=local" write
+ by * none
+
+ ldap_server_consumers:
+ - name: consumer1
+ password: consumer1password
+ - name: consumer2
+ password: consumer2password
+ state: present
+ - name: consumer3
+ password: consumer3password
+ state: absent
+
+ ldap_server_groups:
+ - name: group1
+ - name: group2
+ state: present
+ - name: group3
+ state: absent
+
+ ldap_server_domain: "local"
+ ldap_server_organization: "Example"
+ ldap_server_log_level: 0
+ ldap_server_tls_certificate: "{{ lookup('file', 'tests/data/x509/parameters-optional.cert.pem') }}"
+ ldap_server_tls_key: "{{ lookup('file', 'tests/data/x509/parameters-optional.key.pem') }}"
+ ldap_server_ssf: 0
+ ldap_tls_ciphers: "NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA1:+SHA256:+SHA384:+AEAD:+AES-128-GCM:+AES-128-CBC:+AES-256-GCM:+AES-256-CBC:+CURVE-ALL"
+
+ # ldap_client
+ ldap_client_config:
+ - comment: Set-up CA truststore
+ option: TLS_CACERT
+ value: /etc/ssl/certs/testca.cert.pem
+ - comment: Ensure TLS is enforced
+ option: TLS_REQCERT
+ value: demand
+
+ # backup_client
+ enable_backup: yes
+ backup_encryption_key: "{{ lookup('file', 'tests/data/gnupg/parameters-optional.asc') }}"
+ backup_server: localhost
+ backup_server_host_ssh_public_keys:
+ - "{{ lookup('file', 'tests/data/ssh/server_dsa.pub') }}"
+ - "{{ lookup('file', 'tests/data/ssh/server_rsa.pub') }}"
+ - "{{ lookup('file', 'tests/data/ssh/server_ed25519.pub') }}"
+ - "{{ lookup('file', 'tests/data/ssh/server_ecdsa.pub') }}"
+ backup_ssh_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional' ) }}"
+
+- hosts: all
+ tasks:
+ - name: Deploy CA certificate
+ copy:
+ src: tests/data/x509/ca.cert.pem
+ dest: /etc/ssl/certs/testca.cert.pem
+ owner: root
+ group: root
+ mode: 0644
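Review bot: The `ldap_client_config` entries in the second parameters-optional play set `TLS_CACERT` to `/etc/ssl/certs/testca.cert.pem` with `TLS_REQCERT: demand`, yet that file is only written by the `Deploy CA certificate` play at the very end of the file, so any TLS LDAP connection the ldap_server role opens while applying `ldap_entries`, `ldap_server_consumers` or `ldap_server_groups` would be validated against a truststore that does not exist yet. Moving the `Deploy CA certificate` play up to directly after the `apt` play removes the ordering dependency; I cannot see the role, so confirm whether it actually connects over TLS during the run before relying on the current order. Separately, `mode: 0644`, `update_cache: yes` and `enable_backup: yes` depend on YAML 1.1 implicit typing; `mode: "0644"` and `true` are the forms Ansible documents and ansible-lint expects. The `ldap_admin_password`, `userPassword` and consumer `password` values are plaintext fixtures, which is fine for a test playbook, but a comment such as `# test-only credentials; paired with the throwaway keys under tests/data/` beside the first one would make that intent explicit to readers.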