pushing new content

Former-commit-id: 0786de7b

CICD/plays/mockldap.yml

+---
+- hosts: SQLNodes
+  vars_files: 
+  - vars/passwords.yml
+  - vars/ldapConfig.yml
+  gather_facts: true
+  tasks:
+  - include_vars: vars/passwords.yml
+  roles:
+  - { role: ldapservertest
+    , tags: [ ldapserver ], become: true }
+    
+#- hosts: ComputeNodes, LoginNodes
+#  vars_files: 
+#  - vars/passwords.yml
+#  - vars/ldapConfig.yml
+#  gather_facts: true
+#  tasks:
+#  - include_vars: vars/passwords.yml
+#  roles:
+#  - { role: ldapclient, ssl: false
+#    , tags: [ ldapclient ] }
\ No newline at end of file

roles/ldapserver/vars/CentOS_7.6_x86_64.yml

+---
+ system_packages:
+  - openldap-servers
+  - openldap-clients
+  - openssl
+ ldapuser:  ldap
+ ldapgroup: ldap
+ dbname: olcDatabase={2}hdb

roles/ldapservertest/.molecule/ansible_inventory

+[all]
+test-role-vagrant ansible_host=127.0.0.1 ansible_port=2222 ansible_ssh_private_key_file="/home/jooho/.vagrant.d/insecure_private_key" ansible_user=vagrant
+
+[group1]
+test-role-vagrant

roles/ldapservertest/.molecule/state.yml

+---
+converged: null
+created: true
+default_platform: null
+default_provider: null
+driver: vagrant
+driver_config:
+  current_platform: ubuntu
+  current_provider: virtualbox
+  instances:
+  - ansible_groups:
+    - group1
+    name: test-role-vagrant
+    vm_name: test-role-vagrant
+  platforms:
+  - box: centos/7
+    name: centos
+  - box: fedora/25-cloud-base
+    name: fedora
+  - box: ubuntu/trusty64
+    name: ubuntu
+  providers:
+  - name: virtualbox
+    options:
+      cpus: 2
+      memory: 512
+    type: virtualbox
+  raw_config_args:
+  - ssh.insert_key = false
+hosts:
+  test-role-vagrant:
+    groups:
+    - group1
+multiple_platforms: null

roles/ldapservertest/README.md

+https://github.com/Jooho/ansible-role-openldap-test-server
+
+Ansible Role: OpenLDAP Test Server
+=========
+
+This role install OpenLDAP server and put some data for test purpose.
+
+Requirements
+------------
+None
+
+Role Variables
+--------------
+
+| Name                      | Default value                         |        Requird       | Description                                                                 |
+|---------------------------|---------------------------------------|----------------------|-----------------------------------------------------------------------------|
+| temp_dir                  | /tmp/test-openldap-server             |         no           | Temp directory                                                              |
+| ldap_http_port            | 389                                   |         no           | LDAP HTTP Port                                                              |
+| ldap_https_port           | 636                                   |         no           | If ssl set true, LDAP HTTPS Port will be set                                |
+| clean_all                 | true                                  |         no           | LDAP Data reset                                                             |
+| ssl                       | false                                 |         no           | Enable SSL for LDAP Server                                                  |
+| ssl_ca_cert               | ''                                    |         no           | CA Certificate. If ssl set true, this value must be set                     |
+| ssl_cert                  | ''                                    |         no           | Server Certificate. If ssl set true, this value must be set                 |
+| ssl_private_key           | ''                                    |         no           | Server Private Key. If ssl set true, this value must be set                 |
+
+
+Dependencies
+------------
+
+None
+
+
+
+Example Playbook
+----------------
+~~~
+- name: Example Playbook
+  hosts: ldap.example.com
+  gather_facts: false
+
+  roles:
+    - { role: Jooho.openldap-test-server }
+~~~
+
+Information
+-----------
+- LDAP Password: redhat
+
+- LDAP Bind DN: cn=read-only-admin,dc=example,dc=com
+
+- LDAP Base DN: dc=example,dc=com
+
+**LDAP Test Data**
+
+|       Group     |      CN     |    OU    |    PW    |                  CN raw                    |
+|-----------------|-------------|----------|----------|--------------------------------------------|
+|  Administrators | Sue Jacobs  |  People  |  redhat  | cn=Sue Jacobs,ou=People,dc=example,dc=com  | 
+|  Administrators | Pete Minsky |  People  |  redhat  | cn=Pete Minsky,ou=People,dc=example,dc=com | 
+|  Developers     | Jooho Lee   |  People  |  redhat  | cn=Jooho Lee,ou=People,dc=example,dc=com   |
+
+
+Client Configuration
+--------------------
+The root-ca.cert.pem file will be found on ldap server vm
+
+```
+TLS_CACERTDIR /etc/openldap/cacerts
+TLS_CACERT    /etc/openldap/certs/root-ca.cert.pem
+TLS_REQCERT allow
+```
+
+
+Useful Commands
+----------------
+```
+
+ldapadd -x -w redhat -D "cn=read-only-admin,dc=example,dc=com" -f base.ldif
+
+ldapsearch -v -H ldaps://ldap.example.com -D "cn=read-only-admin,dc=example,dc=com" -w "redhat" -b "dc=example,dc=com" -o ldif-wrap=no   -vvvv
+
+ldapmodify -h ldap.example.com -p 389 -D "cn=read-only-admin,dc=example,dc=com" -f user-passwd.ldif -w redhat
+
+ldapdelete -H ldaps://ldap.example.com -D "cn=read-only-admin,dc=example,dc=com" "cn=Sue Jacobs,ou=People,dc=example,dc=com" -w redhat -vvv
+
+```
+
+
+
+References
+----------
+- [Install OpenLDAP on CentOS7](http://www.itzgeek.com/how-tos/linux/centos-how-tos/step-step-openldap-server-configuration-centos-7-rhel-7.html)
+
+- [External LDAP Test Server](http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/)
+
+
+
+License
+-------
+
+BSD/MIT
+
+Author Information
+------------------
+
+This role was created in 2017 by [Jooho Lee](http://github.com/jooho).
+

roles/ldapservertest/defaults/main.yml

+---
+# defaults file for ansible-role-test-openldap-server
+
+temp_dir: /tmp/test-openldap-server
+ldap_http_port: 389
+ldap_https_port: 636
+clean_all: true
+ssl: false
+ssl_ca_cert: ''
+ssl_cert: ''
+ssl_private_key: ''

roles/ldapservertest/files/base.ldif

+
+# example.com
+dn: dc=example,dc=com
+objectClass: top
+objectClass: dcObject
+objectClass: organization
+o: example.com
+dc: example
+
+# Group - People
+dn: ou=People,dc=example,dc=com
+changetype: add
+objectclass: top
+objectclass: organizationalUnit
+ou: People
+ou: Marketing
+
+
+# Group - Groups
+dn: ou=Groups,dc=example,dc=com
+changetype: add
+objectclass: top
+objectclass: organizationalUnit
+ou: Groups
+
+# Group - Groups-> Administrators
+dn: cn=Administrators,ou=Groups,dc=example,dc=com
+changetype: add
+objectclass: top
+objectclass: groupOfNames
+member: cn=Sue Jacobs,ou=People,dc=example,dc=com
+member: cn=Pete Minsky,ou=People,dc=example,dc=com
+cn: Administrators
+
+# Group - Groups-> Developers
+dn: cn=Developers,ou=Groups,dc=example,dc=com
+changetype: add
+objectclass: top
+objectclass: groupOfNames
+member: cn=Jooho Lee,ou=People,dc=example,dc=com
+cn: Developers
+
+# Person - People -> Jooho
+dn: cn=Jooho Lee,ou=People,dc=example,dc=com
+changetype: add
+objectclass: top
+objectclass: person
+objectclass: organizationalPerson
+objectclass: inetOrgPerson
+cn: Jooho Lee
+givenName: Jooho
+sn: Lee
+ou: People
+ou: Development
+uid: jlee
+
+# Person - People -> Pete Minsky
+dn: cn=Pete Minsky,ou=People,dc=example,dc=com
+changetype: add
+objectclass: top
+objectclass: person
+objectclass: organizationalPerson
+objectclass: inetOrgPerson
+cn: Pete Minsky
+givenName: Pete
+sn: Minsky
+ou: People
+ou: Marketing
+uid: pminsky
+
+# Person - People -> Sue Jacobs
+dn: cn=Sue Jacobs,ou=People,dc=example,dc=com
+changetype: add
+objectclass: top
+objectclass: person
+objectclass: organizationalPerson
+objectclass: inetOrgPerson
+cn: Sue Jacobs
+givenName: Sue
+sn: Jacobs
+ou: People
+ou: Marketing
+uid: sjacobs
+
+#dn: cn=accounts,ou=groups,dc=example,dc=com
+#objectClass: top
+#objectClass: posixGroup
+#gidNumber: 6001
+
+# LDAP group
+dn: cn=group1,ou=groups,dc=example,dc=com
+cn: group1
+gidnumber: 10004
+memberuid: user1
+objectclass: posixGroup
+objectclass: top
+
+
+dn: uid=user1,ou=People,dc=example,dc=com
+uid: user1
+cn: My name is user1
+objectClass: posixAccount
+objectClass: top
+objectClass: shadowAccount
+objectClass: iNetOrgPerson
+mail: testuser@foo.bar
+sn: user1
+userPassword: {SHA}PHZ8Qa+xKtoUAZDtgts/2TDi76M=
+shadowLastChange: 14791
+shadowMax: 99999
+shadowWarning: 7
+loginShell: /bin/bash
+uidNumber: 6001
+gidNumber: 100
+homeDirectory: /home/user1
+gecos: My name is user1
\ No newline at end of file

roles/ldapservertest/files/users-passwd.ldif

+dn: cn=Pete Minsky,ou=People,dc=example,dc=com
+changetype: modify
+replace: userPassword
+userPassword: redhat
+
+dn: cn=Sue Jacobs,ou=People,dc=example,dc=com
+changetype: modify
+replace: userPassword
+userPassword: redhat
+
+dn: cn=Jooho Lee,ou=People,dc=example,dc=com
+changetype: modify
+replace: userPassword
+userPassword: redhat

roles/ldapservertest/meta/main.yml

+galaxy_info:
+  author: jooho lee
+  description: This role install OpenLDAP server and put some data for test purpose.
+  company: your company (optional)
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Some suggested licenses:
+  # - BSD (default)
+  # - MIT
+  # - GPLv2
+  # - GPLv3
+  # - Apache
+  # - CC-BY
+  license: BSD/MIT
+
+  min_ansible_version: 1.2
+
+  # Optionally specify the branch Galaxy will use when accessing the GitHub
+  # repo for this role. During role install, if no tags are available,
+  # Galaxy will use this branch. During import Galaxy will access files on
+  # this branch. If travis integration is cofigured, only notification for this
+  # branch will be accepted. Otherwise, in all cases, the repo's default branch
+  # (usually master) will be used.
+  #github_branch:
+
+  #
+  # Below are all platforms currently available. Just uncomment
+  # the ones that apply to your role. If you don't see your
+  # platform on this list, let us know and we'll get it added!
+  #
+  platforms:
+  - name: EL
+    versions:
+  #  - all
+  #  - 5
+    - 6
+    - 7
+  #- name: GenericUNIX
+  #  versions:
+  #  - all
+  #  - any
+  #- name: OpenBSD
+  #  versions:
+  #  - all
+  #  - 5.6
+  #  - 5.7
+  #  - 5.8
+  #  - 5.9
+  #  - 6.0
+  - name: Fedora
+    versions:
+    - all
+  #  - 16
+  #  - 17
+  #  - 18
+  #  - 19
+  #  - 20
+  #  - 21
+  #  - 22
+  #  - 23
+  #- name: opensuse
+  #  versions:
+  #  - all
+  #  - 12.1
+  #  - 12.2
+  #  - 12.3
+  #  - 13.1
+  #  - 13.2
+  #- name: MacOSX
+  #  versions:
+  #  - all
+  #  - 10.10
+  #  - 10.11
+  #  - 10.12
+  #  - 10.7
+  #  - 10.8
+  #  - 10.9
+  #- name: IOS
+  #  versions:
+  #  - all
+  #  - any
+  #- name: Solaris
+  #  versions:
+  #  - all
+  #  - 10
+  #  - 11.0
+  #  - 11.1
+  #  - 11.2
+  #  - 11.3
+  #- name: SmartOS
+  #  versions:
+  #  - all
+  #  - any
+  #- name: eos
+  #  versions:
+  #  - all
+  #  - Any
+  #- name: Windows
+  #  versions:
+  #  - all
+  #  - 2012R2
+  #- name: Amazon
+  #  versions:
+  #  - all
+  #  - 2013.03
+  #  - 2013.09
+  #- name: GenericBSD
+  #  versions:
+  #  - all
+  #  - any
+  #- name: Junos
+  #  versions:
+  #  - all
+  #  - any
+  #- name: FreeBSD
+  #  versions:
+  #  - all
+  #  - 10.0
+  #  - 10.1
+  #  - 10.2
+  #  - 10.3
+  #  - 8.0
+  #  - 8.1
+  #  - 8.2
+  #  - 8.3
+  #  - 8.4
+  #  - 9.0
+  #  - 9.1
+  #  - 9.1
+  #  - 9.2
+  #  - 9.3
+  #- name: Ubuntu
+  #  versions:
+  #  - all
+  #  - lucid
+  #  - maverick
+  #  - natty
+  #  - oneiric
+  #  - precise
+  #  - quantal
+  #  - raring
+  #  - saucy
+  #  - trusty
+  #  - utopic
+  #  - vivid
+  #  - wily
+  #  - xenial
+  #- name: SLES
+  #  versions:
+  #  - all
+  #  - 10SP3
+  #  - 10SP4
+  #  - 11
+  #  - 11SP1
+  #  - 11SP2
+  #  - 11SP3
+  #  - 11SP4
+  #  - 12
+  #  - 12SP1
+  #- name: GenericLinux
+  #  versions:
+  #  - all
+  #  - any
+  #- name: NXOS
+  #  versions:
+  #  - all
+  #  - any
+  #- name: Debian
+  #  versions:
+  #  - all
+  #  - etch
+  #  - jessie
+  #  - lenny
+  #  - sid
+  #  - squeeze
+  #  - stretch
+  #  - wheezy
+
+  galaxy_tags: [openldap]
+    # List tags for your role here, one per line. A tag is
+    # a keyword that describes and categorizes the role.
+    # Users find roles by searching for tags. Be sure to
+    # remove the '[]' above if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of
+    # alphanumeric characters. Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line.
+  # Be sure to remove the '[]' above if you add dependencies
+  # to this list.

roles/ldapservertest/molecule.yml

+---
+dependency:
+  name: galaxy
+driver:
+  name: docker
+vagrant:
+  platforms:
+    - name: centos
+      box: centos/7
+    - name: fedora
+      box: fedora/25-cloud-base
+    - name: ubuntu
+      box: ubuntu/trusty64
+  providers:
+    - name: virtualbox
+      type: virtualbox
+      options:
+        memory: 512
+        cpus: 2
+  instances:
+    - name: test-role-vagrant
+      ansible_groups:
+        - group1
+  raw_config_args:
+     - "ssh.insert_key = false"
+docker:
+  containers:
+    - name: ansible-role-test-openldap-server
+      image: centos_docker
+      image_version: latest
+      cap_add: 
+        - 'SYS_ADMIN'
+      volume_mounts:
+        - '/sys/fs/cgroup:/sys/fs/cgroup:ro'
+      privileged: True
+      command: /sbin/init
+      ansible_groups:
+        - group1
+ansible:
+  verbose: vvvv
+  become: yes
+verifier:
+  name: testinfra

roles/ldapservertest/playbook.yml

+---
+- hosts: all
+  roles:
+    - role: ansible-role-openldap-test-server

roles/ldapservertest/tasks/.gitignore

+*.retry
+./.molecule/

roles/ldapservertest/tasks/main.yml

+---
+# tasks file for ansible-role-test-openldap-server
+
+ - name: Create {{temp_dir}}
+   file:
+     path={{temp_dir}}
+     state=directory
+
+ - name: Install OpenLDAP packages and necessary packages
+   package:
+    name: "{{item}}"
+    state: present
+   with_items:
+    - openldap
+    - compat-openldap
+    - openldap-clients
+    - openldap-servers
+    - openldap-devel
+   become: true
+
+ - name: Stop OpenLDAP Server
+   systemd:
+    name: slapd
+    state: stopped
+   when: clean_all 
+
+ - name: List OpenLDAP Files
+   command: "ls /var/lib/ldap"
+   register: ldap_files
+   when: clean_all 
+
+ - name: Remove OpenLDAP Data
+   file: path="/var/lib/ldap/{{item}}" state=absent force=true
+   with_items:
+    - "{{ldap_files.stdout_lines}}"
+   when: clean_all 
+   
+ - name: Start OpenLDAP Server
+   systemd:
+    name: slapd
+    state: started
+    enabled: True
+
+ - name: Get RootPW for openLDAP
+   shell: "slappasswd -s redhat"
+   register: ldap_root_rw
+
+ - name: Set RootPW as var
+   set_fact:
+    ROOT_PW: "{{ldap_root_rw.stdout}}"
+
+ - name: Copy db.ldif file to {{temp_dir}}
+   template: src="db.ldif.j2" dest={{temp_dir}}/db.ldif
+
+ - name: Modify ldap with db.ldif
+   shell: ldapmodify -Y EXTERNAL  -H ldapi:/// -f {{temp_dir}}/db.ldif
+
+ - name: Copy monitor.ldif to {{temp_dir}}
+   template: src="monitor.ldif.j2" dest={{temp_dir}}/monitor.ldif
+
+ - name: Modify ldap with monitor.ldif
+   shell: ldapmodify -Y EXTERNAL  -H ldapi:/// -f {{temp_dir}}/monitor.ldif
+
+ - name: Apply SSL
+   block:
+    - name: Copy certs.ldif to {{temp_dir}}
+      template: src="certs.ldif.j2" dest={{temp_dir}}/certs.ldif
+
+    - name: Copy Cert to /etc/openldap/certs/
+      copy: src={{ssl_cert}} dest=/etc/openldap/certs/{{ssl_cert|basename}} owner=ldap group=ldap
+
+    - name: Copy CA Cert to /etc/openldap/certs
+      copy: src={{ssl_ca_cert}} dest=/etc/openldap/certs/{{ssl_ca_cert|basename}} owner=ldap group=ldap 
+
+    - name: Copy Private key to /etc/openldap/certs
+      copy: src={{ssl_private_key}} dest=/etc/openldap/certs/{{ssl_private_key|basename}} owner=ldap group=ldap
+
+    - name: Add ldaps:// into /etc/sysconfig/slapd
+      lineinfile:
+       path: /etc/sysconfig/slapd
+       regexp: 'ldap:\/\/\/'
+       line: 'SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"'
+
+    - name: Modify ldap with certs.ldif
+      shell: ldapmodify -Y EXTERNAL  -H ldapi:/// -f {{temp_dir}}/certs.ldif
+
+    - name: Start OpenLDAP Server
+      systemd:
+       name: slapd
+       state: restarted
+   when: ssl
+   
+ - name: Test LDAP server
+   shell: slaptest -u
+   when: ssl
+
+ - name: Check if cosine/nis/inetorgperson data exist(1)
+   shell: "ldapsearch -Y EXTERNAL -H ldapi:/// -b \"cn=schema,cn=config\" |egrep '^cn(.*cosine|.*nis|.*inetorgperson)'> ldapsearch_cosine_nis_inet"
+   ignore_errors: yes
+
+ - name: Check if cosine/nis/inetorgperson data exist(2)
+   shell: "cat ldapsearch_cosine_nis_inet|wc -l"
+   register: default_data_exist
+
+ - name: Setup ldap with default example ldif files
+   copy: src=/usr/share/openldap-servers/DB_CONFIG.example dest=/var/lib/ldap/DB_CONFIG remote_src=yes 
+
+ - name: Change UID/GID of /var/lib/ldap/*
+   file:
+    path: /var/lib/ldap
+    owner: ldap
+    group: ldap
+    recurse: yes
+
+ - name: Add cosine/nis/inetoragperson ldif to ldap server
+   shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/{{item}}
+   with_items:
+     - cosine.ldif
+     - nis.ldif
+     - inetorgperson.ldif
+   when: default_data_exist.stdout|int < 3
+
+ - name: Copy base.ldif to {{temp_dir}} > this is the default user/group data
+   copy: src=base.ldif dest="{{temp_dir}}/base.ldif"
+   
+ - name: Add the default user/group data with base.ldif 
+   shell: ldapadd -x -w redhat -D "cn=read-only-admin,dc=example,dc=com" -f {{temp_dir}}/base.ldif 
+
+ - name: Copy user-passwd.ldif to {{temp_dir}}
+   copy: src=users-passwd.ldif dest="{{temp_dir}}/users-passwd.ldif"
+
+ - name: Modify pw of users
+   shell: ldapadd -x -w redhat -D "cn=read-only-admin,dc=example,dc=com" -f {{temp_dir}}/users-passwd.ldif
+
+# - name: Firewalld add rule for ldap
+#

roles/ldapservertest/templates/certs.ldif.j2

+dn: cn=config
+changetype: modify
+replace: olcTLSCertificateFile
+olcTLSCertificateFile: /etc/openldap/certs/{{ssl_cert|basename}}
+-
+replace: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: /etc/openldap/certs/{{ssl_private_key|basename}}
+-
+replace: olcTLSCACertificateFile
+olcTLSCACertificateFile: /etc/openldap/certs/{{ssl_ca_cert|basename}}

roles/ldapservertest/templates/db.ldif.j2

+dn: olcDatabase={2}hdb,cn=config
+changetype: modify
+replace: olcSuffix
+olcSuffix: dc=example,dc=com
+
+dn: olcDatabase={2}hdb,cn=config
+changetype: modify
+replace: olcRootDN
+olcRootDN: cn=read-only-admin,dc=example,dc=com
+
+dn: olcDatabase={2}hdb,cn=config
+changetype: modify
+replace: olcRootPW
+olcRootPW: {{ROOT_PW}}

roles/ldapservertest/templates/monitor.ldif.j2

+dn: olcDatabase={1}monitor,cn=config
+changetype: modify
+replace: olcAccess
+olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" read by dn.base="cn=read-only-admin,dc=example,dc=com" read by * none

roles/ldapservertest/tests/test_default.py

+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+    '.molecule/ansible_inventory').get_hosts('all')
+
+
+def test_hosts_file(File):
+    f = File('/etc/hosts')
+
+    assert f.exists
+    assert f.user == 'root'
+    assert f.group == 'root'