The purpose of this playbook is to validate the accuracy of some of the LDAP properties provided in a sitedefault.yml file. Running this playbook will try to connect to the LDAP server and fetch some of the attributes of users and groups.

Important: The tests performed here are necessary but not exhaustive. That is, you need to at least pass all the tests in this playbook, but passing them is still not a full guarantee of success, since the playbook is not yet able to check every single parameter for accuracy.
- Inventory file
  - A sample inventory file called `ldaphelper.inventory.ini` is provided with the playbook.
  - If you already know which server will host the SAS Viya Core Services, update the provided inventory accordingly, so that this server is the one running the SAS Viya LDAP Validator tests.
  - If the future SAS Viya server is not yet available, you can use the default inventory as-is, in which case the tests will be executed from the Ansible Controller itself.
- Sitedefault file
  - Two sample sitedefault files are included: `sitedefault_sample_ad.yml` and `sitedefault_sample_openldap.yml`.
  - You should provide your own customized sitedefault file. You can do so in 2 ways:
    - Update the line `sitedefault_loc: ./sitedefault_sample.yml` in the `viyaldapvalidator.yml` playbook
    - At the prompt, with an ansible override: `ansible-playbook viyaldapvalidator.yml -e 'sitedefault_loc=./sitedefault.yml'`
- Go to the same directory as the playbook:

  ```
  cd ~
  git clone https://github.com/sassoftware/viya-ark.git
  cd viya-ark/playbooks/ldap-validator/
  ```

- Update the Inventory and the `sitedefault_loc` variable, as mentioned above.
- Execute the playbook:

  ```
  cd viya-ark/playbooks/ldap-validator/
  ansible-playbook viyaldapvalidator.yml
  ```
The SAS Viya LDAP Validator Playbook will try to validate access to your LDAP in the following ways:

- try to connect to the LDAP server using the provided hostname and port
- fetch the attributes of users (5 users)
- fetch the attributes of groups (5 groups)
- fetch the attributes of the admin user provided in the `sitedefault.yml` file
Set `anonymousBind` to `true` in the `sitedefault.yml` file only if you know that the LDAP server allows anonymous access. In that case you must also set the User DN and password to empty strings to validate the connection to the LDAP server.

Otherwise, set `anonymousBind` to `false` and set the correct User DN and password values. With the correct credentials, the tool will successfully validate the connection to the LDAP server.
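The bind rule above is easy to get wrong in a hand-edited sitedefault, and a mismatch only surfaces as a failed bind once the playbook runs. The following pre-flight check is an added example (it is not part of the viya-ark project or its playbook): it takes an already-parsed sitedefault as a Python dict and reports the settings that contradict the rule, plus obvious host/port mistakes. The key path `config.application` / `sas.identities.providers.ldap.connection` and the field names `host`, `port`, `anonymousBind`, `userDN` and `password` are assumed here; the two sample documents are constructed for the example.

```python
# Added example, not part of the viya-ark playbook: pre-flight consistency
# check of the LDAP connection settings in a parsed sitedefault.yml.
# The key names below are assumptions about the sitedefault layout; in
# practice the dict would come from yaml.safe_load() of your own file.

CONN_KEY = "sas.identities.providers.ldap.connection"  # assumed key name


def ldap_connection_settings(sitedefault: dict) -> dict:
    """Return the LDAP connection section of a parsed sitedefault, or {}."""
    return sitedefault.get("config", {}).get("application", {}).get(CONN_KEY, {})


def as_bool(value) -> bool:
    """YAML may carry anonymousBind as a real bool or as 'true'/'false' text."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def check_bind_settings(sitedefault: dict) -> list:
    """Return the list of problems found; an empty list means the settings are consistent."""
    conn = ldap_connection_settings(sitedefault)
    problems = []

    # The playbook connects with host and port, so both must be usable.
    if not str(conn.get("host", "")).strip():
        problems.append("host is missing")
    try:
        port = int(conn.get("port", 0))
        if not 1 <= port <= 65535:
            problems.append("port %d is out of range" % port)
    except (TypeError, ValueError):
        problems.append("port is not an integer")

    anonymous = as_bool(conn.get("anonymousBind", False))
    user_dn = str(conn.get("userDN") or "").strip()
    password = str(conn.get("password") or "").strip()

    if anonymous:
        # Anonymous bind: both credential fields must be empty strings.
        if user_dn or password:
            problems.append("anonymousBind is true but userDN/password are not empty")
    else:
        # Authenticated bind: both credential fields are required.
        if not user_dn:
            problems.append("anonymousBind is false but userDN is empty")
        if not password:
            problems.append("anonymousBind is false but password is empty")
    return problems


# Constructed sample: an Active Directory style document with a bind account.
SAMPLE_AD = {"config": {"application": {CONN_KEY: {
    "host": "ad.example.com",
    "port": 389,
    "anonymousBind": "false",
    "userDN": "CN=svc-viya,OU=Service Accounts,DC=example,DC=com",
    "password": "placeholder-password",
}}}}

# Constructed sample: anonymous bind declared but credentials still filled in.
SAMPLE_BAD = {"config": {"application": {CONN_KEY: {
    "host": "ldap.example.com",
    "port": 389,
    "anonymousBind": True,
    "userDN": "cn=admin,dc=example,dc=com",
    "password": "placeholder-password",
}}}}


if __name__ == "__main__":
    for name, doc in (("SAMPLE_AD", SAMPLE_AD), ("SAMPLE_BAD", SAMPLE_BAD)):
        print(name, check_bind_settings(doc) or "OK")
```

Run it before `ansible-playbook`; a non-empty list points at the field to fix in the sitedefault rather than leaving you to interpret a bind failure from the playbook output.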
If all tasks come back OK (green), it means that all the tests passed. If any test fails, an error message should indicate the reason for the failure.

This is a list of future checks that should be added to this playbook:

- verify that all provided field overrides exist in the target LDAP
- confirm that SSSD or similar has been configured and that there are matching users
- support passing certificates for the connection to LDAP
Copyright (c) 2019-2021, SAS Institute Inc., Cary, NC, USA. All Rights Reserved. SPDX-License-Identifier: Apache-2.0