One of the biggest challenges when working on technical problems remotely, without hands-on access to the real environment, is reproducing a similar scenario to test and troubleshoot. While numerous solutions exist, the need for a flexible and easy-to-deploy setup led me to create a pair of Ansible roles designed specifically for bringing up LDAP and SAML environments using Podman containers. This blog post outlines the approach taken and the outcomes observed.

Project Overview

The principal aim was to facilitate a straightforward setup of LDAP and SAML test environments, in my case, suited for use with the Ansible Automation Platform. The roles developed are not intended for production; instead, they serve as a tool for testing and troubleshooting authentication scenarios.

The code is available in my GitHub repository.

Prerequisites

Before diving into the specifics of implementation, the following tools and collections were required:

  • The ansible.controller collection (version 4.5.X for Controller 2.4; 4.6.X support for Gateway 2.5 is pending)
  • The containers.podman collection
  • Podman must be installed
  • Access to an instance of Ansible Automation Platform

The containerized environments rely on the following images:

  • LDAP: docker.io/osixia/openldap:1.5.0
  • SAML: docker.io/kenchan0130/simplesamlphp

Installation and Configuration

The roles feature a set of default configurations, which can be tailored to your environment needs. Below are the default parameters for LDAP:

ldap_image: docker.io/osixia/openldap:1.5.0
ldap_container_name: testldap
ldap_ports:
  - "389:389"
  - "636:636"
ldap_org: "Example Inc."
ldap_domain: "example.org"
ldap_admin_password: "admin"
ldap_bootstrap_ldif: "bootstrap.ldif"
container_bootstrap_ldif: "/ldif/50-bootstrap.ldif"
ldap_server: "ldap://10.0.0.101:389"

  • ldap_server is the Podman host serving the LDAP container

Adjustments will be necessary for ldap_server to match your hosting settings. Similar configuration steps apply for the SAML container:

idp_host: "http://10.0.0.101:8080"
entity_url: "https://192.168.122.82/sso/complete/saml/"

  • idp_host is the address of the host serving the Podman containers
  • entity_url is the address of your Ansible Automation Platform (Controller or Gateway, depending on your version)

You can invoke these roles using an Ansible playbook similar to this one:

---
- name: Run OpenLDAP container with Podman
  hosts: localhost
  become: true
  vars:
    ldap_image: docker.io/osixia/openldap:1.5.0
    ldap_container_name: testldap
    ldap_ports:
      - "389:389"
      - "636:636"
    ldap_org: "Example Inc."
    ldap_domain: "example.org"
    ldap_admin_password: "admin"
    ldap_bootstrap_ldif: "bootstrap.ldif"
    container_bootstrap_ldif: "/ldif/50-bootstrap.ldif"
    ldap_server: "ldap://10.0.0.101:389"

  tasks:
    - name: Bring up LDAP container and configure the Ansible Controller to use it
      ansible.builtin.include_role:
        name: ldap

    - name: Bring up SAML container and configure the Ansible Controller to use it
      ansible.builtin.include_role:
        name: saml
      vars:
        idp_host: "http://10.0.0.101:8080"
        entity_url: "https://192.168.122.82/sso/complete/saml/"

Use ansible-playbook or ansible-navigator to execute the playbook:

ansible-playbook main.yml

Testing and Validation

Post-deployment, four users are set up across the LDAP and SAML environments for credential testing:

username  type  password
user1     saml  user1pass
user2     saml  user2pass
user3     ldap  user3pass
user4     ldap  user4pass

By logging into your Ansible Automation Platform with these credentials, you can validate the effectiveness of the setup. For any troubleshooting, enabling ‘DEBUG’ in the Ansible Automation Platform logger settings and checking /var/log/tower/tower.log will offer insights into configuration operations.
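The LDAP role defaults above reference a bootstrap.ldif but the post does not show its contents. The following is an added example, not code from the repository, that renders such a file for the two LDAP test users from the table, deriving the base DN from ldap_domain the way osixia/openldap derives it from LDAP_DOMAIN; the ou=users layout and the attribute set are assumptions.

```python
"""Render the bootstrap LDIF for the two LDAP test users (user3, user4)."""
from typing import Dict, List

# Values taken from the role defaults on this page.
LDAP_DOMAIN = "example.org"

# Constructed test users, matching the table above (the LDAP ones).
LDAP_USERS: Dict[str, str] = {"user3": "user3pass", "user4": "user4pass"}


def base_dn_from_domain(domain: str) -> str:
    """Map a DNS domain to an LDAP suffix: example.org -> dc=example,dc=org."""
    labels = [label for label in domain.strip(".").split(".") if label]
    if not labels:
        raise ValueError("domain must contain at least one label")
    return ",".join(f"dc={label}" for label in labels)


def user_dn(uid: str, domain: str, ou: str = "users") -> str:
    """DN a client (e.g. the AAP LDAP settings) would bind as for a test user.
    The ou=users container is an assumption of this example."""
    return f"uid={uid},ou={ou},{base_dn_from_domain(domain)}"


def build_bootstrap_ldif(domain: str, users: Dict[str, str], ou: str = "users") -> str:
    """Render an LDIF creating ou=<ou> plus one inetOrgPerson per test user.
    Clear-text userPassword is fine only because these are throwaway lab accounts."""
    base_dn = base_dn_from_domain(domain)
    entries: List[str] = [
        f"dn: ou={ou},{base_dn}\nobjectClass: organizationalUnit\nou: {ou}\n"
    ]
    for uid, password in users.items():
        entries.append(
            f"dn: {user_dn(uid, domain, ou)}\n"
            "objectClass: inetOrgPerson\n"
            f"uid: {uid}\ncn: {uid}\nsn: {uid}\n"
            f"mail: {uid}@{domain}\n"
            f"userPassword: {password}\n"
        )
    return "\n".join(entries)


if __name__ == "__main__":
    # Write the file name the role's ldap_bootstrap_ldif default points at.
    with open("bootstrap.ldif", "w", encoding="utf-8") as fh:
        fh.write(build_bootstrap_ldif(LDAP_DOMAIN, LDAP_USERS))
```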

Conclusion

The methods and configurations outlined achieve a flexible, temporary setup for authentication testing with LDAP and SAML using Ansible Automation Platform. While further refinement is anticipated, including support for Ansible Automation Gateway 2.5, current implementations offer a scalable solution for development and troubleshooting environments.