Name: ldap-sysaccount
Category: service
Type: docker
Channel: community

Creates LDAP system users (accounts that a service uses to connect to LDAP and search for application users).

Command

The ldap-sysaccount role is called in the context of a particular <service> to create the LDAP system user that the service later uses to connect to LDAP.

athena-services <service>

Infrastructure requirements

Preconditions

athena-infrastructure backoffice

Service Requirements

Preconditions

athena-services freeipa

Parameters

  • ldap_user - LDAP system user name (for example: gateway.ldap)

Secrets

Please see platform secrets for more details.

  • passwords/users/<owner>-<env>-<ldap_user> - <ldap_user> password (for example ~/git/athena/ansible-data-nft/passwords/users/athena-nft-gateway.ldap)

Example

In the Backoffice host play, before installing gateway:

    - role: ldap-sysaccount
      ldap_user: "{{ gateway_ldap_user }}"
      tags:
        - gateway

Testing connectivity

Substitute <service>, <owner>, <environment> and the domain labels <route53domain1>, <route53domain2> as necessary.

In Athena client console:

PASS=$(cat $ANSIBLE_DATA/passwords/users/<owner>-<environment>-<service>.ldap) && ldapsearch -h ldap.service.consul -p 20389 -c -x -D "uid=<service>.ldap,cn=sysaccounts,cn=etc,dc=<route53domain1>,dc=<route53domain2>" -w "$PASS" -b "cn=users,cn=accounts,dc=<route53domain1>,dc=<route53domain2>" -o ldif-wrap=512

For example:

PASS=$(cat $ANSIBLE_DATA/passwords/users/athena-nft-gateway.ldap) && ldapsearch -h ldap.service.consul -p 20389 -c -x -D "uid=gateway.ldap,cn=sysaccounts,cn=etc,dc=athenapaas,dc=com" -w "$PASS" -b "cn=users,cn=accounts,dc=athenapaas,dc=com" -o ldif-wrap=512
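The substitution rule above, as an added helper script that is not part of the role: it derives the bind DN and search base from the service name and the DNS domain (any number of labels, not only the two-label form shown above) and wraps the same ldapsearch check. ldap.service.consul, port 20389 and the password-file layout are taken from this page; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not part of the ldap-sysaccount role): FreeIPA DN helpers
# for a service's LDAP system account, plus the connectivity check above.

# dns_to_dc athenapaas.com  ->  dc=athenapaas,dc=com   (works for any label count)
dns_to_dc() {
    printf '%s' "$1" | awk -F. '{ for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i }'
}

# sysaccount_dn <service> <domain>  ->  uid=<service>.ldap,cn=sysaccounts,cn=etc,dc=...
sysaccount_dn() {
    printf 'uid=%s.ldap,cn=sysaccounts,cn=etc,%s' "$1" "$(dns_to_dc "$2")"
}

# users_base <domain>  ->  cn=users,cn=accounts,dc=...  (the subtree the service searches)
users_base() {
    printf 'cn=users,cn=accounts,%s' "$(dns_to_dc "$1")"
}

# password_file <owner> <env> <service>  ->  $ANSIBLE_DATA/passwords/users/<owner>-<env>-<service>.ldap
password_file() {
    printf '%s/passwords/users/%s-%s-%s.ldap' "${ANSIBLE_DATA:?set ANSIBLE_DATA}" "$1" "$2" "$3"
}

# check_sysaccount <owner> <env> <service> <domain>
# Same check as the manual command above. Returns ldapsearch's exit status,
# which is the LDAP result code (0 = bind and search succeeded,
# 49 = Invalid credentials, i.e. wrong password or bind DN).
check_sysaccount() {
    pwfile=$(password_file "$1" "$2" "$3")
    [ -r "$pwfile" ] || { echo "password file not readable: $pwfile" >&2; return 2; }
    PASS=$(cat "$pwfile")
    # -w exposes the password in the process list on the client host; -y <file>
    # avoids that but uses the file's full contents, including any trailing
    # newline, so the secret file must be written without one to use it.
    ldapsearch -h ldap.service.consul -p 20389 -c -x \
        -D "$(sysaccount_dn "$3" "$4")" -w "$PASS" \
        -b "$(users_base "$4")" -o ldif-wrap=512
}
```

Run `check_sysaccount athena nft gateway athenapaas.com` to reproduce the example command above.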