lvps · lvps · Apr 1, 2025 · Mar 29, 2025 · Mar 29, 2025 · Mar 29, 2025
diff --git a/.ansible-lint b/.ansible-lint
@@ -2,4 +2,7 @@
 skip_list:
   - '106'
   - '503'
-  - 'role-name'  # Cannot start with a number, which is unfortunate for a software named 389DS
+  - 'schema[meta]'  # Cannot start with a number, which is unfortunate for a software named 389DS
+
+exclude_paths:
+  - .github/
diff --git a/.github/workflows/galaxy.yml b/.github/workflows/galaxy.yml
@@ -1,6 +1,8 @@
 name: Notify Ansible Galaxy
 
 on:
+  release:
+    types: [published]
   workflow_dispatch:
 
 jobs:
@@ -10,5 +12,6 @@ jobs:
       - name: Notify Ansible Galaxy
         run: |
           curl -X POST https://galaxy.ansible.com/api/v2/notifications/ \
+               -H "Authorization: Bearer ${{ secrets.GALAXY_API_KEY }}" \
                -H "Content-Type: application/json" \
                -d '{"repository":"${{ github.repository }}"}'
diff --git a/.yamllint b/.yamllint
@@ -2,6 +2,12 @@
 extends: default
 
 rules:
+  comments:
+    min-spaces-from-content: 1
+  comments-indentation: false
+  octal-values:
+    forbid-implicit-octal: true
+    forbid-explicit-octal: true
   braces:
     max-spaces-inside: 1
     level: error

diff --git a/meta/main.yml b/meta/main.yml
@@ -7,7 +7,7 @@ galaxy_info:
     Installs 389DS LDAP server. Also configures TLS, logging, custom schema
     files, enable/disable plugins, DNA plugin for UID/GID, LDAPI and SASL PLAIN.
   license: Apache2
-  min_ansible_version: 2.10
+  min_ansible_version: "2.10"
 
   galaxy_tags:
     - ldap
@@ -16,9 +16,9 @@ galaxy_info:
   platforms:
     - name: EL
       versions:
-        - 7
-        - 8
-        - 9
+        - '7'
+        - '8'
+        - '9'
     - name: opensuse
     - name: SLES
 

diff --git a/molecule/backwards_compatibility/converge.yml b/molecule/backwards_compatibility/converge.yml
@@ -19,7 +19,7 @@
     # force the two tasks to not change.
     - name: Remove systemctl binary
       become: true
-      file:
+      ansible.builtin.file:
         path: /usr/bin/systemctl
         state: absent
       changed_when: false
@@ -32,7 +32,7 @@
     # still licensed under the Apache 2 license as opposed as the downloaded asset which is licensed under the EUPL.
     - name: Implant systemctl replacement
       become: true
-      uri:
+      ansible.builtin.uri:
         creates: /usr/local/bin/systemctl
         dest: /usr/bin/systemctl
         owner: root
@@ -43,7 +43,7 @@
       when: ansible_facts["nodename"] is search("SYSCTL")
 
     - name: Create dirsrv service dropin directory
-      file:
+      ansible.builtin.file:
         path: /etc/systemd/system/dirsrv@.service.d/
         owner: root
         group: root
@@ -52,7 +52,7 @@
 
     - name: Copy dirsrv service dropin config
       become: true
-      copy:
+      ansible.builtin.copy:
         src: dirsrv-dropin.conf
         dest: /etc/systemd/system/dirsrv@.service.d/custom.conf
         owner: root
@@ -65,7 +65,7 @@
 
   tasks:
     - name: Ensure we can access the server, for testing
-      ldap_entry:
+      community.general.ldap_entry:
         server_uri: "ldap://localhost"
         bind_dn: "{{ dirsrv_rootdn }}"
         bind_pw: "{{ dirsrv_rootdn_password }}"
@@ -76,7 +76,7 @@
         state: present
 
     - name: Ensure suffix entry exists
-      ldap_entry:
+      community.general.ldap_entry:
         server_uri: "ldap://localhost"
         bind_dn: "{{ dirsrv_rootdn }}"
         bind_pw: "{{ dirsrv_rootdn_password }}"
@@ -92,7 +92,7 @@
     # The purpose of that test is one of a coal-mine canary: if RH changes the dn of the certificate the tests
     # fail and we notice it, and can change the dn we check against accordingly rather than havin a silent fail.
     - name: Ensure no self-signed certificate has been created
-      shell:
+      ansible.builtin.shell:
         cmd: >
           set -o pipefail && \
             grep -rhsc 'CN=ssca.389ds.example.com,O=testing' /etc/dirsrv/slapd-{{ dirsrv_serverid }}/ | sort -r | uniq | head -n 1
@@ -102,7 +102,7 @@
       changed_when: false
 
     - name: Ensure TLS is disabled
-      ldap_attrs:
+      community.general.ldap_attrs:
         server_uri: "ldap://localhost"
         validate_certs: "{{ dirsrv_tls_certificate_trusted }}"
         start_tls: "{{ dirsrv_tls_enabled }}"

diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
@@ -14,7 +14,7 @@
     # force the two tasks to not change.
     - name: Remove systemctl binary
       become: true
-      file:
+      ansible.builtin.file:
         path: /usr/bin/systemctl
         state: absent
       changed_when: false
@@ -27,40 +27,40 @@
     # still licensed under the Apache 2 license as opposed as the downloaded asset which is licensed under the EUPL.
     - name: Implant systemctl replacement
       become: true
-      uri:
+      ansible.builtin.uri:
         creates: /usr/local/bin/systemctl
         dest: /usr/bin/systemctl
         owner: root
         group: root
-        mode: u=rwx,g=rx,o=rx
+        mode: '0755'
         url: https://raw.githubusercontent.com/gdraheim/docker-systemctl-replacement/1bb5768abbf68245b7b6a8bd9d6ac4df4d78044f/files/docker/systemctl.py
       changed_when: false
       when: ansible_facts["nodename"] is search("SYSCTL")
 
     - name: Create dirsrv service dropin directory
-      file:
+      ansible.builtin.file:
         path: /etc/systemd/system/dirsrv@.service.d/
         owner: root
         group: root
-        mode: "u=rwx,g=rx,o=rx"
+        mode: '0755'
         state: directory
 
     - name: Copy dirsrv service dropin config
       become: true
-      copy:
+      ansible.builtin.copy:
         src: dirsrv-dropin.conf
         dest: /etc/systemd/system/dirsrv@.service.d/custom.conf
         owner: root
         group: root
-        mode: "u=rw,g=r,o=r"
+        mode: '0644'
         force: true
 
   roles:
     - role: lvps.389ds_server
 
   tasks:
     - name: Ensure we can access the server, for testing
-      ldap_entry:
+      community.general.ldap_entry:
         server_uri: "ldap://localhost"
         bind_dn: "{{ dirsrv_rootdn }}"
         bind_pw: "{{ dirsrv_rootdn_password }}"
@@ -71,7 +71,7 @@
         state: present
 
     - name: Ensure self-signed certificate has been created
-      shell:
+      ansible.builtin.shell:
         cmd: >
           set -o pipefail && \
             grep -rhsc 'CN=ssca.389ds.example.com,O=testing' /etc/dirsrv/slapd-{{ dirsrv_serverid }}/ | sort -r | uniq | head -n 1

diff --git a/molecule/other_features/converge.yml b/molecule/other_features/converge.yml
@@ -36,7 +36,7 @@
     # force the two tasks to not change.
     - name: Remove systemctl binary
       become: true
-      file:
+      ansible.builtin.file:
         path: /usr/bin/systemctl
         state: absent
       changed_when: false
@@ -49,40 +49,40 @@
     # still licensed under the Apache 2 license as opposed as the downloaded asset which is licensed under the EUPL.
     - name: Implant systemctl replacement
       become: true
-      uri:
+      ansible.builtin.uri:
         creates: /usr/local/bin/systemctl
         dest: /usr/bin/systemctl
         owner: root
         group: root
-        mode: u=rwx,g=rx,o=rx
+        mode: '0755'
         url: https://raw.githubusercontent.com/gdraheim/docker-systemctl-replacement/1bb5768abbf68245b7b6a8bd9d6ac4df4d78044f/files/docker/systemctl.py
       changed_when: false
       when: ansible_facts["nodename"] is search("SYSCTL")
 
     - name: Create dirsrv service dropin directory
-      file:
+      ansible.builtin.file:
         path: /etc/systemd/system/dirsrv@.service.d/
         owner: root
         group: root
-        mode: "u=rwx,g=rx,o=rx"
+        mode: '0755'
         state: directory
 
     - name: Copy dirsrv service dropin config
       become: true
-      copy:
+      ansible.builtin.copy:
         src: dirsrv-dropin.conf
         dest: /etc/systemd/system/dirsrv@.service.d/custom.conf
         owner: root
         group: root
-        mode: "u=rw,g=r,o=r"
+        mode: '0644'
         force: true
 
   roles:
     - role: lvps.389ds_server
 
   tasks:
     - name: Ensure container entries exist, for testing
-      ldap_entry:
+      community.general.ldap_entry:
         server_uri: "ldap://localhost"
         bind_dn: "cn=Directory Manager"
         bind_pw: "secret"

diff --git a/molecule/tls/converge.yml b/molecule/tls/converge.yml
@@ -22,7 +22,7 @@
     # force the two tasks to not change.
     - name: Remove systemctl binary
       become: true
-      file:
+      ansible.builtin.file:
         path: /usr/bin/systemctl
         state: absent
       changed_when: false
@@ -35,46 +35,46 @@
     # still licensed under the Apache 2 license as opposed as the downloaded asset which is licensed under the EUPL.
     - name: Implant systemctl replacement
       become: true
-      uri:
+      ansible.builtin.uri:
         creates: /usr/local/bin/systemctl
         dest: /usr/bin/systemctl
         owner: root
         group: root
-        mode: u=rwx,g=rx,o=rx
+        mode: '0755'
         url: https://raw.githubusercontent.com/gdraheim/docker-systemctl-replacement/1bb5768abbf68245b7b6a8bd9d6ac4df4d78044f/files/docker/systemctl.py
       changed_when: false
       when: ansible_facts["nodename"] is search("SYSCTL")
 
     - name: Create dirsrv service dropin directory
-      file:
+      ansible.builtin.file:
         path: /etc/systemd/system/dirsrv@.service.d/
         owner: root
         group: root
-        mode: "u=rwx,g=rx,o=rx"
+        mode: '0755'
         state: directory
 
     - name: Copy dirsrv service dropin config
       become: true
-      copy:
+      ansible.builtin.copy:
         src: dirsrv-dropin.conf
         dest: /etc/systemd/system/dirsrv@.service.d/custom.conf
         owner: root
         group: root
-        mode: "u=rw,g=r,o=r"
+        mode: '0644'
         force: true
 
     # Ansible is not secure enough for a SSF of 256 for 389DS 1.4.X
     # Unfortunately we don't yet have access to dirsrv_legacy or the installed version so we need to base the condition on the CentOS version
     - name: Set minimum SSF
-      set_fact:
+      ansible.builtin.set_fact:
         dirsrv_tls_minssf: "{%if ansible_facts['distribution_major_version'] | int == 8 %}128{% else %}256{% endif %}"
 
   roles:
     - role: lvps.389ds_server
 
   tasks:
     - name: Ensure we can access the server, for testing
-      ldap_entry:
+      community.general.ldap_entry:
         server_uri: "ldap://localhost"
         bind_dn: "{{ dirsrv_rootdn }}"
         bind_pw: "{{ dirsrv_rootdn_password }}"
@@ -84,9 +84,10 @@
         validate_certs: "{{ dirsrv_tls_certificate_trusted }}"
         state: present
 
-    - block:
+    - name: Test TLS enforcement
+      block:
         - name: Ensure TLS is enforced
-          ldap_entry:
+          community.general.ldap_entry:
             server_uri: "ldap://localhost"
             bind_dn: "{{ dirsrv_rootdn }}"
             bind_pw: "{{ dirsrv_rootdn_password }}"
@@ -98,6 +99,6 @@
 
       rescue:
         - name: Assert that task failed successfully
-          assert:
+          ansible.builtin.assert:
             that:
               - "{{ dirsrv_tls_test.details }}.info == 'Minimum SSF not met.'"
diff --git a/requirements.txt b/requirements.txt
@@ -5,4 +5,6 @@ ansible-lint
 docker==5.0.0
 molecule>=3.3.3
 molecule-plugins[docker]
+six>=1.16.0
+setuptools>=67.8.0  # For distutils
 yamllint