computer-playbook/roles/web-app-xwiki/tasks/02_validation.yml

- name: "ASSERT | Only one auth backend (OIDC or LDAP) may be enabled"
  assert:
    that:
      - not ((XWIKI_OIDC_ENABLED | bool) and (XWIKI_LDAP_ENABLED | bool))
    fail_msg: >-
      Invalid auth configuration: both OIDC and LDAP are enabled
      (features.oidc={{ XWIKI_OIDC_ENABLED }}, features.ldap={{ XWIKI_LDAP_ENABLED }}).
      Enable only one, or disable both to use native/superadmin login.
    success_msg: "Auth config OK: OIDC={{ XWIKI_OIDC_ENABLED }}, LDAP={{ XWIKI_LDAP_ENABLED }}."