Use LDAP data as a Pillar source
This pillar module executes a series of LDAP searches. The data returned by these searches is aggregated: when a later search returns a key that an earlier search already returned, the later value overrides the earlier one.
The final result is merged with existing pillar data.
The configuration of this external pillar module is done via an external file which provides the actual configuration for the LDAP searches.
The basic configuration is part of the master configuration.
    ext_pillar:
      - pillar_ldap: /etc/salt/master.d/pillar_ldap.yaml
Note

When placing the file in the master.d directory, make sure its name doesn't end in .conf, otherwise the salt-master process will attempt to parse its content as master configuration.

Warning

Make sure this file has very restrictive permissions (readable only by the user the salt-master process runs as), since it will contain possibly sensitive LDAP credentials such as the bind password!
The only required key in the master configuration is pillar_ldap, pointing to the file that contains the actual configuration.

The file is processed using Salt's Renderers, which makes it possible to reference grains within the configuration.
Warning

When using Jinja in this file, make sure to do it in a way which prevents leaking sensitive information. Grains are reported by the minion itself, so a rogue minion could send arbitrary grain values to trick the master into running a search that returns secret data. Use only the 'id' grain, which is verified through the minion's key/cert.
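The following added example (not part of Salt or of this page) shows the difference between a filter that trusts an arbitrary grain and one that keys the search on the verified 'id' grain. It also escapes the value per RFC 4515 before it is placed inside the filter, because a plain string substitution lets LDAP metacharacters change the meaning of the search. Salt renders the real configuration file with its Jinja renderer; the render_filter function here is a stand-in that handles only the two placeholder forms it uses, the ldap_escape filter name is hypothetical (Salt does not ship it under that name), and the grain values are constructed sample data.

```python
import re

# RFC 4515 escaping for values placed inside an LDAP search filter.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def ldap_filter_escape(value):
    """Escape a string so it is matched literally inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in str(value))


# Matches {{ grain }} and {{ grain | ldap_escape }}. 'ldap_escape' is a
# hypothetical filter name used in this example only.
_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*(\|\s*ldap_escape\s*)?\}\}")


def render_filter(template, grains):
    """Stand-in for the renderer pass: substitute grain values into the template."""

    def substitute(match):
        name, escaped = match.group(1), match.group(2)
        value = str(grains[name])
        return ldap_filter_escape(value) if escaped else value

    return _PLACEHOLDER.sub(substitute, template)


def referenced_grains(template):
    """Names of all grains a template reads."""
    return {m.group(1) for m in _PLACEHOLDER.finditer(template)}


def untrusted_grains(template):
    """Grains the template reads that the minion can set freely; only 'id' is verified."""
    return referenced_grains(template) - {"id"}


# Unsafe: the group is taken from 'role', which any minion can report as it likes.
UNSAFE_FILTER = (
    "(&(memberof=cn={{ role }},ou=groups,dc=company,dc=tld)(objectclass=user))"
)

# Safer: the search is keyed on the verified 'id' grain, escaped before use.
SAFE_FILTER = "(&(cn={{ id | ldap_escape }})(objectclass=device))"

# Constructed sample grains: the same host, once honest and once lying about its role.
HONEST_GRAINS = {"id": "web01.company.tld", "role": "webserver"}
ROGUE_GRAINS = {"id": "web01.company.tld", "role": "it-admins"}


if __name__ == "__main__":
    print(render_filter(UNSAFE_FILTER, HONEST_GRAINS))
    print(render_filter(UNSAFE_FILTER, ROGUE_GRAINS))  # rogue minion now reads it-admins data
    print(render_filter(SAFE_FILTER, HONEST_GRAINS))
    print(render_filter(SAFE_FILTER, {"id": "*)(objectclass=*"}))  # metacharacters neutralised
    print(untrusted_grains(UNSAFE_FILTER))
```

Running untrusted_grains over the rendered template is a cheap check to add to a master deployment pipeline: any name it returns is a grain the minion controls, and the search result will be handed back to that same minion.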
The salt-users configuration below returns the Pillar salt-users by:

- filtering for:
    - membership in the group it-admins
    - objectclass user
- returning the data of the matching users (mode: map), where each user is a dictionary containing the configured string attributes (attrs) and list attributes (lists).
Configuration:
    salt-users:
      server:    ldap.company.tld
      port:      389
      tls:       true
      # dn: 'dc=company,dc=tld'
      # The line above duplicated the 'dn' key; 'dn' is the search base and is set once, below.
      binddn:    'cn=salt-pillars,ou=users,dc=company,dc=tld'
      bindpw:    bi7ieBai5Ano
      referrals: false
      anonymous: false
      mode:      map
      dn:        'ou=users,dc=company,dc=tld'
      filter:    '(&(memberof=cn=it-admins,ou=groups,dc=company,dc=tld)(objectclass=user))'
      attrs:
        - cn
        - displayName
        - givenName
        - sn
      lists:
        - memberOf
Result:

    salt-users:
      - cn: cn=johndoe,ou=users,dc=company,dc=tld
        displayName: John Doe
        givenName: John
        sn: Doe
        memberOf:
          - cn=it-admins,ou=groups,dc=company,dc=tld
          - cn=team01,ou=groups,dc=company
      - cn: cn=janedoe,ou=users,dc=company,dc=tld
        displayName: Jane Doe
        givenName: Jane
        sn: Doe
        memberOf:
          - cn=it-admins,ou=groups,dc=company,dc=tld
          - cn=team02,ou=groups,dc=company