salt.pillar.pillar_ldap

Use LDAP data as a Pillar source

This pillar module executes a series of LDAP searches. Data returned by these searches are aggregated, whereby data returned by later searches override data by previous searches with the same key.

The final result is merged with existing pillar data.

The configuration of this external pillar module is done via an external file which provides the actual configuration for the LDAP searches.

Configuring the LDAP ext_pillar

The basic configuration is part of the master configuration.

ext_pillar:
  - pillar_ldap: /etc/salt/master.d/pillar_ldap.yaml

Note

When placing the file in the master.d directory, make sure its name doesn't end in .conf, otherwise the salt-master process will attempt to parse its content.

Warning

Make sure this file has very restrictive permissions, as it will contain possibly sensitive LDAP credentials!

The only required key in the master configuration is pillar_ldap pointing to a file containing the actual configuration.

Configuring the LDAP searches

The file is processed using Salt's Renderers <renderers> which makes it possible to reference grains within the configuration.

Warning

When using Jinja in this file, make sure to do it in a way which prevents leaking sensitive information. A rogue minion could send arbitrary grains to trick the master into returning secret data. Use only the 'id' grain which is verified through the minion's key/cert.

Map Mode

The it-admins configuration below returns the Pillar it-admins by:

  • filtering for:
    • members of the group it-admins
    • objects with objectclass=user
  • returning the data of users (mode: map), where each user is a dictionary containing the configured string or list attributes.

    Configuration:

  salt-users:
      server:    ldap.company.tld
      port:      389
      tls:       true
      dn:        'dc=company,dc=tld
      binddn:    'cn=salt-pillars,ou=users,dc=company,dc=tld'
      bindpw:    bi7ieBai5Ano
      referrals: false
      anonymous: false
      mode:      map
      dn:        'ou=users,dc=company,dc=tld'
      filter:    '(&(memberof=cn=it-admins,ou=groups,dc=company,dc=tld)(objectclass=user))'
      attrs:
          - cn
          - displayName
          - givenName
          - sn
      lists:
          - memberOf

**Result:**
salt-users:
    - cn: cn=johndoe,ou=users,dc=company,dc=tld
      displayName: John Doe
      givenName:   John
      sn:          Doe
      memberOf:
          - cn=it-admins,ou=groups,dc=company,dc=tld
          - cn=team01,ou=groups,dc=company
    - cn: cn=janedoe,ou=users,dc=company,dc=tld
      displayName: Jane Doe
      givenName:   Jane
      sn:          Doe
      memberOf:
          - cn=it-admins,ou=groups,dc=company,dc=tld
          - cn=team02,ou=groups,dc=company

List Mode

TODO: see also _result_to_dict() documentation

salt.pillar.pillar_ldap.ext_pillar(minion_id, pillar, config_file)

Execute LDAP searches and return the aggregated data