salt.pillar.pillar_ldap

Use LDAP data as a Pillar source

This pillar module executes a series of LDAP searches. Data returned by these searches are aggregated, whereby data returned by later searches override data by previous searches with the same key.

The final result is merged with existing pillar data.

The configuration of this external pillar module is done via an external file which provides the actual configuration for the LDAP searches.

Configuring the LDAP ext_pillar

The basic configuration is part of the master configuration.

ext_pillar:
  - pillar_ldap: /etc/salt/master.d/pillar_ldap.yaml

Note

When placing the file in the master.d directory, make sure its name doesn't end in .conf, otherwise the salt-master process will attempt to parse its content.

Warning

Make sure this file has very restrictive permissions, as it will contain possibly sensitive LDAP credentials!

The only required key in the master configuration is pillar_ldap pointing to a file containing the actual configuration.

Configuring the LDAP searches

The file is processed using Salt's Renderers, which makes it possible to reference grains within the configuration.

Warning

When using Jinja in this file, make sure to do it in a way which prevents leaking sensitive information. A rogue minion could send arbitrary grains to trick the master into returning secret data. Use only the 'id' grain which is verified through the minion's key/cert.

Map Mode

The it-admins configuration below returns the Pillar it-admins by:

  • filtering for:
    - members of the group it-admins
    - objects with objectclass=user

  • returning the data of users, where each user is a dictionary containing the configured string or list attributes.

Configuration

salt-users:
  server:    ldap.company.tld
  port:      389
  tls:       true
  binddn:    'cn=salt-pillars,ou=users,dc=company,dc=tld'
  bindpw:    bi7ieBai5Ano
  referrals: false
  anonymous: false
  mode:      map
  # dn is the search base; a YAML key may appear only once per search
  dn:        'ou=users,dc=company,dc=tld'
  filter:    '(&(memberof=cn=it-admins,ou=groups,dc=company,dc=tld)(objectclass=user))'
  attrs:
    - cn
    - displayName
    - givenName
    - sn
  lists:
    - memberOf

search_order:
  - salt-users

Result

{
    'salt-users': [
        {
            'cn': 'cn=johndoe,ou=users,dc=company,dc=tld',
            'displayName': 'John Doe',
            'givenName': 'John',
            'sn': 'Doe',
            'memberOf': [
              'cn=it-admins,ou=groups,dc=company,dc=tld',
              'cn=team01,ou=groups,dc=company'
            ]
        },
        {
            'cn': 'cn=janedoe,ou=users,dc=company,dc=tld',
            'displayName': 'Jane Doe',
            'givenName': 'Jane',
            'sn': 'Doe',
            'memberOf': [
              'cn=it-admins,ou=groups,dc=company,dc=tld',
              'cn=team02,ou=groups,dc=company'
            ]
        }
    ]
}
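As an added illustration (not the pillar_ldap module's own code), the following Python models what map mode does to a search result and how search_order aggregation merges the searches, run over a constructed result set. The python-ldap result shape and the helper names are assumptions; it also shows that attributes absent from attrs and lists never reach pillar.

```python
# Added example, not code from the pillar_ldap module: it models map mode and
# the search_order aggregation described above over constructed LDAP results.
# Assumption: results have the python-ldap shape [(dn, {attr: [bytes, ...]})].

CONFIG = {
    "salt-users": {"mode": "map",
                   "attrs": ["cn", "displayName", "givenName", "sn"],
                   "lists": ["memberOf"]},
    "search_order": ["salt-users"],
}

# Constructed sample: one entry, with an attribute the config did not ask for.
CONSTRUCTED_RESULTS = {
    "salt-users": [
        ("cn=johndoe,ou=users,dc=company,dc=tld", {
            "cn": [b"cn=johndoe,ou=users,dc=company,dc=tld"],
            "displayName": [b"John Doe"],
            "givenName": [b"John"],
            "sn": [b"Doe"],
            "memberOf": [b"cn=it-admins,ou=groups,dc=company,dc=tld",
                         b"cn=team01,ou=groups,dc=company"],
            "userPassword": [b"{SSHA}constructed"],  # not requested: dropped
        }),
    ],
}

def map_entries(search_cfg, entries):
    """Map mode: one dict per entry; 'attrs' become strings, 'lists' stay
    lists. Attributes named in neither list are never copied into pillar."""
    mapped = []
    for _dn, attributes in entries:
        item = {}
        for name in search_cfg.get("attrs", []):
            if name in attributes:
                item[name] = attributes[name][0].decode("utf-8")
        for name in search_cfg.get("lists", []):
            if name in attributes:
                item[name] = [v.decode("utf-8") for v in attributes[name]]
        mapped.append(item)
    return mapped

def aggregate(config, results_by_search):
    """Walk search_order; a later search's keys override earlier ones."""
    pillar = {}
    for search in config["search_order"]:
        cfg = config[search]
        if cfg.get("mode") == "map":
            pillar.update({search: map_entries(cfg, results_by_search[search])})
    return pillar
```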
salt.pillar.pillar_ldap.ext_pillar(minion_id, pillar, config_file)

Execute LDAP searches and return the aggregated data