| Dir : /proc/self/root/opt/saltstack/salt/lib/python3.10/site-packages/salt/pillar/ |
| Server: Linux ngx353.inmotionhosting.com 4.18.0-553.22.1.lve.1.el8.x86_64 #1 SMP Tue Oct 8 15:52:54 UTC 2024 x86_64 IP: 209.182.202.254 |
| Dir : //proc/self/root/opt/saltstack/salt/lib/python3.10/site-packages/salt/pillar/pillar_ldap.py |
"""
Use LDAP data as a Pillar source
This pillar module executes a series of LDAP searches.
Data returned by these searches are aggregated, whereby data returned by later
searches override data by previous searches with the same key.
The final result is merged with existing pillar data.
The configuration of this external pillar module is done via an external
file which provides the actual configuration for the LDAP searches.
===============================
Configuring the LDAP ext_pillar
===============================
The basic configuration is part of the `master configuration
<master-configuration-ext-pillar>`_.
.. code-block:: yaml
ext_pillar:
- pillar_ldap: /etc/salt/master.d/pillar_ldap.yaml
.. note::
When placing the file in the ``master.d`` directory, make sure its name
doesn't end in ``.conf``, otherwise the salt-master process will attempt
to parse its content.
.. warning::
Make sure this file has very restrictive permissions, as it will contain
possibly sensitive LDAP credentials!
The only required key in the master configuration is ``pillar_ldap`` pointing
to a file containing the actual configuration.
Configuring the LDAP searches
=============================
The file is processed using `Salt's Renderers <renderers>` which makes it
possible to reference grains within the configuration.
.. warning::
When using Jinja in this file, make sure to do it in a way which prevents
leaking sensitive information. A rogue minion could send arbitrary grains
to trick the master into returning secret data.
Use only the 'id' grain which is verified through the minion's key/cert.
Map Mode
--------
The ``it-admins`` configuration below returns the Pillar ``it-admins`` by:
- filtering for:
- members of the group ``it-admins``
- objects with ``objectclass=user``
- returning the data of users, where each user is a dictionary containing the
configured string or list attributes.
Configuration
*************
.. code-block:: yaml
salt-users:
server: ldap.company.tld
port: 389
tls: true
dn: 'dc=company,dc=tld'
binddn: 'cn=salt-pillars,ou=users,dc=company,dc=tld'
bindpw: bi7ieBai5Ano
referrals: false
anonymous: false
mode: map
dn: 'ou=users,dc=company,dc=tld'
filter: '(&(memberof=cn=it-admins,ou=groups,dc=company,dc=tld)(objectclass=user))'
attrs:
- cn
- displayName
- givenName
- sn
lists:
- memberOf
search_order:
- salt-users
Result
******
.. code-block:: python
{
'salt-users': [
{
'cn': 'cn=johndoe,ou=users,dc=company,dc=tld',
'displayName': 'John Doe'
'givenName': 'John'
'sn': 'Doe'
'memberOf': [
'cn=it-admins,ou=groups,dc=company,dc=tld',
'cn=team01,ou=groups,dc=company'
]
},
{
'cn': 'cn=janedoe,ou=users,dc=company,dc=tld',
'displayName': 'Jane Doe',
'givenName': 'Jane',
'sn': 'Doe',
'memberOf': [
'cn=it-admins,ou=groups,dc=company,dc=tld',
'cn=team02,ou=groups,dc=company'
]
}
]
}
"""
import logging
import os
import jinja2
import salt.utils.data
from salt.exceptions import SaltInvocationError
try:
import ldap # pylint: disable=W0611
HAS_LDAP = True
except ImportError:
HAS_LDAP = False
# Set up logging
log = logging.getLogger(__name__)
def __virtual__():
"""
Only return if ldap module is installed
"""
if HAS_LDAP:
return "pillar_ldap"
else:
return False
def _render_template(config_file):
"""
Render config template, substituting grains where found.
"""
dirname, filename = os.path.split(config_file)
env = jinja2.Environment(loader=jinja2.FileSystemLoader(dirname))
template = env.get_template(filename)
return template.render(__grains__)
def _config(name, conf, default=None):
"""
Return a value for 'name' from the config file options. If the 'name' is
not in the config, the 'default' value is returned. This method converts
unicode values to str type under python 2.
"""
try:
value = conf[name]
except KeyError:
value = default
return salt.utils.data.decode(value, to_str=True)
def _result_to_dict(data, result, conf, source):
"""
Aggregates LDAP search result based on rules, returns a dictionary.
Rules:
Attributes tagged in the pillar config as 'attrs' or 'lists' are
scanned for a 'key=value' format (non matching entries are ignored.
Entries matching the 'attrs' tag overwrite previous values where
the key matches a previous result.
Entries matching the 'lists' tag are appended to list of values where
the key matches a previous result.
All Matching entries are then written directly to the pillar data
dictionary as data[key] = value.
For example, search result:
{ saltKeyValue': ['ntpserver=ntp.acme.local', 'foo=myfoo'],
'saltList': ['vhost=www.acme.net', 'vhost=www.acme.local'] }
is written to the pillar data dictionary as:
{ 'ntpserver': 'ntp.acme.local', 'foo': 'myfoo',
'vhost': ['www.acme.net', 'www.acme.local'] }
"""
attrs = _config("attrs", conf) or []
lists = _config("lists", conf) or []
dict_key_attr = _config("dict_key_attr", conf) or "dn"
# TODO:
# deprecate the default 'mode: split' and make the more
# straightforward 'mode: map' the new default
mode = _config("mode", conf) or "split"
if mode == "map":
data[source] = []
for record in result:
ret = {}
if "dn" in attrs or "distinguishedName" in attrs:
log.debug("dn: %s", record[0])
ret["dn"] = record[0]
record = record[1]
log.debug("record: %s", record)
for key in record:
if key in attrs:
for item in record.get(key):
ret[key] = item
if key in lists:
ret[key] = record.get(key)
data[source].append(ret)
elif mode == "dict":
data[source] = {}
for record in result:
ret = {}
distinguished_name = record[0]
log.debug("dn: %s", distinguished_name)
if "dn" in attrs or "distinguishedName" in attrs:
ret["dn"] = distinguished_name
record = record[1]
log.debug("record: %s", record)
for key in record:
if key in attrs:
for item in record.get(key):
ret[key] = item
if key in lists:
ret[key] = record.get(key)
if dict_key_attr in ["dn", "distinguishedName"]:
dict_key = distinguished_name
else:
dict_key = ",".join(sorted(record.get(dict_key_attr, [])))
try:
data[source][dict_key].append(ret)
except KeyError:
data[source][dict_key] = [ret]
elif mode == "split":
for key in result[0][1]:
if key in attrs:
for item in result.get(key):
skey, sval = item.split("=", 1)
data[skey] = sval
elif key in lists:
for item in result.get(key):
if "=" in item:
skey, sval = item.split("=", 1)
if skey not in data:
data[skey] = [sval]
else:
data[skey].append(sval)
return data
def _do_search(conf):
"""
Builds connection and search arguments, performs the LDAP search and
formats the results as a dictionary appropriate for pillar use.
"""
# Build LDAP connection args
connargs = {}
for name in ["server", "port", "tls", "binddn", "bindpw", "anonymous"]:
connargs[name] = _config(name, conf)
if connargs["binddn"] and connargs["bindpw"]:
connargs["anonymous"] = False
# Build search args
try:
_filter = conf["filter"]
except KeyError:
raise SaltInvocationError("missing filter")
_dn = _config("dn", conf)
scope = _config("scope", conf)
_lists = _config("lists", conf) or []
_attrs = _config("attrs", conf) or []
_dict_key_attr = _config("dict_key_attr", conf, "dn")
attrs = _lists + _attrs + [_dict_key_attr]
if not attrs:
attrs = None
# Perform the search
try:
result = __salt__["ldap.search"](_filter, _dn, scope, attrs, **connargs)[
"results"
]
except IndexError: # we got no results for this search
log.debug("LDAP search returned no results for filter %s", _filter)
result = {}
except Exception: # pylint: disable=broad-except
log.critical("Failed to retrieve pillar data from LDAP:\n", exc_info=True)
return {}
return result
def ext_pillar(
minion_id, pillar, config_file # pylint: disable=W0613 # pylint: disable=W0613
):
"""
Execute LDAP searches and return the aggregated data
"""
config_template = None
try:
config_template = _render_template(config_file)
except jinja2.exceptions.TemplateNotFound:
log.debug("pillar_ldap: missing configuration file %s", config_file)
except Exception: # pylint: disable=broad-except
log.debug(
"pillar_ldap: failed to render template for %s", config_file, exc_info=True
)
if not config_template:
# We don't have a config file
return {}
import salt.utils.yaml
try:
opts = salt.utils.yaml.safe_load(config_template) or {}
opts["conf_file"] = config_file
except Exception as err: # pylint: disable=broad-except
log.warning(
"pillar_ldap: error parsing configuration file: %s - %s", config_file, err
)
return {}
else:
if not isinstance(opts, dict):
log.warning(
"pillar_ldap: %s is invalidly formatted, must be a YAML "
"dictionary. See the documentation for more information.",
config_file,
)
return {}
if "search_order" not in opts:
log.warning(
"pillar_ldap: search_order missing from configuration. See the "
"documentation for more information."
)
return {}
data = {}
for source in opts["search_order"]:
config = opts[source]
result = _do_search(config)
log.debug("source %s got result %s", source, result)
if result:
data = _result_to_dict(data, result, config, source)
return data