salt.states.ldap
Manage entries in an LDAP database
New in version 2016.3.0.
The states.ldap
state module allows you to manage LDAP entries and their attributes.
-
Ensure the existence (or not) of LDAP entries and their attributes
Example:
ldapi:///: ldap.managed: - connect_spec: bind: method: sasl - entries: # make sure the entry doesn't exist - cn=foo,ou=users,dc=example,dc=com: - delete_others: True # make sure the entry exists with only the specified # attribute values - cn=admin,dc=example,dc=com: - delete_others: True - replace: cn: - admin description: - LDAP administrator objectClass: - simpleSecurityObject - organizationalRole userPassword: - {{pillar.ldap_admin_password}} # make sure the entry exists, its olcRootDN attribute # has only the specified value, the olcRootDN attribute # doesn't exist, and all other attributes are ignored - 'olcDatabase={1}hdb,cn=config': - replace: olcRootDN: - cn=admin,dc=example,dc=com # the admin entry has its own password attribute olcRootPW: [] # note the use of 'default'. also note how you don't # have to use list syntax if there is only one attribute # value - cn=foo,ou=users,dc=example,dc=com: - delete_others: True - default: userPassword: changeme shadowLastChange: 0 # keep sshPublicKey if present, but don't create # the attribute if it is missing sshPublicKey: [] - replace: cn: foo uid: foo uidNumber: 1000 gidNumber: 1000 gecos: Foo Bar givenName: Foo sn: Bar homeDirectory: /home/foo loginShell: /bin/bash objectClass: - inetOrgPerson - posixAccount - top - ldapPublicKey - shadowAccount
- Parameters
-
name -- The URL of the LDAP server. This is ignored if
connect_spec
is either a connection object or a dict with a'url'
entry.-
entries --
A description of the desired state of zero or more LDAP entries.
entries
is an iterable of dicts. Each of these dict's keys are the distinguished names (DNs) of LDAP entries to manage. Each of these dicts is processed in order. A later dict can reference an LDAP entry that was already mentioned in an earlier dict, which makes it possible for later dicts to enhance or alter the desired state of an LDAP entry.The DNs are mapped to a description of the LDAP entry's desired state. These LDAP entry descriptions are themselves iterables of dicts. Each dict in the iterable is processed in order. They contain directives controlling the entry's state. The key names the directive type and the value is state information for the directive. The specific structure of the state information depends on the directive type.
The structure of
entries
looks like this:[{dn1: [{directive1: directive1_state, directive2: directive2_state}, {directive3: directive3_state}], dn2: [{directive4: directive4_state, directive5: directive5_state}]}, {dn3: [{directive6: directive6_state}]}]
These are the directives:
-
'delete_others'
-
Boolean indicating whether to delete attributes not mentioned in this dict or any of the other directive dicts for this DN. Defaults to
False
.If you don't want to delete an attribute if present, but you also don't want to add it if it is missing or modify it if it is present, you can use either the
'default'
directive or the'add'
directive with an empty value list.
-
'default'
-
A dict mapping an attribute name to an iterable of default values for that attribute. If the attribute already exists, it is left alone. If not, it is created using the given list of values.
An empty value list is useful when you don't want to create an attribute if it is missing but you do want to preserve it if the
'delete_others'
key isTrue
.
-
'add'
-
Attribute values to add to the entry. This is a dict mapping an attribute name to an iterable of values to add.
An empty value list is useful when you don't want to create an attribute if it is missing but you do want to preserve it if the
'delete_others'
key isTrue
.
-
'delete'
-
Attribute values to remove from the entry. This is a dict mapping an attribute name to an iterable of values to delete from the attribute. If the iterable is empty, all of the attribute's values are deleted.
-
'replace'
-
Attributes to replace. This is a dict mapping an attribute name to an iterable of values. Any existing values for the attribute are deleted, then the given values are added. The iterable may be empty.
In the above directives, the iterables of attribute values may instead be
None
, in which case an empty list is used, or a scalar such as a string or number, in which case a new list containing the scalar is used.Note that if all attribute values are removed from an entry, the entire entry is deleted.
-
connect_spec -- See the description of the
connect_spec
parameter of theldap3.connect
function in theldap3
execution module. If this is a dict and the'url'
entry is not specified, the'url'
entry is set to the value of thename
parameter.
- Returns
-
A dict with the following keys:
-
'name'
-
This is the same object passed to the
name
parameter.
-
'changes'
-
This is a dict describing the changes made (or, in test mode, the changes that would have been attempted). If no changes were made (or no changes would have been attempted), then this dict is empty. Only successful changes are included.
Each key is a DN of an entry that was changed (or would have been changed). Entries that were not changed (or would not have been changed) are not included. The value is a dict with two keys:
-
'old'
-
The state of the entry before modification. If the entry did not previously exist, this key maps to
None
. Otherwise, the value is a dict mapping each of the old entry's attributes to a list of its values before any modifications were made. Unchanged attributes are excluded from this dict.
-
'new'
-
The state of the entry after modification. If the entry was deleted, this key maps to
None
. Otherwise, the value is a dict mapping each of the entry's attributes to a list of its values after the modifications were made. Unchanged attributes are excluded from this dict.
Example
'changes'
dict where a new entry was created with a single attribute containing two values:{'dn1': {'old': None, 'new': {'attr1': ['val1', 'val2']}}}
Example
'changes'
dict where a new attribute was added to an existing entry:{'dn1': {'old': {}, 'new': {'attr2': ['val3']}}}
-
-
'result'
-
One of the following values:
True
if no changes were necessary or if all changes were applied successfully.False
if at least one change was unable to be applied.None
if changes would be applied but it is in test mode.
-
salt.states.ldap.managed(name, entries, connect_spec=None)
© 2021 SaltStack.
Licensed under the Apache License, Version 2.0.
https://docs.saltproject.io/en/latest/ref/states/all/salt.states.ldap.html