W3cubDocs

/SaltStack

salt.states.ldap

Manage entries in an LDAP database

New in version 2016.3.0.

The states.ldap state module allows you to manage LDAP entries and their attributes.

salt.states.ldap.managed(name, entries, connect_spec=None)

Ensure the existence (or not) of LDAP entries and their attributes

Example:

ldapi:///:
  ldap.managed:
    - connect_spec:
        bind:
          method: sasl

    - entries:

      # make sure the entry doesn't exist
      - cn=foo,ou=users,dc=example,dc=com:
        - delete_others: True

      # make sure the entry exists with only the specified
      # attribute values
      - cn=admin,dc=example,dc=com:
        - delete_others: True
        - replace:
            cn:
              - admin
            description:
              - LDAP administrator
            objectClass:
              - simpleSecurityObject
              - organizationalRole
            userPassword:
              - {{pillar.ldap_admin_password}}

      # make sure the entry exists, its olcRootDN attribute
      # has only the specified value, the olcRootDN attribute
      # doesn't exist, and all other attributes are ignored
      - 'olcDatabase={1}hdb,cn=config':
        - replace:
            olcRootDN:
              - cn=admin,dc=example,dc=com
            # the admin entry has its own password attribute
            olcRootPW: []

      # note the use of 'default'.  also note how you don't
      # have to use list syntax if there is only one attribute
      # value
      - cn=foo,ou=users,dc=example,dc=com:
        - delete_others: True
        - default:
            userPassword: changeme
            shadowLastChange: 0
            # keep sshPublicKey if present, but don't create
            # the attribute if it is missing
            sshPublicKey: []
        - replace:
            cn: foo
            uid: foo
            uidNumber: 1000
            gidNumber: 1000
            gecos: Foo Bar
            givenName: Foo
            sn: Bar
            homeDirectory: /home/foo
            loginShell: /bin/bash
            objectClass:
              - inetOrgPerson
              - posixAccount
              - top
              - ldapPublicKey
              - shadowAccount

Parameters:

Parameters:	name -- The URL of the LDAP server. This is ignored if `connect_spec` is either a connection object or a dict with a `'url'` entry. entries -- A description of the desired state of zero or more LDAP entries. `entries` is an iterable of dicts. Each of these dict's keys are the distinguished names (DNs) of LDAP entries to manage. Each of these dicts is processed in order. A later dict can reference an LDAP entry that was already mentioned in an earlier dict, which makes it possible for later dicts to enhance or alter the desired state of an LDAP entry. The DNs are mapped to a description of the LDAP entry's desired state. These LDAP entry descriptions are themselves iterables of dicts. Each dict in the iterable is processed in order. They contain directives controlling the entry's state. The key names the directive type and the value is state information for the directive. The specific structure of the state information depends on the directive type. The structure of `entries` looks like this: [{dn1: [{directive1: directive1_state, directive2: directive2_state}, {directive3: directive3_state}], dn2: [{directive4: directive4_state, directive5: directive5_state}]}, {dn3: [{directive6: directive6_state}]}] These are the directives: `'delete_others'` Boolean indicating whether to delete attributes not mentioned in this dict or any of the other directive dicts for this DN. Defaults to `False`. If you don't want to delete an attribute if present, but you also don't want to add it if it is missing or modify it if it is present, you can use either the `'default'` directive or the `'add'` directive with an empty value list. `'default'` A dict mapping an attribute name to an iterable of default values for that attribute. If the attribute already exists, it is left alone. If not, it is created using the given list of values. An empty value list is useful when you don't want to create an attribute if it is missing but you do want to preserve it if the `'delete_others'` key is `True`. `'add'` Attribute values to add to the entry. This is a dict mapping an attribute name to an iterable of values to add. An empty value list is useful when you don't want to create an attribute if it is missing but you do want to preserve it if the `'delete_others'` key is `True`. `'delete'` Attribute values to remove from the entry. This is a dict mapping an attribute name to an iterable of values to delete from the attribute. If the iterable is empty, all of the attribute's values are deleted. `'replace'` Attributes to replace. This is a dict mapping an attribute name to an iterable of values. Any existing values for the attribute are deleted, then the given values are added. The iterable may be empty. In the above directives, the iterables of attribute values may instead be `None`, in which case an empty list is used, or a scalar such as a string or number, in which case a new list containing the scalar is used. Note that if all attribute values are removed from an entry, the entire entry is deleted. connect_spec -- See the description of the `connect_spec` parameter of the `ldap3.connect` function in the `ldap3` execution module. If this is a dict and the `'url'` entry is not specified, the `'url'` entry is set to the value of the `name` parameter.
Returns:	A dict with the following keys: `'name'` This is the same object passed to the `name` parameter. `'changes'` This is a dict describing the changes made (or, in test mode, the changes that would have been attempted). If no changes were made (or no changes would have been attempted), then this dict is empty. Only successful changes are included. Each key is a DN of an entry that was changed (or would have been changed). Entries that were not changed (or would not have been changed) are not included. The value is a dict with two keys: `'old'` The state of the entry before modification. If the entry did not previously exist, this key maps to `None`. Otherwise, the value is a dict mapping each of the old entry's attributes to a list of its values before any modifications were made. Unchanged attributes are excluded from this dict. `'new'` The state of the entry after modification. If the entry was deleted, this key maps to `None`. Otherwise, the value is a dict mapping each of the entry's attributes to a list of its values after the modifications were made. Unchanged attributes are excluded from this dict. Example `'changes'` dict where a new entry was created with a single attribute containing two values: {'dn1': {'old': None, 'new': {'attr1': ['val1', 'val2']}}} Example `'changes'` dict where a new attribute was added to an existing entry: {'dn1': {'old': {}, 'new': {'attr2': ['val3']}}} `'result'` One of the following values: `True` if no changes were necessary or if all changes were applied successfully. `False` if at least one change was unable to be applied. `None` if changes would be applied but it is in test mode.

name -- The URL of the LDAP server. This is ignored if connect_spec is either a connection object or a dict with a 'url' entry.
entries --
A description of the desired state of zero or more LDAP entries.

entries is an iterable of dicts. Each of these dict's keys are the distinguished names (DNs) of LDAP entries to manage. Each of these dicts is processed in order. A later dict can reference an LDAP entry that was already mentioned in an earlier dict, which makes it possible for later dicts to enhance or alter the desired state of an LDAP entry.

The DNs are mapped to a description of the LDAP entry's desired state. These LDAP entry descriptions are themselves iterables of dicts. Each dict in the iterable is processed in order. They contain directives controlling the entry's state. The key names the directive type and the value is state information for the directive. The specific structure of the state information depends on the directive type.

The structure of entries looks like this:
```
[{dn1: [{directive1: directive1_state,
         directive2: directive2_state},
        {directive3: directive3_state}],
  dn2: [{directive4: directive4_state,
         directive5: directive5_state}]},
 {dn3: [{directive6: directive6_state}]}]
```
These are the directives:
- 'delete_others'
  
  Boolean indicating whether to delete attributes not mentioned in this dict or any of the other directive dicts for this DN. Defaults to False.
  If you don't want to delete an attribute if present, but you also don't want to add it if it is missing or modify it if it is present, you can use either the 'default' directive or the 'add' directive with an empty value list.
- 'default'
  
  A dict mapping an attribute name to an iterable of default values for that attribute. If the attribute already exists, it is left alone. If not, it is created using the given list of values.
  An empty value list is useful when you don't want to create an attribute if it is missing but you do want to preserve it if the 'delete_others' key is True.
- 'add'
  
  Attribute values to add to the entry. This is a dict mapping an attribute name to an iterable of values to add.
  An empty value list is useful when you don't want to create an attribute if it is missing but you do want to preserve it if the 'delete_others' key is True.
- 'delete'
  
  Attribute values to remove from the entry. This is a dict mapping an attribute name to an iterable of values to delete from the attribute. If the iterable is empty, all of the attribute's values are deleted.
- 'replace'
  
  Attributes to replace. This is a dict mapping an attribute name to an iterable of values. Any existing values for the attribute are deleted, then the given values are added. The iterable may be empty.
In the above directives, the iterables of attribute values may instead be None, in which case an empty list is used, or a scalar such as a string or number, in which case a new list containing the scalar is used.

Note that if all attribute values are removed from an entry, the entire entry is deleted.
connect_spec -- See the description of the connect_spec parameter of the ldap3.connect function in the ldap3 execution module. If this is a dict and the 'url' entry is not specified, the 'url' entry is set to the value of the name parameter.

Returns:

A dict with the following keys:

'name'

This is the same object passed to the name parameter.
'changes'
This is a dict describing the changes made (or, in test mode, the changes that would have been attempted). If no changes were made (or no changes would have been attempted), then this dict is empty. Only successful changes are included.

Each key is a DN of an entry that was changed (or would have been changed). Entries that were not changed (or would not have been changed) are not included. The value is a dict with two keys:
- 'old'
  
  The state of the entry before modification. If the entry did not previously exist, this key maps to None. Otherwise, the value is a dict mapping each of the old entry's attributes to a list of its values before any modifications were made. Unchanged attributes are excluded from this dict.
- 'new'
  
  The state of the entry after modification. If the entry was deleted, this key maps to None. Otherwise, the value is a dict mapping each of the entry's attributes to a list of its values after the modifications were made. Unchanged attributes are excluded from this dict.
Example 'changes' dict where a new entry was created with a single attribute containing two values:
```
{'dn1': {'old': None,
         'new': {'attr1': ['val1', 'val2']}}}
```
Example 'changes' dict where a new attribute was added to an existing entry:
{'dn1': {'old': {}, 'new': {'attr2': ['val3']}}}
'result'
One of the following values:
- True if no changes were necessary or if all changes were applied successfully.
- False if at least one change was unable to be applied.
- None if changes would be applied but it is in test mode.

© 2019 SaltStack.
Licensed under the Apache License, Version 2.0.
https://docs.saltstack.com/en/latest/ref/states/all/salt.states.ldap.html