salt.auth.ldap

Provide authentication using simple LDAP binds

depends:
  • ldap Python module
salt.auth.ldap.auth(username, password)

Simple LDAP auth

salt.auth.ldap.expand_ldap_entries(entries, opts=None)
Parameters:
  • entries -- ldap subtree in external_auth config option
  • opts -- Opts to use when __opts__ not defined
Returns:
  Dictionary with all allowed operations

Takes the ldap subtree in the external_auth config option and expands it with actual minion names

  webadmins%:  <all users in the AD 'webadmins' group>
    - server1:
        - .*
    - ldap(OU=webservers,dc=int,dc=bigcompany,dc=com):
        - test.ping
        - service.restart
    - ldap(OU=Domain Controllers,dc=int,dc=bigcompany,dc=com):
        - allowed_fn_list_attribute^

This function only gets called if auth.ldap.activedirectory = True
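As an added example (not Salt's own code), the following Python performs the kind of expansion described above on the webadmins% subtree, using a constructed in-memory directory; `FAKE_DIRECTORY`, `search_computers` and the `allowedFunctions` attribute are assumptions standing in for the real LDAP search and for the `allowed_fn_list_attribute` placeholder.

```python
import re

# Added illustration, not Salt's implementation: expand ldap(...) ACL keys
# using a constructed in-memory directory (search base -> computer objects).
FAKE_DIRECTORY = {
    "OU=webservers,dc=int,dc=bigcompany,dc=com": [
        {"cn": "web1", "allowedFunctions": []},
        {"cn": "web2", "allowedFunctions": []},
    ],
    "OU=Domain Controllers,dc=int,dc=bigcompany,dc=com": [
        {"cn": "dc1", "allowedFunctions": ["test.ping", "status.uptime"]},
    ],
}
LDAP_KEY = re.compile(r"^ldap\((?P<base>.+)\)$")

def search_computers(search_base):
    """Hypothetical lookup: computer objects below search_base."""
    return FAKE_DIRECTORY.get(search_base, [])

def expand_ldap_entries(entries, search=search_computers):
    """Replace each ldap(...) key with one {minion: [functions]} entry per
    computer under that OU.  A permission ending in '^' names a directory
    attribute whose values are the allowed functions for that computer."""
    expanded = []
    for entry in entries:
        if not isinstance(entry, dict):
            expanded.append(entry)  # bare minion glob such as '.*'
            continue
        for target, permissions in entry.items():
            match = LDAP_KEY.match(target)
            if not match:
                expanded.append({target: permissions})  # literal minion id
                continue
            for computer in search(match.group("base")):
                allowed = []
                for perm in permissions:
                    if perm.endswith("^"):
                        allowed.extend(computer.get(perm[:-1], []))
                    else:
                        allowed.append(perm)
                expanded.append({computer["cn"]: allowed})
    return expanded

# The webadmins% subtree above, with the constructed 'allowedFunctions' attribute.
WEBADMINS_ACL = [
    {"server1": [".*"]},
    {"ldap(OU=webservers,dc=int,dc=bigcompany,dc=com)": ["test.ping", "service.restart"]},
    {"ldap(OU=Domain Controllers,dc=int,dc=bigcompany,dc=com)": ["allowedFunctions^"]},
]
```

An ldap(...) entry whose OU returns no computers contributes no minion entries at all, which is the safe failure mode: nobody gains access by accident.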

salt.auth.ldap.groups(username, **kwargs)

Authenticate against an LDAP group

Behavior is highly dependent on whether Active Directory is in use.

AD handles group membership very differently than OpenLDAP. See the External Authentication documentation for a thorough discussion of available parameters for customizing the search.

With OpenLDAP, all groups in the directory are searched and their members returned; the username entered is then checked against that membership.