Saltstack - State file for users from Active Directory
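# Execute USERS PRESENT for each user, who is a member of Active Directory Group, which matches the beginning of minion ID,
# like: salt-[projectName]-[service]-[environment]-[moreAttrs]*
#
# Pillar inputs (every AD attribute is taken from pillar as-is, so the export
# that fills the pillar is the trust boundary for the accounts and keys managed here):
#   ad_salt_users          - AD user objects: sAMAccountName, memberOf, and the optional
#                            displayName / l / telephoneNumber / mobile / loginShell /
#                            unixHomeDirectory / groupPriority / altSecurityIdentities
#   ad_salt_groups         - AD group objects: cn, distinguishedName
#   ad_salt_users_disabled - AD user objects to remove from every minion
{% if 'ad_salt_users' in pillar %}
{% for ad_salt_user in pillar['ad_salt_users'] %}
{% set sam = ad_salt_user['sAMAccountName'] %}
# Home directory shared by user.present and the authorized_keys path below, so that
# clearing and re-adding keys act on the same file when AD supplies a non-default home
# (previously the clean step always targeted /home/<user>, leaving stale keys behind
# for users with another unixHomeDirectory).
{% set home = ad_salt_user['unixHomeDirectory'] if 'unixHomeDirectory' in ad_salt_user else '/home/' ~ sam %}
# SETTING FLAG VAR - flipped to True once any group of this user matches this minion
{% set is_present = {'flag': False} %}
{% for ad_user_group in ad_salt_user['memberOf'] %}
# ad_salt_groups is indexed unconditionally on purpose: a missing pillar should fail
# the render rather than silently leave every user flagged for removal below.
{% for group in pillar['ad_salt_groups'] if group['distinguishedName'] == ad_user_group %}
# this line is for case if regex_match not working
{#% if group['cn'] in grains['id'] %#}
# NOTE: the group cn is used as an unescaped regex prefix (anchored at the start only);
# a cn containing regex metacharacters, or one that is a prefix of another group's cn,
# matches more minions than intended - confirm against the group naming scheme.
{% if grains['id'] | regex_match(group['cn'] + '(.*)', ignorecase=True) %}
# IF USER IS A MEMBER OF THIS MINION GROUP then SET FLAG TO TRUE
{% do is_present.update({'flag': True}) %}
## APPLYING AD USER ATTRIBUTES TO LINUX USER
{{ sam }}_{{ group['cn'] }}_user:
  user.present:
    - name: {{ sam }}
{% if 'displayName' in ad_salt_user %}
    - fullname: {{ ad_salt_user['displayName'] }}
{% endif %}
{% if 'l' in ad_salt_user %}
    - roomnumber: {{ ad_salt_user['l'] }}
{% endif %}
{% if 'telephoneNumber' in ad_salt_user %}
    - workphone: {{ ad_salt_user['telephoneNumber'] }}
{% endif %}
{% if 'mobile' in ad_salt_user %}
    - homephone: {{ ad_salt_user['mobile'] }}
{% endif %}
{% if 'loginShell' in ad_salt_user %}
    - shell: {{ ad_salt_user['loginShell'] }}
{% endif %}
{% if 'unixHomeDirectory' in ad_salt_user %}
    - home: {{ home }}
{% endif %}
{% if 'groupPriority' in ad_salt_user %}
    - groups:
{% for group_attribute_in_ad in ad_salt_user['groupPriority'] %}
      - {{ group_attribute_in_ad }}
{% endfor %}
{% endif %}
# SSH PUB-KEY of USER
{% if 'altSecurityIdentities' in ad_salt_user %}
# clear previous file with ssh keys, so keys removed in AD do not survive on the minion:
{{ sam }}_{{ group['cn'] }}_ssh_key_clean:
  file.managed:
    - name: '{{ home }}/.ssh/authorized_keys'
    - user: {{ sam }}
    - group: {{ sam }}
    - makedirs: True
    - require:
      - user: {{ sam }}_{{ group['cn'] }}_user
    - contents:
      - ""
# end clear
# applying new ssh keys
# NOTE: altSecurityIdentities is rendered as a Python list literal; a key whose comment
# field contains quote characters may not parse as YAML - confirm against real data.
{{ sam }}_{{ group['cn'] }}_ssh_key:
  ssh_auth.present:
    - user: {{ sam }}
    - names: {{ ad_salt_user['altSecurityIdentities'] }}
    - require:
      - user: {{ sam }}_{{ group['cn'] }}_user
      - file: {{ sam }}_{{ group['cn'] }}_ssh_key_clean
{% endif %}
{% endif %}
{% endfor %}
{% endfor %}
# REMOVE USER from minion if this user is not a member of corresponding AD group
# (check if at least one of user groups matches minion, if not - remove user)
{% if not is_present.flag %}
{{ sam }}_on_{{ grains['id'] }}_user_absent:
  user.absent:
    - name: {{ sam }}
{% endif %}
{% endfor %}
{% endif %}
# REMOVE USER IN ALL MINIONS if user is Disabled in Active Directory
# The guard and the loop must read the same pillar key: the original tested for
# 'ad_salt_users_disabled' but iterated 'ad_salt_users-disabled', so the block
# never ran against the key it checked. A user listed both here and in ad_salt_users
# gets a user.present and a user.absent state - keep the two lists disjoint.
{% if 'ad_salt_users_disabled' in pillar %}
{% for ad_salt_user in pillar['ad_salt_users_disabled'] %}
{{ ad_salt_user['sAMAccountName'] }}_user_disabled:
  user.absent:
    - name: {{ ad_salt_user['sAMAccountName'] }}
{% endfor %}
{% endif %}
# APPLY TO ALL MINIONS:
# Sudoers do not prompt for password
# NOTE: every member of the local 'sudo' group gets unconditional passwordless root on
# every minion applying this state; membership (the 'groupPriority' attribute above)
# is therefore the only control over who receives it.
/etc/sudoers.d/sudonopasswd:
  file.managed:
    - user: root
    - group: root
    # quoted so YAML keeps the octal mode exactly as written
    - mode: '0440'
    - contents:
      - "%sudo ALL = (ALL) NOPASSWD: ALL"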