Skip to content

Instantly share code, notes, and snippets.

@voxmaster

voxmaster/ad_users.sls

Created August 4, 2018 13:31
Show Gist options
  • Save voxmaster/0e45b1a72b3ad37c9239e50843bc3af1 to your computer and use it in GitHub Desktop.
Save voxmaster/0e45b1a72b3ad37c9239e50843bc3af1 to your computer and use it in GitHub Desktop.
Download ZIP
Saltstack - State file for users from Active Directory
Raw
ad_users.sls
# Execute USERS PRESENT for each user, who is a member of Active Directory Group, which matches the beginning of minion ID,
# like: salt-[projectName]-[service]-[environment]-[moreAttrs]*
{% if 'ad_salt_users' in pillar %}
{% for ad_salt_user in pillar['ad_salt_users'] %}
# SETTING FLAG VAR
{% set is_present = { 'flag': False } %}
{% for ad_user_group in ad_salt_user['memberOf'] %}
{% for group in pillar['ad_salt_groups'] if not group['distinguishedName']!=ad_user_group %}
# this line is for case if regex_match not working
{#% if group['cn'] in grains['id'] %#}
{% if grains['id'] | regex_match(group['cn'] + '(.*)', ignorecase=True) %}
# IF USER IS A MEMBER OF THIS MINION GROUP then SET FLAG TO TRUE
{%- if is_present.update({'flag':True}) %}{%- endif %}
## APPLYING AD USER ATTRIBUTES TO LINUX USER
{{ ad_salt_user['sAMAccountName'] }}_{{ group['cn'] }}_user:
user.present:
- name: {{ ad_salt_user['sAMAccountName'] }}
{% if 'displayName' in ad_salt_user %}
- fullname: {{ ad_salt_user['displayName'] }}
{% endif %}
{% if 'l' in ad_salt_user %}
- roomnumber: {{ ad_salt_user['l'] }}
{% endif %}
{% if 'telephoneNumber' in ad_salt_user %}
- workphone: {{ ad_salt_user['telephoneNumber'] }}
{% endif %}
{% if 'mobile' in ad_salt_user %}
- homephone: {{ ad_salt_user['mobile'] }}
{% endif %}
{% if 'loginShell' in ad_salt_user %}
- shell: {{ ad_salt_user['loginShell'] }}
{% endif %}
{% if 'unixHomeDirectory' in ad_salt_user %}
- home: {{ ad_salt_user['unixHomeDirectory'] }}
{% endif %}
{% if 'groupPriority' in ad_salt_user %}
- groups:
{% for group_attribute_in_ad in ad_salt_user['groupPriority'] %}
- {{ group_attribute_in_ad }}
{% endfor %}
{% endif %}
# SSH PUB-KEY of USER
{% if 'altSecurityIdentities' in ad_salt_user %}
# clear previous file with ssh keys:
{{ ad_salt_user['sAMAccountName'] }}_{{ group['cn'] }}_ssh_key_clean:
file.managed:
- name: '/home/{{ ad_salt_user['sAMAccountName'] }}/.ssh/authorized_keys'
- user: {{ ad_salt_user['sAMAccountName'] }}
- group: {{ ad_salt_user['sAMAccountName'] }}
- makedirs: True
- require:
- user: {{ ad_salt_user['sAMAccountName'] }}_{{ group['cn'] }}_user
- contents:
- ""
# end clear
# applying new ssh keys
{{ ad_salt_user['sAMAccountName'] }}_{{ group['cn'] }}_ssh_key:
ssh_auth.present:
- user: {{ ad_salt_user['sAMAccountName'] }}
- names: {{ ad_salt_user['altSecurityIdentities'] }}
- require:
- user: {{ ad_salt_user['sAMAccountName'] }}_{{ group['cn'] }}_user
- file: {{ ad_salt_user['sAMAccountName'] }}_{{ group['cn'] }}_ssh_key_clean
{% endif %}
{% endif %}
{% endfor %}
{% endfor %}
# REMOVE USER from minion if this user is not a member of corresponding AD group
# (check if at least one of user groups matches minion, if not - remove user)
{% if is_present.flag == false %}
{{ ad_salt_user['sAMAccountName'] }}_on_{{ grains['id'] }}_user_absent:
user.absent:
- name: {{ ad_salt_user['sAMAccountName'] }}
{% endif %}
{% endfor %}
{% endif %}
# REMOVE USER IN ALL MINIONS if user is Disabled in Active Directory
{% if 'ad_salt_users_disabled' in pillar %}
{% for ad_salt_user in pillar['ad_salt_users-disabled'] %}
{{ ad_salt_user['sAMAccountName'] }}_user_disabled:
user.absent:
- name: {{ ad_salt_user['sAMAccountName'] }}
{% endfor %}
{% endif %}
# APPLY TO ALL MINIONS:
# Sudoers do not prompt for password
/etc/sudoers.d/sudonopasswd:
file.managed:
- user: root
- group: root
- mode: 440
- contents:
- "%sudo ALL = (ALL) NOPASSWD: ALL"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment