From b9ae603fd782ed40dc8c0e7a02fa49a81b8be8db Mon Sep 17 00:00:00 2001
From: Brad Thurber
Date: Thu, 26 May 2016 10:52:10 -0400
Subject: [PATCH] Add support for master eauth LDAP config

---
 pillar.example | 5 +++
 salt/files/master.d/f_defaults.conf | 62 +++++++++++++++++++++++++++++
 2 files changed, 67 insertions(+)

diff --git a/pillar.example b/pillar.example
index 8392bc0..4414ed5 100644
--- a/pillar.example
+++ b/pillar.example
@@ -37,6 +37,11 @@ salt:
 ssl_key: /etc/pki/api/certs/server.key
 debug: False
 disable_ssl: False
+## for external auth - LDAP
+# filter to use for Active Directory LDAP
+auth.ldap.filter: {% raw %}'sAMAccountName={{username}}'{% endraw %}
+# filter to use for Most other LDAP servers
+auth.ldap.filter: {% raw %}'uid={{ username }}'{% endraw %}
 # salt minion config:
 minion:
diff --git a/salt/files/master.d/f_defaults.conf b/salt/files/master.d/f_defaults.conf
index 8a38d85..29b5f8a 100644
--- a/salt/files/master.d/f_defaults.conf
+++ b/salt/files/master.d/f_defaults.conf
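Review bot: The two added `auth.ldap.filter:` lines in the pillar.example hunk sit in the same mapping, so the example now carries a duplicate key; most YAML loaders silently keep only the last value (`uid={{ username }}`), and the Active Directory variant is never effective for anyone who copies the example as-is. Since the two lines are alternatives rather than a pair, keep one live and comment the other out, e.g. `# auth.ldap.filter: {% raw %}'sAMAccountName={{username}}'{% endraw %}`, so the example parses to a single unambiguous key. The enclosing `salt:` mapping starts outside the hunk, so the indentation level these keys land at cannot be checked here.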
@@ -439,6 +439,68 @@ client_acl_blacklist:
 # Do not disable this unless it is absolutely clear what this does.
 {{ get_config('rotate_aes_key', 'True') }}
+# Unique ID attribute name for the user. For Active Directory should be set
+# to 'sAMAccountName'. Default value is 'memberUid'.
+{{ get_config('auth.ldap.accountattributename', 'memberUid') }}
+
+# Set this to True if LDAP is Active Directory. Default is False
+{{ get_config('auth.ldap.activedirectory', False) }}
+
+# Bind to LDAP anonymously to determine group membership
+# Active Directory does not allow anonymous binds without special configuration
+{{ get_config('auth.ldap.anonymous', False) }}
+
+# The base DN under which users can be found in LDAP
+{{ get_config('auth.ldap.basedn', '') }}
+
+# The user Salt authenticates to search for a users' Distinguished Name and
+# group membership.
+{{ get_config('auth.ldap.binddn', '') }}
+
+# The bind password to go along with the bind dn (binddn).
+{{ get_config('auth.ldap.bindpw', '') }}
+
+# The filter used to find the DN associated with a user. For most LDAPs use
+# the value {% raw %}'uid={{ username }}'{% endraw %}. For Active Directory use the value
+# {% raw %}'sAMAccountName={{username}}'{% endraw %}.
+{{ get_config('auth.ldap.filter', '') }}
+
+# The attribute used for user group membership. Defaults to 'memberOf'
+{{ get_config('auth.ldap.groupattribute', 'memberOf') }}
+
+# LDAP group class. Use 'group' for Active Directory. Defaults to 'posixGroup'
+{{ get_config('auth.ldap.groupclass', 'posixGroup') }}
+
+# To specify an OU that contains group data. Not used for Active Directory
+# Default value: 'Groups'
+{{ get_config('auth.ldap.groupou', 'Groups') }}
+
+# Allows the administrator to strip off a certain set of domain names
+# so the hostnames looked up in the directory service can match the minion IDs.
+{{ get_config('auth.ldap.minion_stripdomains', []) }}
+
+# Verify server's TLS certificate. Default value: False
+{{ get_config('auth.ldap.no_verify', False) }}
+
+# Only for Active Directory. Default value: 'person'
+{{ get_config('auth.ldap.persontype', 'person') }}
+
+# Port to connect via. Default value: '389'
+{{ get_config('auth.ldap.port', '389') }}
+
+# LDAP scope level, almost always 2. Default value: 2
+{{ get_config('auth.ldap.scope', 2) }}
+
+# Server to auth against. Default value: 'localhost'
+{{ get_config('auth.ldap.server', 'localhost') }}
+
+# Use TLS when connecting. Default value: False
+{{ get_config('auth.ldap.tls', False) }}
+
+# Server specified in URI format. Overrides .ldap.server, .ldap.port,
+# .ldap.tls. Default value: ''
+{{ get_config('auth.ldap.uri', '') }}
+
 ##### Salt-SSH Configuration #####
 ##########################################
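Review bot: The comment above `{{ get_config('auth.ldap.no_verify', False) }}` reads `# Verify server's TLS certificate. Default value: False`, which says the opposite of what the key name implies: `no_verify` presumably disables certificate checking, so a default of False keeps verification on, yet a reader sees "Verify ... False" and concludes the certificate is not checked by default. Suggest `# Set to True to skip verification of the LDAP server's TLS certificate (no_verify). Default value: False, i.e. the certificate is verified`. A similar clarification on `auth.ldap.tls` would help, since with `tls` left at False and no `ldaps://` value in `auth.ldap.uri` the bind credentials in `auth.ldap.bindpw` are presumably sent to the directory unencrypted. Because `auth.ldap.bindpw` is rendered straight into the master config on disk, a one-line comment reminding users to supply it from pillar rather than hard-coding it in the formula would also be worth adding.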