Add LDAP-based git identity and SSSD config for immediate git config setup #274
cmyers-mieweb wants to merge 1 commit into main from
Install ldap-utils and add LDAP client/config and a profile script to auto-configure git user.name/email from LDAP on first interactive login. Copies ldap.conf to /etc/ldap, adds /etc/profile.d/git-identity.sh which uses ldapsearch and NSS (sssd) gecos to set global git config, and adjusts sssd.conf to map cn -> gecos (ldap_user_gecos = cn). Also updates Dockerfile to install ldap-utils and include the new files.
|
|
||
| # Email from LDAP anonymous query | ||
| _GIT_SETUP_LDAP_HOST="${LDAP_URI:-ldaps://ldap1:636}" | ||
| _GIT_SETUP_LDAP_BASE="${LDAP_BASE_DN:-dc=docker,dc=internal}" |
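Review bot: the fallbacks on the `_GIT_SETUP_LDAP_HOST` and `_GIT_SETUP_LDAP_BASE` lines hard-code `ldaps://ldap1:636` and `dc=docker,dc=internal` in the profile script, while this PR also copies an ldap.conf to /etc/ldap. ldapsearch takes its default URI and BASE from ldap.conf, so if that file sets them, this is a second copy that can drift from the first. Consider dropping the fallbacks and passing -H and -b only when `LDAP_URI` or `LDAP_BASE_DN` is actually set.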
BaseDN is a problem here. We're allowing SSSD to do baseDN autodiscovery via rootDSE namingContext attribute. To match the SSSD config's baseDN, you would need to query the rootDSE, use namingContext if there's only one, otherwise use defaultNamingContext if there's multiple namingContexts, otherwise fail (because SSSD would have failed too).
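The base DN selection described in the comment above, as an added example that is not part of the PR or the reviewer's own code. It assumes OpenLDAP's ldapsearch and the rootDSE attribute names `namingContexts` and `defaultNamingContext`; the function names and the sample reply are made up for illustration.

```shell
#!/bin/sh
# Added example: pick a search base from a rootDSE reply.
# pick_base_dn and discover_base_dn are hypothetical names.

# Read rootDSE LDIF on stdin; print the chosen base DN, or return 1.
pick_base_dn() {
    awk '
        {
            # Split "attr: value"; LDIF attribute names are case-insensitive.
            # Base64 values ("attr:: ...") do not match and are ignored,
            # which makes the function fail rather than guess.
            sep = index($0, ": ")
            if (sep == 0) next
            name = tolower(substr($0, 1, sep - 1))
            value = substr($0, sep + 2)
        }
        name == "namingcontexts" && value != "" { n++; only = value }
        name == "defaultnamingcontext" && value != "" { dflt = value }
        END {
            if (n == 1) { print only; exit 0 }               # exactly one context
            if (n > 1 && dflt != "") { print dflt; exit 0 }  # several: need a default
            exit 1                                           # none, or ambiguous
        }
    '
}

# Anonymous base-scope search on the empty DN returns the rootDSE.
# $1 is the LDAP URI. A failed search yields no input, so this returns 1.
discover_base_dn() {
    ldapsearch -x -LLL -o ldif-wrap=no -H "$1" -s base -b "" \
        namingContexts defaultNamingContext 2>/dev/null | pick_base_dn
}

# Constructed rootDSE reply (not captured from a real server).
sample_rootdse='dn:
namingContexts: dc=docker,dc=internal
namingContexts: dc=other,dc=internal
defaultNamingContext: dc=docker,dc=internal'

printf '%s\n' "$sample_rootdse" | pick_base_dn   # prints dc=docker,dc=internal
```

In a profile script the result would be used as `base=$(discover_base_dn "$uri") || return 0`, so a server with several naming contexts and no default skips the git setup.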
| command -v ldapsearch >/dev/null 2>&1 || return | ||
|
|
||
| # Skip if already configured — user-set values always take precedence | ||
| [ -n "$(git config --global user.email 2>/dev/null)" ] && return |
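Review bot: only `ldapsearch` is checked with `command -v` before the last line of this hunk calls `git config`. If git is missing, `git config --global user.email` prints nothing, the `[ -n ... ]` test is false, and the script carries on to the LDAP lookup. Add `command -v git >/dev/null 2>&1 || return` next to the ldapsearch check. A bare `return` also passes on the non-zero status of the failed `command -v`; `return 0` keeps a sourced profile script from reporting failure.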
We should probably only skip if user.email AND user.name are set globally.
| [ -n "$(git config --global user.email 2>/dev/null)" ] && return | ||
|
|
||
| _GIT_SETUP_USER="${USER:-$(id -un 2>/dev/null)}" | ||
| [ -z "$_GIT_SETUP_USER" ] && return |
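Review bot: `_GIT_SETUP_USER` prefers `$USER`, an environment variable the caller can set to anything, and falls back to `id -un` only when it is empty. If this value is later placed into the ldapsearch filter, a name containing `*`, `(`, `)` or `\` changes what the filter matches. Take the name from `id -un` first, and return unless it matches the expected username character set before using it in a query.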
Can we bail out here as well if user is root? Just to avoid the unnecessary LDAP lookup?
|
|
||
| # Map LDAP cn attribute to the NSS gecos field so that tools like getent, | ||
| # finger, and the git-identity profile script can read the user's full name. | ||
| ldap_user_gecos = cn |
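Review bot: `ldap_user_gecos = cn` changes the gecos value for every NSS consumer, which the added comment itself lists as getent and finger, while the only new consumer in this PR is the git-identity profile script. Per the description the script already runs ldapsearch for the email; requesting `cn` in that same query would give it the full name without touching the sssd attribute map.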
The default value of this setting, gecos, works for our deployment. I don't want to complicate the sssd config more than necessary.
Resolves: #256
Installs ldap-utils and adds LDAP client/config and a profile script to auto-configure git user.name/email from LDAP on first interactive login.
Copies ldap.conf to /etc/ldap, adds /etc/profile.d/git-identity.sh which uses ldapsearch and NSS (sssd) gecos to set global git config, and adjusts sssd.conf to map cn -> gecos (ldap_user_gecos = cn).
Also updates Dockerfile to install ldap-utils and include the new files.
This should allow for any user logging into any container to have git config preset and ready to go. This should work on any template derived from the base image.