Add LDAP-based git identity and SSSD config for immediate git config setup#274
cmyers-mieweb wants to merge 4 commits into main from cmyers_git-integration
Install ldap-utils and add LDAP client/config and a profile script to auto-configure git user.name/email from LDAP on first interactive login. Copies ldap.conf to /etc/ldap, adds /etc/profile.d/git-identity.sh which uses ldapsearch and NSS (sssd) gecos to set global git config, and adjusts sssd.conf to map cn -> gecos (ldap_user_gecos = cn). Also updates Dockerfile to install ldap-utils and include the new files.
images/base/git-identity.sh
Outdated
# Email from LDAP anonymous query
_GIT_SETUP_LDAP_HOST="${LDAP_URI:-ldaps://ldap1:636}"
_GIT_SETUP_LDAP_BASE="${LDAP_BASE_DN:-dc=docker,dc=internal}"
BaseDN is a problem here. We're allowing SSSD to do baseDN autodiscovery via the rootDSE namingContext attribute. To match the SSSD config's baseDN, you would need to query the rootDSE, use namingContext if there's only one, otherwise use defaultNamingContext if there's multiple namingContexts, otherwise fail (because SSSD would have failed too).
Created some conditionals to resolve this issue.
# Resolve baseDN the same way SSSD does: rootDSE namingContexts autodiscovery.
# Use LDAP_BASE_DN if explicitly set; otherwise query rootDSE.
# - Single namingContexts entry -> use it directly
# - Multiple namingContexts -> use defaultNamingContext
# - Neither resolvable -> abort
if [ -n "${LDAP_BASE_DN:-}" ]; then
    _GIT_SETUP_LDAP_BASE="$LDAP_BASE_DN"
else
    _GIT_SETUP_ROOTDSE=$(ldapsearch -x -H "$_GIT_SETUP_LDAP_HOST" -b "" -s base namingContexts defaultNamingContext 2>/dev/null)
    _GIT_SETUP_NC_COUNT=$(echo "$_GIT_SETUP_ROOTDSE" | grep -c '^namingContexts:')
    if [ "$_GIT_SETUP_NC_COUNT" -eq 1 ]; then
        _GIT_SETUP_LDAP_BASE=$(echo "$_GIT_SETUP_ROOTDSE" | awk '/^namingContexts:/{print $2; exit}')
    elif [ "$_GIT_SETUP_NC_COUNT" -gt 1 ]; then
        _GIT_SETUP_LDAP_BASE=$(echo "$_GIT_SETUP_ROOTDSE" | awk '/^defaultNamingContext:/{print $2; exit}')
    fi
    unset _GIT_SETUP_ROOTDSE _GIT_SETUP_NC_COUNT
fi
[ -z "${_GIT_SETUP_LDAP_BASE:-}" ] && return
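The rootDSE resolution discussed in this thread, as an added example that is not the PR's own code: it applies the same one-namingContexts / defaultNamingContext / fail rule, but first normalises the LDIF so that base64-encoded (`attr::`) values and folded continuation lines, which the awk one-liners above would mis-parse, still yield the right DN. It assumes POSIX sh with awk, sed, grep and a coreutils `base64 -d`; the sample responses are constructed, not captured from a directory.

```sh
# Added example, not the PR's own code: resolve the base DN from rootDSE output
# the way SSSD autodiscovery does, and also handle two LDIF details the PR's awk
# one-liners skip: base64-encoded ("attr:: ...") values and folded lines.
# Input: the text printed by
#   ldapsearch -x -H "$uri" -b "" -s base namingContexts defaultNamingContext

# Unfold continuation lines (leading single space) and decode "::" values.
ldif_normalize() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (buf != "") print buf; buf = $0 }
         END { if (buf != "") print buf }' |
    while IFS= read -r line; do
        attr=${line%%:*}
        rest=${line#"$attr"}
        case "$rest" in
            ':: '*) val=$(printf '%s' "${rest#:: }" | base64 -d) || continue
                    printf '%s: %s\n' "$attr" "$val" ;;
            *)      printf '%s\n' "$line" ;;
        esac
    done
}

# One namingContexts -> use it; several -> require defaultNamingContext;
# otherwise fail, because SSSD's autodiscovery would have failed too.
resolve_base_dn() {
    ldif=$(printf '%s\n' "$1" | ldif_normalize)
    nc_count=$(printf '%s\n' "$ldif" | grep -c '^namingContexts: ' || true)
    if [ "$nc_count" -eq 1 ]; then
        printf '%s\n' "$ldif" | sed -n 's/^namingContexts: //p'
    elif [ "$nc_count" -gt 1 ]; then
        dn=$(printf '%s\n' "$ldif" | sed -n 's/^defaultNamingContext: //p' | head -n 1)
        [ -n "$dn" ] && printf '%s\n' "$dn"
    else
        return 1
    fi
}

# Constructed sample rootDSE responses (not captured from a real directory).
SAMPLE_MULTI='dn:
namingContexts: dc=docker,dc=internal
namingContexts: cn=config
defaultNamingContext: dc=docker,dc=internal'
SAMPLE_B64='dn:
namingContexts:: ZGM9ZG9ja2VyLGRjPWludGVybmFs'
SAMPLE_FOLDED='dn:
namingContexts: dc=docker,
 dc=internal'

resolve_base_dn "$SAMPLE_MULTI"   # prints dc=docker,dc=internal
```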
images/base/git-identity.sh
Outdated
command -v ldapsearch >/dev/null 2>&1 || return

# Skip if already configured — user-set values always take precedence
[ -n "$(git config --global user.email 2>/dev/null)" ] && return
We should probably only skip if user.email AND user.name are set globally.
changed to
[ -n "$(git config --global user.email 2>/dev/null)" ] && [ -n "$(git config --global user.name 2>/dev/null)" ] && return
[ -n "$(git config --global user.email 2>/dev/null)" ] && return

_GIT_SETUP_USER="${USER:-$(id -un 2>/dev/null)}"
[ -z "$_GIT_SETUP_USER" ] && return
Can we bail out here as well if the user is root? Just to avoid the unnecessary LDAP lookup?
_GIT_SETUP_USER="${USER:-$(id -un 2>/dev/null)}"
[ -z "$_GIT_SETUP_USER" ] && return
[ "$_GIT_SETUP_USER" = "root" ] && return
# Map LDAP cn attribute to the NSS gecos field so that tools like getent,
# finger, and the git-identity profile script can read the user's full name.
ldap_user_gecos = cn
The default value of this setting (gecos) works for our deployment. I don't want to complicate the sssd config more than necessary.
I went ahead and removed these lines
6229f03 to acda133
Enhance git-identity.sh to be more robust: only skip when both global user.name and user.email are set, ignore root, resolve LDAP baseDN via RootDSE (namingContexts / defaultNamingContext) when LDAP_BASE_DN isn't provided, and set user.name (from NSS gecos) and user.email (from LDAP) independently. Clean up temporary variables. Also remove the explicit ldap_user_gecos = cn mapping from sssd.conf since SSSD reads gecos by default; aligns git identity logic with SSSD behavior and handles multi-entry namingContexts.
…ce-server into cmyers_git-integration
Resolves: #256
Installs ldap-utils and adds LDAP client/config and a profile script to auto-configure git user.name/email from LDAP on first interactive login.
Copies ldap.conf to /etc/ldap, adds /etc/profile.d/git-identity.sh which uses ldapsearch and NSS (sssd) gecos to set global git config, and adjusts sssd.conf to map cn -> gecos (ldap_user_gecos = cn).
Also updates Dockerfile to install ldap-utils and include the new files.
This should allow for any user logging into any container to have git config preset and ready to go. This should work on any template derived from the base image.