Change from one external IdP to another (i.e. LDAP to OIDC)
We would like the ability to modify our login method from LDAP to OIDC. It has been attempted but the process is ungainly and painful. It's not really feasible to remove all users, including juggling the ownership of projects/repos, in order to meet the 'no users other than admin' criteria for changing authentication.
Is there any plan to support something like this?
I was about to write a similar request, but found this issue: I would like to change my login type from LDAP to OIDC.
User names provided with OIDC and LDAP are the same. I searched but did not find a guide/how-to for this.
I tried to achieve this with the API, but I am stuck at setting memberships for OIDC users that have not logged in. See also: https://github.com/goharbor/harbor/issues/15556 and https://github.com/goharbor/harbor/issues/16047. Telling 50 users to log in before I can (re)set user roles for projects is at least not practical.
Alternative, database migration: Can I modify the database LDAP user and group entries to OIDC entries and keep the user ID and group ID (so that my project members and roles are still intact)?
Harbor Version: 2.8.3 with External Postgres DB.
We are having trouble with the 'no users other than admin' condition as well. It makes the process way harder than it should be.
Can we please have a statement from Harbor developers here? We're also looking into switching from LDAP to OIDC, would be cool if Harbor had support for such migration.
A workaround is to switch to only group-based memberships:
- Replace all user-based memberships with (OIDC) group-based memberships
- Delete all users and set up OIDC with Group Claim Name etc.
This way, when a user logs in via OIDC for the first time, he gets all permissions via OIDC groups.
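As an added example (not part of the comments above and not Harbor's own code), here is a planning check for the group-based workaround: before replacing user memberships with group memberships, it computes which group grants reproduce the current access without raising anyone's role, and lists users who would lose access and need a narrower IdP group first. The function name, the user-to-group mapping and the sample data are constructed assumptions; the role IDs are those listed in Harbor's API documentation.

```python
from collections import defaultdict

# Harbor project role ids ranked by privilege (higher rank = more access):
# 5 limitedGuest < 3 guest < 2 developer < 4 maintainer < 1 projectAdmin
RANK = {5: 1, 3: 2, 2: 3, 4: 4, 1: 5}

def plan_group_memberships(user_members, user_groups):
    """user_members: [(project, user, role_id)] exported from Harbor (assumed input).
    user_groups: {user: {group, ...}} exported from the IdP (assumed input).
    Returns (grants, shortfalls): grants maps (project, group) -> role_id."""
    current = defaultdict(dict)
    for project, user, role in user_members:
        current[project][user] = role
    group_users = defaultdict(set)
    for user, groups in user_groups.items():
        for group in groups:
            group_users[group].add(user)

    grants, shortfalls = {}, []
    for project, roles in current.items():
        for group, users in group_users.items():
            # A group grant applies to every user in the group, so only use
            # groups whose members all have access today, at their lowest role.
            if users.issubset(roles):
                grants[(project, group)] = min((roles[u] for u in users), key=RANK.get)
        for user, role in roles.items():
            effective = max((RANK[grants[(project, g)]]
                             for g in user_groups.get(user, ())
                             if (project, g) in grants), default=0)
            if effective < RANK[role]:
                # No safe group reproduces this user's role in this project.
                shortfalls.append((project, user, role))
    return grants, sorted(shortfalls)

# Constructed sample data, for illustration only.
MEMBERS = [("web", "alice", 1), ("web", "bob", 2), ("web", "carol", 2),
           ("infra", "alice", 4), ("infra", "bob", 3)]
GROUPS = {"alice": {"web-admins", "devs"}, "bob": {"devs"},
          "carol": {"devs"}, "dave": {"ops"}}

if __name__ == "__main__":
    grants, shortfalls = plan_group_memberships(MEMBERS, GROUPS)
    for (project, group), role in sorted(grants.items()):
        print(f"grant  {project}: group {group} -> role_id {role}")
    for project, user, role in shortfalls:
        print(f"needs a dedicated group  {project}: {user} (role_id {role})")
```

Every entry in the shortfall list is a user whose access would silently disappear after the user accounts are deleted, so resolve those in the IdP before making the switch.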