Supporting LDAP group attribute member attribute instead of user attribute memberof for authentication
Dear developers,
In our company we use OpenLDAP without the memberof user attribute because it is not supported.
LDAP by default (see RFC https://datatracker.ietf.org/doc/html/rfc4519#section-2.17) defines only a member attribute on groups and not a memberof attribute on users.
As we have no control over the company's LDAP configuration but need to authorize by LDAP groups in harbor, it's important for us that the member group attribute gets supported in harbor. Memberof overlays are no option for us.
I have seen that there is an MR for this feature, but it has not been approved or enhanced.
We would like to have this feature, as it is crucial for us to use the harbor registry in an enterprise environment.
Best, Oliver
Sources:
- https://stackoverflow.com/questions/22003134/is-there-an-ldap-standard-group-membership-attribute-for-users
- https://github.com/goharbor/harbor/issues/9328
- https://github.com/goharbor/harbor/pull/13501
- https://datatracker.ietf.org/doc/html/rfc4519#section-2.17
Hi,
we are also facing this issue. I tried to summarize this a bit, since there are some issues / PRs already open.
As mentioned, the issue occurs when the LDAP objects look like the following, per RFC:
Group (contains two members):
```ldif
dn: cn=projekt-power-dev,ou=groups,dc=example,dc=com
cn: projekt-power-dev
description:: UHJvamVrdCBEZXZlbG9wZXIgZsO8ciBkYXMgUHJvamVrdCBLw7xobHVuZw==
member: cn=Larry,ou=users,dc=example,dc=com
member: cn=Lenny,ou=users,dc=example,dc=com
objectclass: groupOfNames
objectclass: top
owner: cn=admin,dc=example,dc=com
```
User (no memberof overlay, so no reference to the groups from there):
```ldif
dn: cn=Lenny,ou=users,dc=example,dc=com
cn: Lenny
displayname: Lenford Leonard
mail: [email protected]
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: top
sn: Lenny
userpassword: {MD5}xyz==
```
As far as I understand, the harbor-core LDAP integration seems to only look at the user in order to query the groups (memberof). There is no mechanism that queries the group to check if a user is a member.
https://github.com/goharbor/harbor/blob/main/src/pkg/ldap/ldap.go#L174
I found an issue from 2019, which seems to be stale: https://github.com/goharbor/harbor/issues/9328
There is also a PR that addresses the issue, but since it did not cover all cases it was not merged: https://github.com/goharbor/harbor/pull/13501
Other related issues / PRs I found:
- https://github.com/goharbor/harbor/issues/13780
- https://github.com/goharbor/harbor/pull/13851
As far as I understand, we would need an implementation that, if a group is defined in harbor, checks the group to see if the user is a member of it (e.g. check memberof, after that check the group).
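The two-pass lookup proposed above (memberOf on the user first, then the group's member attribute), as an added Go example that is not Harbor's code or anything from this thread. `Entry`, `GroupMembershipFilter` and `GroupsForUser` are names chosen here; the entries are constructed to mirror the LDIF above, and the in-memory match stands in for the LDAP search the filter would be sent with.

```go
package main

import "strings"

// Entry is a minimal in-memory stand-in for an LDAP entry (constructed for this example).
type Entry struct {
	DN    string
	Attrs map[string][]string
}

// Constructed sample entries mirroring the thread's LDIF: group has member values, user has no memberOf.
var (
	lenny = Entry{DN: "cn=Lenny,ou=users,dc=example,dc=com", Attrs: map[string][]string{"cn": {"Lenny"}}}
	devs  = Entry{DN: "cn=projekt-power-dev,ou=groups,dc=example,dc=com", Attrs: map[string][]string{
		"member": {"cn=Larry,ou=users,dc=example,dc=com", "cn=Lenny,ou=users,dc=example,dc=com"}}}
)

// filterEscaper applies RFC 4515 escaping so a DN containing ( ) * or \
// cannot change the structure of the search filter it is embedded in.
var filterEscaper = strings.NewReplacer(`\`, `\5c`, "*", `\2a`, "(", `\28`, ")", `\29`, "\x00", `\00`)

// GroupMembershipFilter is the group-side query: groupOfNames entries whose memberAttr holds the user DN.
func GroupMembershipFilter(userDN, memberAttr string) string {
	return "(&(objectClass=groupOfNames)(" + memberAttr + "=" + filterEscaper.Replace(userDN) + "))"
}

// hasValue compares DN values case-insensitively (a simplification of the server's DN matching rule).
func hasValue(e Entry, attr, want string) bool {
	for _, v := range e.Attrs[attr] {
		if strings.EqualFold(v, want) {
			return true
		}
	}
	return false
}

// GroupsForUser resolves membership in two passes, as proposed above: the user's
// own memberOf values first, then a group-side match on memberAttr, without duplicates.
func GroupsForUser(user Entry, groups []Entry, memberAttr string) []string {
	out, seen := []string{}, map[string]bool{}
	for _, dn := range user.Attrs["memberOf"] {
		out, seen[strings.ToLower(dn)] = append(out, dn), true
	}
	for _, g := range groups {
		if hasValue(g, memberAttr, user.DN) && !seen[strings.ToLower(g.DN)] {
			out = append(out, g.DN)
		}
	}
	return out
}
```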
This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.
+1 to adding the ability to use a member attribute of the group for when the user's object does not have any sort of membership attribute.