
LDAP users cannot login to harbor site, TLS confidentiality required

Status: Open. CorrieVS opened this issue 2 years ago (1 comment)

I've been trying to set up my Harbor site for some time, but have not been able to log in LDAP users to the Harbor site. Interestingly, I can log in with an LDAP user to the Docker registry via a bash shell session with docker login mydomain.com:port#

My LDAP server uses STARTTLS and requires a self-signed certificate. I put a copy of the LDAP certificate in harbor/common/config/shared/trust-certificates/. When configuring Harbor in the Web UI, I can test my LDAP server and get "Connection to LDAP Server is Verified", and this works with "LDAP Verify Certificate" selected.

However, when I try to log in to the website with an LDAP user, the site reports it cannot find the user. When I take a look at the core.log file, I see:

[ERROR] [/core/controllers/base.go:101]: Error occurred in UserLogin: can not bind search dn, error: LDAP Result Code 13 "Confidentiality Required": TLS confidentiality required

Has anyone come across this issue before? Is there any problem with using STARTTLS with Harbor?

I can provide more details with some guidance on what info is needed...

CorrieVS, Feb 15 '24 22:02

Just to add to this, usually when you query an LDAP server that uses STARTTLS, you need to use the "-Z" parameter. STARTTLS does not require LDAPS. So, I'm wondering if Harbor is not building the request with "-Z"?

CorrieVS, Feb 20 '24 17:02

OK, I've worked through this issue. Currently Harbor does not support using STARTTLS - it does not make the API call when initializing the connection to the LDAP server. Someone could possibly add this functionality, if they were so inclined, by issuing a StartTLS extended operation call in "src/pkg/ldap/ldap.go". This should happen after the initial bind, but before accessing the database. I believe the relevant commands are akin to

import ssl
from ldap3 import Server, Connection, Tls

# Require certificate validation on the upgraded connection; the Tls object is attached to the Server
tls_configuration = Tls(validate=ssl.CERT_REQUIRED, version=ssl.PROTOCOL_TLSv1_2)
server = Server("ldap.example.com", port=389, tls=tls_configuration)  # placeholder host, plain LDAP port
conn = Connection(server, user="cn=admin,dc=example,dc=com", password="<bind-password>")  # placeholder DN/password
conn.open()
conn.start_tls()  # sends the StartTLS extended operation; ldap3 takes the Tls settings from the Server object
conn.bind()

In my case, it was easier just to update my Linux LDAP server. I use OpenLDAP, so for me this was simply adding the LDAPS service to a config and restarting the slapd service:

Edit /etc/default/slapd by adding ldaps:/// in the list of SLAPD_SERVICES

SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"

Restart slapd

sudo systemctl restart slapd

Test the connection with

ldapwhoami -x -H ldaps://<server_address>

The command above should return "anonymous".

CorrieVS, Feb 29 '24 00:02
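The thread above reports LDAP result code 13 ("Confidentiality Required") when a plain bind reaches a server that insists on STARTTLS, and notes that the client would have to issue the StartTLS extended operation (RFC 4511 section 4.14, OID 1.3.6.1.4.1.1466.20037). The following is an added example, not code from the issue, from Harbor or from ldap3: it encodes the StartTLS ExtendedRequest byte-for-byte as it appears on the wire, and decodes the BindResponse/ExtendedResponse framing so a reader can recognise result code 13 in a capture. The server replies (a refused bind and a successful StartTLS response) are constructed here with the same encoder, so everything runs offline; message IDs, the diagnostic text and the helper names are assumptions.

```python
"""Encode an LDAP StartTLS ExtendedRequest and decode LDAP result messages (RFC 4511 BER framing).

Added example; it does not talk to a server. Sample replies below are constructed locally.
"""

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # RFC 4511 section 4.14.1
RESULT_SUCCESS = 0
RESULT_CONFIDENTIALITY_REQUIRED = 13       # the code seen in the core.log line above

# BER tags used below (universal class unless noted)
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_ENUMERATED = 0x0A
TAG_OCTET_STRING = 0x04
TAG_BIND_RESPONSE = 0x61        # [APPLICATION 1]
TAG_EXTENDED_REQUEST = 0x77     # [APPLICATION 23]
TAG_EXTENDED_RESPONSE = 0x78    # [APPLICATION 24]
TAG_REQUEST_NAME = 0x80         # [0] requestName inside ExtendedRequest


def _ber_length(n: int) -> bytes:
    """Definite-form BER length: short form under 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(body)) + body


def _ber_int(value: int) -> bytes:
    """Minimal two's-complement encoding (non-negative values only, which is all LDAP needs here)."""
    n = max(1, (value.bit_length() + 8) // 8)
    return value.to_bytes(n, "big", signed=True)


def build_starttls_request(message_id: int) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS OID } } with no requestValue."""
    op = _tlv(TAG_EXTENDED_REQUEST, _tlv(TAG_REQUEST_NAME, STARTTLS_OID.encode("ascii")))
    return _tlv(TAG_SEQUENCE, _tlv(TAG_INTEGER, _ber_int(message_id)) + op)


def build_ldap_result(message_id: int, op_tag: int, result_code: int, diagnostic: str = "") -> bytes:
    """Constructed server reply: LDAPResult { resultCode, matchedDN = "", diagnosticMessage } under op_tag."""
    body = (_tlv(TAG_ENUMERATED, _ber_int(result_code))
            + _tlv(TAG_OCTET_STRING, b"")
            + _tlv(TAG_OCTET_STRING, diagnostic.encode("utf-8")))
    return _tlv(TAG_SEQUENCE, _tlv(TAG_INTEGER, _ber_int(message_id)) + _tlv(op_tag, body))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_ldap_result(msg: bytes) -> dict:
    """Decode a BindResponse or ExtendedResponse down to its LDAPResult fields."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(body, 0)
    op_tag, op, _ = _read_tlv(body, pos)
    if op_tag not in (TAG_BIND_RESPONSE, TAG_EXTENDED_RESPONSE):
        raise ValueError("unsupported protocolOp tag 0x%02x" % op_tag)
    _, code, pos = _read_tlv(op, 0)         # resultCode ENUMERATED
    _, matched, pos = _read_tlv(op, pos)    # matchedDN
    _, diag, _ = _read_tlv(op, pos)         # diagnosticMessage
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "op_tag": op_tag,
        "result_code": int.from_bytes(code, "big", signed=True),
        "matched_dn": matched.decode("utf-8"),
        "diagnostic": diag.decode("utf-8"),
    }


def must_start_tls(result: dict) -> bool:
    """True when the server refused the operation because the session is not yet protected."""
    return result["result_code"] == RESULT_CONFIDENTIALITY_REQUIRED


# Constructed samples: a bind refused on a plaintext session, and a successful StartTLS response.
SAMPLE_BIND_REFUSED = build_ldap_result(2, TAG_BIND_RESPONSE, RESULT_CONFIDENTIALITY_REQUIRED,
                                        "TLS confidentiality required")
SAMPLE_STARTTLS_OK = build_ldap_result(1, TAG_EXTENDED_RESPONSE, RESULT_SUCCESS)

if __name__ == "__main__":
    print("StartTLS request (hex):", build_starttls_request(1).hex())
    refused = parse_ldap_result(SAMPLE_BIND_REFUSED)
    print("plain bind ->", refused, "| needs StartTLS first:", must_start_tls(refused))
    print("StartTLS reply ->", parse_ldap_result(SAMPLE_STARTTLS_OK))
```

The encoded request is the 31-byte message a packet capture shows for any StartTLS client; once the ExtendedResponse comes back with resultCode 0 the client wraps the same socket in TLS (validating the server certificate against the trusted CA) and only then sends the bind, which is the ordering RFC 4511 requires and the reason a bind sent on the plaintext session is answered with code 13.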