
harbor warns about not getting groups excluded by ldap group base dn

Open opticabjohannsen opened this issue 1 year ago • 7 comments

Harbor version 2.9.2

We have a setup where our OpenLDAP server provides configurations for multiple services (Bitbucket, Jenkins, etc.). Further, our groups are split into stages (dev, integration, prod). Within those groups we have duplicate group names (e.g. jenkins_user).

cn=bitbucket_user,ou=bitbucket,ou=ops,ou=groups,dc=company,dc=local
cn=bitbucket_admin,ou=bitbucket,ou=ops,ou=groups,dc=company,dc=local

Not all our users should have all groups. I now have the problem that I created 2 new groups for our Harbor users:

cn=harbor_user,ou=harbor,ou=ops,ou=groups,dc=company,dc=local
cn=harbor_admin,ou=harbor,ou=ops,ou=groups,dc=company,dc=local

So I set the LDAP Group Base DN value to ou=harbor,ou=ops,ou=groups,dc=company,dc=local. Everything works as expected. Users can log in and are either user or admin depending on the group. BUT: on every login I get a message for EVERY single group that the user is a member of, which in my user's case are over 70:

[WARNING] [/core/auth/ldap/ldap.go:127]: Can not get the ldap group name with DN cn=bitbucket_user,ou=bitbucket,ou=ops,ou=groups,dc=company,dc=local

[WARNING] [/core/auth/ldap/ldap.go:127]: Can not get the ldap group name with DN cn=bitbucket_admin,ou=bitbucket,ou=ops,ou=groups,dc=company,dc=local

Why is it even trying to read this group? The group base DN is distinctly different. I tried multiple versions of using base DN and LDAP Group Filter. The only solution I found was to allow all LDAP groups below ou=groups,dc=company,dc=local, which then results in duplicate name warnings on every single login. As said, it doesn't break anything. It's just annoying spam about information that I don't need.

Is there a way to:

  • suppress this warning
  • configure something to resolve the WARNING

Below is a screenshot of my (working) LDAP config:

Screenshot_20240226_150740

opticabjohannsen avatar Feb 26 '24 13:02 opticabjohannsen
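A log-triage sketch for the warning quoted in the post above, added here as an example; it is not part of the issue thread and not Harbor's code. It pulls the DN out of each `Can not get the ldap group name with DN` line and separates DNs outside the configured LDAP Group Base DN from DNs inside it, comparing whole RDNs so that an escaped comma cannot fake a match. The function names and the third sample line are constructed, and treating warnings for DNs inside the base DN as the ones to investigate is an assumption.

```python
import re
from collections import Counter

# Warning text as quoted in the issue; the DN runs to the end of the line.
WARN_RE = re.compile(r"Can not get the ldap group name with DN (?P<dn>\S.*?)\s*$")

def split_dn(dn):
    """Split a DN into normalized RDNs on unescaped commas (RFC 4514 escapes)."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]          # keep an escaped pair such as "\," intact
            i += 2
            continue
        if dn[i] == ",":
            rdns.append(cur)
            cur = ""
        else:
            cur += dn[i]
        i += 1
    rdns.append(cur)
    # Simplification: compare attribute type and value case-insensitively.
    return [tuple(p.strip().lower() for p in r.partition("=")[::2]) for r in rdns]

def is_under(dn, base_dn):
    """True if dn equals base_dn or sits below it in the tree."""
    d, b = split_dn(dn), split_dn(base_dn)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def triage(log_lines, group_base_dn):
    """Count warned DNs outside the group base DN and inside it."""
    outside, inside = Counter(), Counter()
    for line in log_lines:
        m = WARN_RE.search(line)
        if m:
            dn = m.group("dn")
            (inside if is_under(dn, group_base_dn) else outside)[dn] += 1
    return outside, inside

GROUP_BASE_DN = "ou=harbor,ou=ops,ou=groups,dc=company,dc=local"  # from the issue
SAMPLE_LOG = [  # first two lines are from the issue, the third is constructed
    "[WARNING] [/core/auth/ldap/ldap.go:127]: Can not get the ldap group name with DN cn=bitbucket_user,ou=bitbucket,ou=ops,ou=groups,dc=company,dc=local",
    "[WARNING] [/core/auth/ldap/ldap.go:127]: Can not get the ldap group name with DN cn=bitbucket_admin,ou=bitbucket,ou=ops,ou=groups,dc=company,dc=local",
    "[WARNING] [/core/auth/ldap/ldap.go:127]: Can not get the ldap group name with DN CN=harbor_user, OU=harbor,ou=ops,ou=groups,dc=company,dc=local",
]

if __name__ == "__main__":
    outside, inside = triage(SAMPLE_LOG, GROUP_BASE_DN)
    print("outside base DN:", sum(outside.values()), "| inside:", dict(inside))
```
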

Could you please try this: allow all LDAP groups below ou=groups,dc=company,dc=local and change the LDAP group filter option to filter out the unused groups.

stonezdj avatar Mar 01 '24 09:03 stonezdj

I changed LDAP Group Base DN to ou=groups,dc=company,dc=local and LDAP Group filter to cn=harbor_user. I'm still getting messages for all other groups that it could not read.

opticabjohannsen avatar Mar 01 '24 10:03 opticabjohannsen

Just a bump. The issue still exists (at least on my installation).

opticabjohannsen avatar Apr 16 '24 07:04 opticabjohannsen

I experienced the same behavior with Harbor v2.9.4-a6d707df and FreeIPA.

My LDAP filtering is the following: image

But I have a lot of warnings in the logs (entries are changed for security reasons) when I tried to log in with a user who is part of the cn=harbor_admins,cn=groups,cn=accounts,dc=company,dc=local group:

Can not get the ldap group name with DN cn=devops,cn=groups,cn=accounts,dc=company,dc=local
Can not get the ldap group name with DN cn=project1_admins,cn=groups,cn=accounts,dc=company,dc=local
Can not get the ldap group name with DN cn=project2_users,cn=groups,cn=accounts,dc=company,dc=local

ansromanov avatar Apr 26 '24 07:04 ansromanov

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

github-actions[bot] avatar Jun 25 '24 09:06 github-actions[bot]

As far as I can tell, the issue is still not solved.

opticabjohannsen avatar Jun 26 '24 04:06 opticabjohannsen

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

github-actions[bot] avatar Aug 26 '24 09:08 github-actions[bot]