[LDAP] harbor fails to resolve existing group #21127

Open
Jean-Daniel opened this issue Nov 4, 2024 · 7 comments
@Jean-Daniel

Expected behavior and actual behavior:

LDAP groups are not found because the query built by Harbor is invalid.

This is the debug log:

2024-10-01T21:11:58Z [DEBUG] [/pkg/ldap/ldap.go:347]: Groupname: , groupDN: cn=developers,ou=Groups,dc=example,dc=com
2024-10-01T21:11:59Z [DEBUG] [/pkg/ldap/ldap.go:259]: Search ldap with filter:(&(objectclass=groupOfNames)(cn=*))

For whatever reason, Harbor builds every group-resolving query with cn=* instead of keeping the real group DN, so the query returns 0 entries.

The LDAP record in OpenLDAP looks like this:

dn: cn=developers,ou=Groups,dc=example,dc=com
structuralObjectClass: groupOfNames
entryUUID: e426aa3a-acd2-1036-8978-df31319679d5
creatorsName: cn=admin,dc=example,dc=com
cn: developers
objectClass: groupOfNames

Versions:
Please specify the versions of the following systems.

  • harbor version: 2.11
@stonezdj
Contributor

stonezdj commented Nov 5, 2024

The filter (&(objectclass=groupOfNames)(cn=*)) should match this DN cn=developers,ou=Groups,dc=example,dc=com, can you please provide more detail log and error information?

@stonezdj stonezdj self-assigned this Nov 5, 2024
@paulschmeida

I am facing the same issue with Active Directory; I've tried so many different settings, but Harbor just won't get the groups from LDAP.
I don't think the LDAP filter is the problem here: the filter is syntactically correct, albeit redundant. I think the problem is the lack of a group name in the resulting LDAP query.

2024-11-05T09:41:19Z [DEBUG] [/pkg/ldap/ldap.go:240]: Membership attribute: MemberOf
2024-11-05T09:41:19Z [DEBUG] [/pkg/ldap/ldap.go:259]: Search ldap with filter:(&(&(ObjectClass=user)(memberOf=CN=RDS_Staff,OU=Delegated Admin,OU=GROUPS,OU=SUHT,DC=SUHTAD,DC=SUHT,DC=SWEST,DC=NHS,DC=UK))(CN=szmajp))
2024-11-05T09:41:19Z [DEBUG] [/pkg/ldap/ldap.go:274]: Found entries:1
2024-11-05T09:41:19Z [DEBUG] [/pkg/ldap/ldap.go:162]: Current ldap entry attr name: cn
2024-11-05T09:41:19Z [DEBUG] [/pkg/ldap/ldap.go:162]: Current ldap entry attr name: memberOf
2024-11-05T09:41:19Z [DEBUG] [/pkg/ldap/ldap.go:177]: Found memberof CN=App_OpenMetadata,OU=Delegated Admin,OU=GROUPS,OU=SUHT,DC=SUHTAD,DC=SUHT,DC=SWEST,DC=NHS,DC=UK
2024-11-05T09:41:19Z [DEBUG] [/pkg/ldap/ldap.go:177]: Found memberof CN=RDS_Staff,OU=Delegated Admin,OU=GROUPS,OU=SUHT,DC=SUHTAD,DC=SUHT,DC=SWEST,DC=NHS,DC=UK
2024-11-05T09:41:19Z [DEBUG] [/pkg/ldap/ldap.go:177]: Found memberof CN=RDS,OU=Delegated Admin,OU=GROUPS,OU=SUHT,DC=SUHTAD,DC=SUHT,DC=SWEST,DC=NHS,DC=UK
2024-11-05T09:41:19Z [DEBUG] [/pkg/ldap/ldap.go:177]: Found memberof CN=RDS_Managers,OU=GROUPS,OU=SUHT,DC=SUHTAD,DC=SUHT,DC=SWEST,DC=NHS,DC=UK
2024-11-05T09:41:19Z [DEBUG] [/pkg/ldap/ldap.go:162]: Current ldap entry attr name: mail
2024-11-05T09:41:19Z [DEBUG] [/core/auth/ldap/ldap.go:79]: Found ldap user: szmajp
2024-11-05T09:41:19Z [DEBUG] [/pkg/ldap/ldap.go:347]: Groupname: , groupDN: CN=App_OpenMetadata,OU=Delegated Admin,OU=GROUPS,OU=SUHT,DC=SUHTAD,DC=SUHT,DC=SWEST,DC=NHS,DC=UK
2024-11-05T09:41:19Z [DEBUG] [/pkg/ldap/ldap.go:259]: Search ldap with filter:(&(&(objectClass=group)(|(CN=RDS_Managers)(CN=RDS_Staff)))(CN=*))
2024-11-05T09:41:19Z [DEBUG] [/pkg/ldap/ldap.go:274]: Found entries:0
2024-11-05T09:41:19Z [WARNING] [/core/auth/ldap/ldap.go:127]: Can not get the ldap group name with DN CN=App_OpenMetadata,OU=Delegated Admin,OU=GROUPS,OU=SUHT,DC=SUHTAD,DC=SUHT,DC=SWEST,DC=NHS,DC=UK
2024-11-05T09:41:19Z [DEBUG] [/pkg/ldap/ldap.go:347]: Groupname: , groupDN: CN=RDS_Staff,OU=Delegated Admin,OU=GROUPS,OU=SUHT,DC=SUHTAD,DC=SUHT,DC=SWEST,DC=NHS,DC=UK
2024-11-05T09:41:19Z [DEBUG] [/pkg/ldap/ldap.go:259]: Search ldap with filter:(&(&(objectClass=group)(|(CN=RDS_Managers)(CN=RDS_Staff)))(CN=*))
2024-11-05T09:41:19Z [DEBUG] [/pkg/ldap/ldap.go:274]: Found entries:0
2024-11-05T09:41:19Z [WARNING] [/core/auth/ldap/ldap.go:127]: Can not get the ldap group name with DN CN=RDS_Staff,OU=Delegated Admin,OU=GROUPS,OU=SUHT,DC=SUHTAD,DC=SUHT,DC=SWEST,DC=NHS,DC=UK
2024-11-05T09:41:19Z [DEBUG] [/pkg/ldap/ldap.go:347]: Groupname: , groupDN: CN=RDS,OU=Delegated Admin,OU=GROUPS,OU=SUHT,DC=SUHTAD,DC=SUHT,DC=SWEST,DC=NHS,DC=UK
2024-11-05T09:41:19Z [DEBUG] [/pkg/ldap/ldap.go:259]: Search ldap with filter:(&(&(objectClass=group)(|(CN=RDS_Managers)(CN=RDS_Staff)))(CN=*))
2024-11-05T09:41:19Z [DEBUG] [/pkg/ldap/ldap.go:274]: Found entries:0
2024-11-05T09:41:19Z [WARNING] [/core/auth/ldap/ldap.go:127]: Can not get the ldap group name with DN CN=RDS,OU=Delegated Admin,OU=GROUPS,OU=SUHT,DC=SUHTAD,DC=SUHT,DC=SWEST,DC=NHS,DC=UK
2024-11-05T09:41:19Z [DEBUG] [/pkg/ldap/ldap.go:347]: Groupname: , groupDN: CN=RDS_Managers,OU=GROUPS,OU=SUHT,DC=SUHTAD,DC=SUHT,DC=SWEST,DC=NHS,DC=UK
2024-11-05T09:41:19Z [DEBUG] [/pkg/ldap/ldap.go:259]: Search ldap with filter:(&(&(objectClass=group)(|(CN=RDS_Managers)(CN=RDS_Staff)))(CN=*))
2024-11-05T09:41:19Z [DEBUG] [/pkg/ldap/ldap.go:274]: Found entries:0
2024-11-05T09:41:19Z [WARNING] [/core/auth/ldap/ldap.go:127]: Can not get the ldap group name with DN CN=RDS_Managers,OU=GROUPS,OU=SUHT,DC=SUHTAD,DC=SUHT,DC=SWEST,DC=NHS,DC=UK
2024-11-05T09:41:19Z [DEBUG] [/pkg/ldap/ldap.go:347]: Groupname: , groupDN: CN=ESRDept-SETT Centre,OU=GROUPS,OU=SUHT,DC=SUHTAD,DC=SUHT,DC=SWEST,DC=NHS,DC=UK
2024-11-05T09:41:19Z [DEBUG] [/pkg/ldap/ldap.go:259]: Search ldap with filter:(&(&(objectClass=group)(|(CN=RDS_Managers)(CN=RDS_Staff)))(CN=*))
2024-11-05T09:41:19Z [DEBUG] [/pkg/ldap/ldap.go:274]: Found entries:0

I think what's happening is that Harbor gets the group DNs from the memberOf property of the user and then tries to search for each group using its DN, but it doesn't work because the group name is not populated, maybe?

I did try it with no filter and with only filtering for groups, to no avail. The filter is correct and works in other software. The issue seems to be with the LDAP query not working correctly for groups.

@Jean-Daniel
Author

I don't have much more information about it.

When trying to add a new Group, I have the following error:

[DEBUG] [/pkg/permission/evaluator/admin/admin.go:35]: system administrator jddupas require create action for resource /system/user-group
[DEBUG] [/pkg/ldap/ldap.go:347]: Groupname: , groupDN: cn=developers,ou=Groups,dc=example,dc=com
[DEBUG] [/pkg/ldap/ldap.go:259]: Search ldap with filter:(&(objectClass=groupOfNames)(cn=*))
[DEBUG] [/pkg/ldap/ldap.go:274]: Found entries:0
[DEBUG] [/lib/http/error.go:62]: {"errors":[{"code":"BAD_REQUEST","message":"LDAP Group DN is not found: DN:cn=developers,ou=Groups,dc=example,dc=com"}]}

LDAP group configuration:

LDAP Group Base DN : ou=Groups,dc=example,dc=com
LDAP Group Filter : objectClass=groupOfNames
LDAP Group GID : cn
LDAP Group Admin DN : 
LDAP Group Membership : memberof
LDAP Group Search Scope : Subtree

I tried with and without a Group Filter.
I tried with all possible values for Search Scope, just in case.
When performing the same request with ldapsearch, I can fetch the groups.

My LDAP does not support anonymous search, so I have configured a Search DN, which is working since user auth works.
Only the group lookup fails to resolve groups.

@Jean-Daniel
Author

Jean-Daniel commented Nov 6, 2024

I have logs from the LDAP side. It looks like this is a scope issue.

Harbor erroneously uses the LDAP Scope configuration instead of the LDAP Group Search Scope configuration when performing the group lookup.

In my case, the User Scope was set to one level, causing the group lookup to send this query:

conn=1001 op=1 SRCH base="cn=developers,ou=Groups,dc=example,dc=com" scope=1 deref=0 filter="(cn=*)"

Changing the LDAP Scope to Base makes it work for groups, but breaks the user lookup.
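The scope mismatch described in the comment above, as an added example that is not Harbor's code: a small in-memory model of LDAP search scopes in Go. A lookup rooted at the group DN itself (the shape visible in the server log, `base="cn=developers,..." scope=1 filter="(cn=*)"`) finds the entry with base scope (0) and subtree scope (2), but returns zero entries with oneLevel scope (1), because oneLevel visits only the children of the base, never the base entry. The sample directory, the `ResolveGroupDN` helper and the DN normalisation rules (caseIgnore matching everywhere, no escaped commas) are constructed assumptions for this illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Search scopes as numbered on the wire (RFC 4511) and in OpenLDAP's access log.
type Scope int

const (
	ScopeBase     Scope = 0 // only the base entry itself
	ScopeOneLevel Scope = 1 // only the immediate children of the base
	ScopeSubtree  Scope = 2 // the base entry and everything below it
)

// Entry is a directory entry: a DN plus attributes (attribute names lower-cased).
type Entry struct {
	DN    string
	Attrs map[string][]string
}

// splitDN breaks a DN into RDN components, leaf first, normalised for comparison.
// Assumption: caseIgnore matching for every attribute and no escaped commas.
func splitDN(dn string) []string {
	parts := strings.Split(dn, ",")
	for i, p := range parts {
		parts[i] = strings.ToLower(strings.TrimSpace(p))
	}
	return parts
}

// inScope reports whether dn is visited by a search rooted at base with the given scope.
func inScope(base, dn string, scope Scope) bool {
	b, d := splitDN(base), splitDN(dn)
	if len(d) < len(b) {
		return false
	}
	offset := len(d) - len(b) // RDNs that dn has below base
	for i := range b {        // dn must end with base (DNs are leaf-first)
		if d[offset+i] != b[i] {
			return false
		}
	}
	switch scope {
	case ScopeBase:
		return offset == 0
	case ScopeOneLevel:
		return offset == 1
	default:
		return true
	}
}

// Filter is a predicate over an entry; Equals and Present cover the two
// filter forms seen in the issue's logs, And combines them.
type Filter func(Entry) bool

func Equals(attr, value string) Filter {
	return func(e Entry) bool {
		for _, v := range e.Attrs[strings.ToLower(attr)] {
			if strings.EqualFold(v, value) {
				return true
			}
		}
		return false
	}
}

func Present(attr string) Filter {
	return func(e Entry) bool { return len(e.Attrs[strings.ToLower(attr)]) > 0 }
}

func And(fs ...Filter) Filter {
	return func(e Entry) bool {
		for _, f := range fs {
			if !f(e) {
				return false
			}
		}
		return true
	}
}

// Search returns the entries under base (per scope) that satisfy filter.
func Search(dir []Entry, base string, scope Scope, filter Filter) []Entry {
	var out []Entry
	for _, e := range dir {
		if inScope(base, e.DN, scope) && filter(e) {
			out = append(out, e)
		}
	}
	return out
}

// Constructed sample directory mirroring the layout quoted in the issue.
var sampleDir = []Entry{
	{DN: "ou=Groups,dc=example,dc=com", Attrs: map[string][]string{"ou": {"Groups"}, "objectclass": {"organizationalUnit"}}},
	{DN: "cn=developers,ou=Groups,dc=example,dc=com", Attrs: map[string][]string{"cn": {"developers"}, "objectclass": {"groupOfNames"}}},
	{DN: "cn=admins,ou=Groups,dc=example,dc=com", Attrs: map[string][]string{"cn": {"admins"}, "objectclass": {"groupOfNames"}}},
}

// ResolveGroupDN (hypothetical helper) reproduces the lookup shape from the logs:
// base = the group DN, filter = (&(objectClass=groupOfNames)(cn=*)). It returns
// how many entries the server would hand back for the chosen scope.
func ResolveGroupDN(dir []Entry, groupDN string, scope Scope) int {
	return len(Search(dir, groupDN, scope, And(Equals("objectClass", "groupOfNames"), Present("cn"))))
}

func main() {
	groupDN := "cn=developers,ou=Groups,dc=example,dc=com"
	for _, s := range []Scope{ScopeBase, ScopeOneLevel, ScopeSubtree} {
		fmt.Printf("scope=%d -> %d entries\n", s, ResolveGroupDN(sampleDir, groupDN, s)) // 1, 0, 1
	}
}
```

The practical check this gives a defender: when a group resolution logs "Found entries:0" although ldapsearch finds the entry, compare the scope the server recorded against the entry's position relative to the search base. A base DN equal to the target entry requires base scope; a oneLevel scope there can only ever return children, so the user-scope setting leaking into the group lookup explains the empty result without any filter being wrong.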

@paulschmeida

paulschmeida commented Nov 6, 2024 via email

@Jean-Daniel
Author

Jean-Daniel commented Nov 6, 2024

The warning log has already been updated to debug level instead in a recent commit ( #21034 ), and should disappear in the next release.

@Thesuperkingofsnakes22

Greetings.
