Re: Configuring LDAP Auth retrieves random AD groups to Harbor


daojunz
 

Julia,

 

Could you please open an issue on GitHub?

 

Best regards,

Stone (张道军)

Software Engineer, CNA, VMware R&D

 

-- 

 

 

From: <harbor-users@...> on behalf of "julia.cardoso via Lists.Cncf.Io" <julia.cardoso=saqueepague.com.br@...>
Reply-To: "harbor-users@..." <harbor-users@...>
Date: Wednesday, March 11, 2020 at 8:46 PM
To: "harbor-users@..." <harbor-users@...>
Subject: [harbor-users] Configuring LDAP Auth retrieves random AD groups to Harbor

 

Hello, and thank you all for this amazing message group.

Has anyone had an issue with LDAP retrieving groups that were not supposed to be retrieved?

We are facing an issue after configuring Active Directory to authenticate users in our fresh Harbor installation. The connection works just fine: we created a group for users who need the basic access, and the configuration in Harbor uses an LDAP filter to look for users in this group. This was the only way we could restrict access to only members of the group "harbor_access_whatever". Works just fine.

The problem is that after logging in with said users, Harbor brings in a lot of random groups from AD and sets them as Harbor groups. When I say random groups, I mean "Domain Users", "Whatever_other_tool_we_use_access", etc. I think one connection may be that the user that logs in to Harbor has access in these groups? I am not sure.

Then I thought it was a configuration problem in the group retrieval config, but no matter what I put there it does the same. I tried to:
- Configure just the group I wanted to look at
- Leave it empty
- Put in an LDAP filter to validate whether the groups are members of the Harbor-specific group
- Manually deny reading permission on certain groups for the consulting user for Harbor in Active Directory
- Delete the groups directly in the Postgres database. When the user logs in, the groups come back from the ashes
- A lot of other things I do not remember. It was a lot of trial and error.

I am exhausted, heh. Does anyone have a tip for me?
