RES: [harbor-users] Configuring LDAP Auth retrieves random AD groups to Harbor


Julia Vitória Cardoso
 

Thanks for answering. Just checked the issues and found an open issue with this problem. Added informations there and will keep an eye on it.

 

Thanks again.

 

Julia Cardoso

Segurança de TI julia.cardoso@...

 

Fone: +55 51 3455-1605 /

+55 51 3455-1687

www.saqueepague.com.br

 

 

 

d8c2fa7e-ad4f-43e2-8e5d-8becd65c46ce

De: harbor-users@... <harbor-users@...> Em nome de daojunz via Lists.Cncf.Io
Enviada em: quarta-feira, 11 de março de 2020 10:08
Para: harbor-users@...
Assunto: Re: [harbor-users] Configuring LDAP Auth retrieves random AD groups to Harbor

 

Julia,

 

Could you please open an issue in github?

 

Best regards,

Stone (张道军)

Software Engineer, CNA, VMware R&D

 

-- 

 

 

From: <harbor-users@...> on behalf of "julia.cardoso via Lists.Cncf.Io" <julia.cardoso=saqueepague.com.br@...>
Reply-To: "harbor-users@..." <harbor-users@...>
Date: Wednesday, March 11, 2020 at 8:46 PM
To: "harbor-users@..." <harbor-users@...>
Subject: [harbor-users] Configuring LDAP Auth retrieves random AD groups to Harbor

 

Hello, and thanks you all for this amazing message group. 

Does anyone had an issue of ldap retrieving groups that were not supposed to be retrieved? 

We are facing an issue after configuring active directory to authenticate users in our Harbor fresh installation. The connection works just fine: We created a group to users who need the basic access, then the configuration in Harbor is using a LDAP filter to look after users in this group. This was the only way we could restrinct to only members of the group "harbor_access_whatever". Works just fine. 

The problem is that after logging with said users, harbor brings a lot of random groups from AD and sets them as a Harbor Group. When i say random groups, it means "Domain Users", "Whatever_other_tool_we_use_access", etc. I think one connection may be that the user that logs in harbor has access in this groups? I am not sure. 

Then I thought it was configuration problem of the groups retireving config, but no matter what I put there it does the same. I tried to: 
- Configure just the group i wanted to look at
- Let it empty
- Put an LDAP filter to validate if the groups are member of harbor specific group
- Manually deny reading permission at certain groups for the consulting user for harbor in Active Directory. 
- Deleting the groups direct on Postgres database. When user logs, groups come back from the ashes
- a lot of other things i do not remember. It was a lot of try and error. 

I am exausted, heh. Does anyone has an tip for me?

Aviso: O conteúdo integral deste e-mail, incluindo os anexos, é destinado exclusivamente ao(s) destinatário(s) nomeado(s) e contém informações confidenciais. Você está notificado e ciente que qualquer divulgação, disseminação, distribuição, cópia ou outro uso deste conteúdo é terminantemente proibido sem o prévio consentimento por escrito da Saque e Pague e sujeito a penalidade do art. 153 do Código Penal. Se você recebeu esta comunicação por engano, por favor, notifique imediatamente o remetente por e-mail de resposta.

Join harbor-users@lists.cncf.io to automatically receive all group messages.