harbor: LDAP Search Operations Error

Docker engine 1.11.2 and docker-compose 1.9.0, tried on both 0.4.5 and 0.5.0-rc1 of Harbor.

harbor.cfg

auth_mode = ldap_auth
ldap_url = ldap://example.com:389
ldap_searchdn = CN=powerusr,OU=Admin,DC=example,DC=com
ldap_search_pwd = secret
ldap_basedn = DC=example,DC=com
ldap_filter = (objectClass=person)
ldap_uid = sAMAccountName
ldap_scope = 3

When trying to log in with the user myusr (or any AD user), Harbor throws an error.

log

harbor-ui     | 2016-11-21T19:36:26Z [DEBUG] [authenticator.go:57]: Current AUTH_MODE is ldap_auth
harbor-ui     | 2016-11-21T19:36:26Z [DEBUG] [ldap.go:53]: ldapURL:ldap://example.com:389
harbor-ui     | 2016-11-21T19:36:26Z [DEBUG] [ldap.go:64]: baseDn:DC=example,DC=com
harbor-ui     | 2016-11-21T19:36:26Z [DEBUG] [ldap.go:68]: Search DN: CN=powerusr,OU=Admin,DC=example,DC=com
harbor-ui     | 2016-11-21T19:36:26Z [DEBUG] [ldap.go:84]: one or more filter(&(objectClass=person)(sAMAccountName=myusr))
harbor-ui     | LDAP::Search() error : 1 (Operations error)
harbor-ui     | 2016-11-21T19:36:26Z [ERROR] [base.go:162]: Error occurred in UserLogin: LDAP::Search() error : 1 (Operations error)

As far as I can tell, my config is correct, because I can do an ldapsearch with those same parameters and have it return the correct info.

About this issue

  • State: closed
  • Created 8 years ago
  • Comments: 27 (9 by maintainers)

Most upvoted comments

Sorry I have not had a chance to look at it till today.

I built off the current HEAD of the dev branch and it works just fine! The new library seems to have fixed the issue. Thanks!

Great, thanks a lot… next step we will think about how to support LDAP better~

The issue appears to be with using the base component of the LDAP hierarchy as the base DN and having the scope set to 2 or 3. The operations error is coming from the AD server after the search account successfully binds.

By changing the base DN to a top-level OU (e.g., ou=something,dc=example,dc=com), it works fine. I’m working around it now with this, but it’s not ideal as Harbor will have a different LDAP config than everything else in my environments that query LDAP. Not sure why the behavior difference between the openldap utils (e.g., ldapsearch) and whichever LDAP library Harbor is using.

broken:

Nov 22 21:01:24 dkr01.site01.example.com docker-current/ui[10726]: 2016-11-23T02:01:24Z [DEBUG] [authenticator.go:57]: Current AUTH_MODE is ldap_auth
Nov 22 21:01:24 dkr01.site01.example.com docker-current/ui[10726]: 2016-11-23T02:01:24Z [DEBUG] [ldap.go:53]: ldapURL:ldap://ad01.example.com
Nov 22 21:01:24 dkr01.site01.example.com docker-current/ui[10726]: 2016-11-23T02:01:24Z [DEBUG] [ldap.go:64]: baseDn:dc=example,dc=com
Nov 22 21:01:24 dkr01.site01.example.com docker-current/ui[10726]: 2016-11-23T02:01:24Z [DEBUG] [ldap.go:68]: Search DN: cn=site01-harbor-bind,ou=service-accounts,ou=site01,ou=sites,dc=example,dc=com
Nov 22 21:01:24 dkr01.site01.example.com docker-current/ui[10726]: 2016-11-23T02:01:24Z [DEBUG] [ldap.go:84]: one or more filter(&(objectClass=person)(sAMAccountName=aparsons))
Nov 22 21:01:24 dkr01.site01.example.com docker-current/ui[10726]: LDAP::Search() error : 1 (Operations error)
Nov 22 21:01:24 dkr01.site01.example.com docker-current/ui[10726]: 2016-11-23T02:01:24Z [ERROR] [base.go:162]: Error occurred in UserLogin: LDAP::Search() error : 1 (Operations error)

working (note the difference in base DN):

Nov 22 21:05:55 dkr01.site01.example.com docker-current/ui[10726]: 2016-11-23T02:05:55Z [DEBUG] [authenticator.go:57]: Current AUTH_MODE is ldap_auth
Nov 22 21:05:55 dkr01.site01.example.com docker-current/ui[10726]: 2016-11-23T02:05:55Z [DEBUG] [ldap.go:53]: ldapURL:ldap://ad01.example.com
Nov 22 21:05:55 dkr01.site01.example.com docker-current/ui[10726]: 2016-11-23T02:05:55Z [DEBUG] [ldap.go:64]: baseDn:ou=people,dc=example,dc=com
Nov 22 21:05:55 dkr01.site01.example.com docker-current/ui[10726]: 2016-11-23T02:05:55Z [DEBUG] [ldap.go:68]: Search DN: cn=site01-harbor-bind,ou=service-accounts,ou=site01,ou=sites,dc=example,dc=com
Nov 22 21:05:55 dkr01.site01.example.com docker-current/ui[10726]: 2016-11-23T02:05:55Z [DEBUG] [ldap.go:84]: one or more filter(&(objectClass=person)(sAMAccountName=aparsons))
Nov 22 21:05:55 dkr01.site01.example.com docker-current/ui[10726]: 2016-11-23T02:05:55Z [DEBUG] [ldap.go:109]: found entry:{<nil> <nil> 0 <nil> CN=Aron Parsons,OU=people,dc=example,dc=com [{cn [Aron Parsons]} {mail [aparsons@example.com]}]}
Nov 22 21:05:55 dkr01.site01.example.com docker-current/ui[10726]: 2016-11-23T02:05:55Z [DEBUG] [ldap.go:132]: username:aparsons,email:aparsons@example.com
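An added example (not Harbor's own code) that parses the harbor.cfg block from the report, rebuilds the login filter Harbor logs at ldap.go:84 with RFC 4515 escaping of the username, and flags the root-base-DN-plus-subtree-scope combination this comment identified. The sample config is constructed, and the scope numbering (1=base, 2=onelevel, 3=subtree) is taken from the comments in harbor.cfg.

```python
# Constructed harbor.cfg fragment mirroring the issue report (not a real deployment).
SAMPLE_CFG = """
auth_mode = ldap_auth
ldap_url = ldap://example.com:389
ldap_searchdn = CN=powerusr,OU=Admin,DC=example,DC=com
ldap_search_pwd = secret
ldap_basedn = DC=example,DC=com
ldap_filter = (objectClass=person)
ldap_uid = sAMAccountName
ldap_scope = 3
"""
# RFC 4515 escapes for the only characters that are special inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def parse_cfg(text):
    """Parse 'key = value' lines of harbor.cfg into a dict; blanks and # comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def escape_filter_value(value):
    """Escape a caller-supplied value (the login name) before it is placed in a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter(cfg, username):
    """Rebuild the filter Harbor logs at ldap.go:84: (&<ldap_filter>(<ldap_uid>=<user>))."""
    return "(&%s(%s=%s))" % (cfg["ldap_filter"], cfg["ldap_uid"], escape_filter_value(username))


def is_domain_root(dn):
    """True when every RDN is a DC component, i.e. the DN is the naming-context root."""
    rdns = [r.strip() for r in dn.split(",") if r.strip()]
    return bool(rdns) and all(r.lower().startswith("dc=") for r in rdns)


def check_ldap_cfg(cfg):
    """Findings: the broken combination from this thread (scope 1=base, 2=onelevel, 3=subtree) plus transport."""
    findings = []
    if is_domain_root(cfg.get("ldap_basedn", "")) and cfg.get("ldap_scope") in ("2", "3"):
        findings.append("base DN is the domain root with scope %s; the workaround in this thread "
                        "is a top-level OU such as ou=people,dc=example,dc=com" % cfg["ldap_scope"])
    if cfg.get("ldap_url", "").lower().startswith("ldap://"):
        findings.append("ldap_url is plaintext ldap://, so the ldap_search_pwd bind crosses the wire unencrypted")
    return findings
```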