harbor: OIDC via ldap: failed to create user record user or email already exists

For a while now, we have intermittently had the problem that one user cannot log in via OIDC: failed to create user record: user "The user" or email "user@somewhere" already exists. This happens to a single user, whether automatic onboarding is enabled or not.

The message is actually correct: both the user and the mail are present in the system, for that very user. Checking the tables harbor_user and oidc_user, I don’t see any difference between users that work normally and the one who doesn’t.

Previously, I deleted the user (he didn’t own resources back then), and he onboarded automatically again, but this hotfix won’t work in the future.

Currently on 2.4.1; according to the changelog, 2.4.2 doesn’t promise anything different.

So somehow the user isn’t re-detected. Why? (The LDAP uid never changed.)

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 18 (3 by maintainers)

Most upvoted comments

Please check the following information.

docker exec -it harbor-db bash
psql -U postgres -d registry
-- get the user id of the affected account
select * from harbor_user where username = 'John_Doe';
-- query subiss for that user from oidc_user (replace <user_id> with the id found above)
select * from oidc_user where user_id = <user_id>;

Check the current user’s OIDC auth token and find the subject and issuer; make sure that subject + issuer is identical to the subiss column in the database.
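A small diagnostic for the check described in this comment, added here as an illustration; it is not part of the original thread and not Harbor’s own code. It assumes that oidc_user.subiss is the plain concatenation subject + issuer (as the comment’s wording suggests), and every token, issuer, subject and database row below is constructed sample data. It reads the ID token’s claims without verifying the signature, which is acceptable only because the token comes from your own session and the script is used for comparison, not for authentication.

```python
from __future__ import annotations

import base64
import json

# Constructed sample values; nothing here comes from a real Harbor deployment or IdP.
SAMPLE_ISSUER = "https://idp.example.test/realms/corp"
SAMPLE_SUBJECT = "3f1c9a2e-sample-subject"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_token(claims: dict) -> str:
    """Build a JWS-shaped token with a placeholder signature (constructed test input only)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def token_subiss(id_token: str) -> str:
    """Return subject + issuer from an OIDC ID token.

    Assumption: Harbor stores exactly this concatenation in oidc_user.subiss.
    The signature is deliberately not verified; this is a read-only diagnostic
    over a token taken from your own browser session.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part JWS compact serialization")
    claims = json.loads(_b64url_decode(parts[1]))
    return claims["sub"] + claims["iss"]


def diagnose(id_token: str, oidc_rows: list[tuple[int, str]]) -> str:
    """Compare the token against (user_id, subiss) rows, i.e. the result of
    'select user_id, subiss from oidc_user where user_id = <user_id>;'.

    Returns 'match' when a row carries the token's subject + issuer,
    'mismatch' when rows exist but none does (Harbor cannot map the token to
    the existing account and falls through to creating a new one), and
    'no-oidc-row' when the user has no oidc_user row at all.
    """
    if not oidc_rows:
        return "no-oidc-row"
    expected = token_subiss(id_token)
    for _user_id, subiss in oidc_rows:
        if subiss == expected:
            return "match"
    return "mismatch"


# Constructed token and rows standing in for the real psql output.
SAMPLE_TOKEN = make_sample_token({
    "iss": SAMPLE_ISSUER,
    "sub": SAMPLE_SUBJECT,
    "email": "user@somewhere",
    "preferred_username": "The user",
})
ROW_CURRENT = (42, SAMPLE_SUBJECT + SAMPLE_ISSUER)
ROW_STALE = (42, SAMPLE_SUBJECT + "https://old-idp.example.test/realms/corp")

if __name__ == "__main__":
    for label, rows in (("current row", [ROW_CURRENT]),
                        ("stale issuer", [ROW_STALE]),
                        ("no row", [])):
        print(f"{label}: {diagnose(SAMPLE_TOKEN, rows)}")
```

In practice you would paste the ID token from the browser session and the subiss value returned by the second select; a 'mismatch' result (for example after an issuer URL or realm rename on the IdP side) is exactly the condition the comment asks you to rule out.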