
Supporting LDAP group attribute member attribute instead of user attribute memberof for authentication #16918

Open
olifur opened this issue May 27, 2022 · 4 comments
Labels
help wanted The issues that is valid but needs help from community kind/requirement New feature or idea on top of harbor

Comments


olifur commented May 27, 2022

Dear developers,

In our company we use OpenLDAP without the memberof user attribute because it is not supported.

LDAP by default (see RFC https://datatracker.ietf.org/doc/html/rfc4519#section-2.17) defines only a member attribute on groups and not a memberof attribute on users.

As we have no control over the company's LDAP configuration but need to authorize by LDAP groups in harbor, it's important for us that the member group attribute gets supported in harbor. Memberof overlays are not an option for us.

I have seen that there is an MR for this feature, but it has not been approved or enhanced.

We would like to have this feature, as it is crucial for us to use the harbor registry in an enterprise environment.

Best,
Oliver

Sources:

https://stackoverflow.com/questions/22003134/is-there-an-ldap-standard-group-membership-attribute-for-users
#9328
#13501
https://datatracker.ietf.org/doc/html/rfc4519#section-2.17

@stonezdj stonezdj added help wanted The issues that is valid but needs help from community kind/requirement New feature or idea on top of harbor labels May 30, 2022

chrifey commented Jun 7, 2022

Hi,

we are also facing this issue. I tried to summarize this a bit, since there are some issues / PRs already open.

As mentioned, the issue occurs when the LDAP objects look like this, per the RFC:

Group (contains two members):

dn: cn=projekt-power-dev,ou=groups,dc=example,dc=com
cn: projekt-power-dev
description:: UHJvamVrdCBEZXZlbG9wZXIgZsO8ciBkYXMgUHJvamVrdCBLw7xobHVuZw==
member: cn=Larry,ou=users,dc=example,dc=com
member: cn=Lenny,ou=users,dc=example,dc=com
objectclass: groupOfNames
objectclass: top
owner: cn=admin,dc=example,dc=com

User (no memberof overlay, so no reference to the groups from there):

dn: cn=Lenny,ou=users,dc=example,dc=com
cn: Lenny
displayname: Lenford Leonard
mail: Lenny@example.com
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: top
sn: Lenny
userpassword: {MD5}xyz==

As far as I understand, the harbor-core LDAP integration seems to only look at the user in order to query the groups (memberof). There is no mechanism that queries the group to check if a user is a member.

https://github.com/goharbor/harbor/blob/main/src/pkg/ldap/ldap.go#L174

I found an issue from 2019, which seems to be stale: #9328

There is also a PR that addresses the issue, but since it did not cover all cases it was not merged: #13501

Other related issues / PRs I found:

As far as I understand, we would need an implementation that, if a group is defined in harbor, checks the group to see if the user is a member of it (e.g. check memberof, after that check the group).

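The two-step lookup proposed in the comment above (honour memberof when the server provides it, otherwise search groups whose `member` attribute lists the user's DN), as an added example in Go since Harbor is written in Go. This is not Harbor's code and not the code at the linked `ldap.go`; the `Entry`, `ResolveGroups`, `GroupMemberFilter` and `EscapeFilterValue` names are assumptions, and the in-memory entries (built from the group and user shown in the comment) stand in for what an LDAP search would return. The filter builder escapes the DN per RFC 4515 so that a DN containing filter metacharacters cannot widen the group search.

```go
package main

import (
	"fmt"
	"strings"
)

// Entry is a minimal LDAP entry: a DN plus multi-valued attributes.
// Constructed for this example; it stands in for a search result.
type Entry struct {
	DN    string
	Attrs map[string][]string
}

// Values returns an attribute's values; LDAP attribute names are
// case-insensitive, so "memberOf" and "memberof" both match.
func (e Entry) Values(attr string) []string {
	for k, v := range e.Attrs {
		if strings.EqualFold(k, attr) {
			return v
		}
	}
	return nil
}

// normalizeDN folds case and trims whitespace around RDN separators so
// "CN=Lenny, OU=users,..." compares equal to "cn=Lenny,ou=users,...".
func normalizeDN(dn string) string {
	parts := strings.Split(dn, ",")
	for i, p := range parts {
		parts[i] = strings.TrimSpace(p)
	}
	return strings.ToLower(strings.Join(parts, ","))
}

// EscapeFilterValue escapes an assertion value as RFC 4515 requires, so a
// DN (or any string taken from the directory) cannot alter the filter.
func EscapeFilterValue(s string) string {
	var b strings.Builder
	for _, c := range []byte(s) {
		if c == '*' || c == '(' || c == ')' || c == '\\' || c == 0 || c > 0x7f {
			fmt.Fprintf(&b, "\\%02x", c)
		} else {
			b.WriteByte(c)
		}
	}
	return b.String()
}

// GroupMemberFilter builds the group-side search filter: groups of the
// given object class whose groupAttr (e.g. "member") lists the user's DN.
func GroupMemberFilter(groupClass, groupAttr, userDN string) string {
	return fmt.Sprintf("(&(objectClass=%s)(%s=%s))",
		EscapeFilterValue(groupClass), groupAttr, EscapeFilterValue(userDN))
}

// ResolveGroups returns the DNs of the groups the user belongs to. It first
// uses a memberOf attribute if the server supplies one, then falls back to
// the groups' member attribute, which is the only source on a server
// without the memberof overlay. Results are de-duplicated by normalized DN.
func ResolveGroups(user Entry, groups []Entry, groupAttr string) []string {
	seen := map[string]bool{}
	var out []string
	add := func(dn string) {
		if key := normalizeDN(dn); !seen[key] {
			seen[key] = true
			out = append(out, dn)
		}
	}
	for _, g := range user.Values("memberOf") {
		add(g)
	}
	userKey := normalizeDN(user.DN)
	for _, g := range groups {
		for _, m := range g.Values(groupAttr) {
			if normalizeDN(m) == userKey {
				add(g.DN)
				break
			}
		}
	}
	return out
}

// SampleGroups mirrors the groupOfNames entry from the comment (constructed).
func SampleGroups() []Entry {
	return []Entry{{
		DN: "cn=projekt-power-dev,ou=groups,dc=example,dc=com",
		Attrs: map[string][]string{
			"objectClass": {"groupOfNames", "top"},
			"member": {"cn=Larry,ou=users,dc=example,dc=com",
				"cn=Lenny,ou=users,dc=example,dc=com"},
		},
	}}
}

// SampleUser builds a user entry with no memberOf attribute (constructed).
func SampleUser(dn string) Entry {
	return Entry{DN: dn, Attrs: map[string][]string{"objectClass": {"inetOrgPerson"}}}
}

func main() {
	lenny := SampleUser("cn=Lenny,ou=users,dc=example,dc=com")
	fmt.Println(GroupMemberFilter("groupOfNames", "member", lenny.DN))
	fmt.Println(ResolveGroups(lenny, SampleGroups(), "member"))
}
```

`ResolveGroups` works on entries already fetched; in a real integration the fallback step would run the filter from `GroupMemberFilter` against the configured group base DN, with `groupAttr` switchable to `uniqueMember` for `groupOfUniqueNames` groups.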

github-actions bot commented Jul 8, 2022

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

@github-actions github-actions bot added Stale and removed Stale labels Jul 8, 2022
@jwetzell

+1 to adding the ability to use a member attribute of the group for when the user's object does not have any sort of membership attribute.
