
LDAP Search failing during nested group search with "Bad search filter" #9110

Closed
charlottestjohn opened this issue Sep 16, 2019 · 14 comments

@charlottestjohn

charlottestjohn commented Sep 16, 2019

Trying to setup Harbor LDAP authentication, and running into an issue that I'm not sure I understand.

Here are my configuration values:

| Key | Value |
| --- | --- |
| Auth Mode | LDAP |
| LDAP URL | ldap://oururl:389 |
| LDAP Search DN | blank |
| LDAP Search Password | blank |
| LDAP Base DN | ou=people,dc=company,dc=local |
| LDAP Filter | blank |
| LDAP UID | uid |
| LDAP Scope | OneLevel |
| LDAP Group Base DN | ou=groups,dc=company,dc=local |
| LDAP Group Filter | blank |
| LDAP Group GID | cn |
| LDAP Group Admin DN | blank |
| LDAP Group Membership | memberOf |
| LDAP Group Scope | OneLevel |
| LDAP Verify Certificate | checked |

When my users log in, the logs show this:

2019-09-16T20:42:30Z [DEBUG] [/common/dao/user.go:277]: Check if user myusername is super user
2019-09-16T20:42:30Z [DEBUG] [/core/auth/authenticator.go:139]: Current AUTH_MODE is ldap_auth
2019-09-16T20:42:30Z [ERROR] [/common/config/manager.go:192]: failed to get key ldap_search_dn, error: the configure value is not set
2019-09-16T20:42:30Z [ERROR] [/common/config/manager.go:192]: failed to get key ldap_group_admin_dn, error: the configure value is not set
2019-09-16T20:42:30Z [DEBUG] [/common/utils/ldap/ldap.go:363]: ldap filter :(uid=myusername)
2019-09-16T20:42:30Z [DEBUG] [/common/utils/ldap/ldap.go:299]: Membership attribute: memberOf
2019-09-16T20:42:30Z [DEBUG] [/common/utils/ldap/ldap.go:315]: Search ldap with filter:(uid=myusername)
2019-09-16T20:42:30Z [DEBUG] [/common/utils/ldap/ldap.go:330]: Found entries:1
2019-09-16T20:42:30Z [DEBUG] [/common/utils/ldap/ldap.go:203]: Current ldap entry attr name: uid
2019-09-16T20:42:30Z [DEBUG] [/common/utils/ldap/ldap.go:203]: Current ldap entry attr name: cn
2019-09-16T20:42:30Z [DEBUG] [/common/utils/ldap/ldap.go:203]: Current ldap entry attr name: mail
2019-09-16T20:42:30Z [DEBUG] [/common/utils/ldap/ldap.go:203]: Current ldap entry attr name: memberOf
2019-09-16T20:42:30Z [DEBUG] [/common/utils/ldap/ldap.go:218]: Found memberof cn=group1,ou=groups,dc=company,dc=local
2019-09-16T20:42:30Z [DEBUG] [/common/utils/ldap/ldap.go:218]: Found memberof cn=group2,ou=groups,dc=company,dc=local
2019-09-16T20:42:30Z [DEBUG] [/common/utils/ldap/ldap.go:218]: Found memberof cn=group3,ou=groups,dc=company,dc=local
2019-09-16T20:42:30Z [DEBUG] [/common/utils/ldap/ldap.go:218]: Found memberof cn=group4,ou=groups,dc=company,dc=local
2019-09-16T20:42:30Z [DEBUG] [/common/utils/ldap/ldap.go:218]: Found memberof cn=group5,ou=groups,dc=company,dc=local
2019-09-16T20:42:30Z [DEBUG] [/common/utils/ldap/ldap.go:218]: Found memberof cn=group6,ou=groups,dc=company,dc=local
2019-09-16T20:42:30Z [DEBUG] [/common/utils/ldap/ldap.go:218]: Found memberof cn=group7,ou=groups,dc=company,dc=local
2019-09-16T20:42:30Z [DEBUG] [/common/utils/ldap/ldap.go:224]: Searching for nested groups
2019-09-16T20:42:30Z [DEBUG] [/common/utils/ldap/ldap.go:299]: Membership attribute: memberOf
2019-09-16T20:42:30Z [DEBUG] [/common/utils/ldap/ldap.go:315]: Search ldap with filter:(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=uid=myusername,ou=people,dc=company,dc=local))
2019-09-16T20:42:30Z [DEBUG] [/common/utils/ldap/ldap.go:330]: Found entries:0
2019-09-16T20:42:30Z [DEBUG] [/common/utils/ldap/ldap.go:336]: LDAP search errorLDAP Result Code 12 "Unavailable Critical Extension": Bad search filter
2019-09-16T20:42:30Z [WARNING] [/core/auth/ldap/ldap.go:65]: ldap search fail: LDAP Result Code 12 "Unavailable Critical Extension": Bad search filter
2019-09-16T20:42:30Z [ERROR] [/core/controllers/base.go:108]: Error occurred in UserLogin: LDAP Result Code 12 "Unavailable Critical Extension": Bad search filter

Is there another setting we could be using that would make this work? The search appears to work just fine for finding the user, and finding the groups, but not on the final nested groups search. We also don't use nested groups - would that be something we could config to off?

Harbor Version v1.9.0-76f15806

@charlottestjohn
Author

What's also mildly interesting is that when I change the key values to the ones below, I get the same issues, even to the point where the nested search filter still uses ou=people, even though I've deleted ou=people from the LDAP Base DN.

| Key | Value |
| --- | --- |
| Auth Mode | LDAP |
| LDAP URL | ldap://oururl:389 |
| LDAP Search DN | blank |
| LDAP Search Password | blank |
| LDAP Base DN | dc=company,dc=local |
| LDAP Filter | objectclass=person |
| LDAP UID | uid |
| LDAP Scope | OneLevel |
| LDAP Group Base DN | ou=groups,dc=company,dc=local |
| LDAP Group Filter | blank |
| LDAP Group GID | cn |
| LDAP Group Admin DN | blank |
| LDAP Group Membership | memberOf |
| LDAP Group Scope | OneLevel |
| LDAP Verify Certificate | checked |

@charlottestjohn
Author

And I have tried with LDAP Scope and LDAP Group Scope set to Base, Subtree, and OneLevel.

@mfld

mfld commented Sep 17, 2019

Hello, I too have this error when trying to integrate with LDAP on FreeIPA.

| Key | Value |
| --- | --- |
| Auth Mode | LDAP |
| LDAP URL | ldap://oururl:389 |
| LDAP Search DN | uid=username,cn=users,cn=accounts,dc=company,dc=local |
| LDAP Search Password | ********* |
| LDAP Base DN | dc=company,dc=local |
| LDAP Filter | objectclass=person |
| LDAP UID | uid |
| LDAP Scope | OneLevel |
| LDAP Group Base DN | ou=groups,dc=company,dc=local |
| LDAP Group Filter | objectclass=groupofnames |
| LDAP Group GID | cn |
| LDAP Group Admin DN | cn=admins,cn=groups,cn=accounts,dc=company,dc=local |
| LDAP Group Membership | memberOf |
| LDAP Group Scope | OneLevel |
| LDAP Verify Certificate | checked |

This results in the following, regardless of the scope settings:

[ERROR] [/core/controllers/base.go:107]: Error occurred in UserLogin: LDAP Result Code 12 "Unavailable Critical Extension": Bad search filter

  • The error seems tied to the first LDAP filter setting.

Harbor Version v1.9.0-d13cf448

@stonezdj
Contributor

It seems this issue is related to PR #8378; the nested group filter doesn't work on some LDAP servers.

@jniewt

jniewt commented Sep 19, 2019

Is this going to be fixed? We are also running into this problem with FreeIPA. Is there a workaround?

@Poil

Poil commented Sep 19, 2019

Hi,

Same bug here with 1.9.0; it was working in 1.8.x.
(I don't use groups.)

@zhaofengli

Is there a simple way to downgrade Harbor? It always tries to run the database migration scripts, which don't exist. Perhaps a scary, long CLI flag can be added to aid in these situations.

I'm trying not to cry, but this broke production for us.

@hanswu23

It looks like an AD specific search has been added:

51eb8bc#diff-10b1fa8fc186f561edae8dc96ac6cc39

Correct me if I'm wrong, but 1.2.840.113556.1.4.1941 is an AD specific matching rule and there should be no expectation for FreeIPA or 389DS to support it:

https://ldapwiki.com/wiki/LDAP_MATCHING_RULE_IN_CHAIN

Are there any plans to turn off this search for LDAP servers that aren't AD?
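
Added example (not Harbor's code and not the project's fix): it builds the exact chain filter Harbor 1.9.0 logs above, escapes the DN per RFC 4515 before splicing it into the filter, and falls back to a portable iterative memberOf walk when the server rejects the AD-only matching rule with result code 12, as FreeIPA, 389DS, OpenLDAP and Oracle DS do in this thread. The group tree, the `non_ad_search` stub and the `LDAPError` class are constructed stand-ins for a real directory and client.

```python
from typing import Callable, Dict, List, Set

# OID of LDAP_MATCHING_RULE_IN_CHAIN; only Active Directory evaluates it.
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"
RESULT_UNAVAILABLE_CRITICAL_EXTENSION = 12  # what non-AD servers return for it

class LDAPError(Exception):
    """Hypothetical client error carrying the server result code."""
    def __init__(self, code: int, msg: str):
        super().__init__(f"LDAP Result Code {code}: {msg}")
        self.code = code

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a DN or uid containing '*', '(', ')', '\\' or NUL cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def chain_filter(user_dn: str, group_class: str = "group", member_attr: str = "member") -> str:
    """The nested-group filter Harbor 1.9.0 sends (see the logs above)."""
    return (f"(&(objectClass={group_class})"
            f"({member_attr}:{MATCHING_RULE_IN_CHAIN}:={escape_filter_value(user_dn)}))")

def expand_nested_groups(direct: List[str], parents_of: Callable[[str], List[str]]) -> List[str]:
    """Portable alternative: walk memberOf links iteratively; the visited set stops cycles."""
    seen: Set[str] = set()
    todo = list(direct)
    while todo:
        g = todo.pop()
        if g not in seen:
            seen.add(g)
            todo.extend(parents_of(g))
    return sorted(seen)

def resolve_groups(search, user_dn: str, direct: List[str], parents_of) -> List[str]:
    """Try the AD chain search; on result code 12 fall back to the portable walk."""
    try:
        return sorted(search(chain_filter(user_dn)))
    except LDAPError as e:
        if e.code != RESULT_UNAVAILABLE_CRITICAL_EXTENSION:
            raise
        return expand_nested_groups(direct, parents_of)

# Constructed sample (hypothetical): group1 inside group2 inside group3, which loops back to group1.
G = {n: f"cn={n},ou=groups,dc=company,dc=local" for n in ("group1", "group2", "group3")}
SAMPLE_PARENTS: Dict[str, List[str]] = {G["group1"]: [G["group2"]], G["group2"]: [G["group3"]], G["group3"]: [G["group1"]]}

def non_ad_search(filter_str: str) -> List[str]:
    """Simulates FreeIPA/OpenLDAP/389DS: the AD-only OID is rejected with code 12."""
    if MATCHING_RULE_IN_CHAIN in filter_str:
        raise LDAPError(12, 'Unavailable Critical Extension: Bad search filter')
    return []
```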

@gunboe

gunboe commented Sep 21, 2019

Same issue here with OpenLDAP:

| Key | Value |
| --- | --- |
| Auth Mode | LDAP |
| LDAP URL | ldap://***:389 |
| LDAP Search DN | uid=harbor-user,ou=**,ou=**,dc=**,dc=**,dc=*** |
| LDAP Search Password | **** |
| LDAP Base DN | dc=**,dc=**,dc=*** |
| LDAP Filter | (objectClass=***) |
| LDAP UID | uid |
| LDAP Scope | Subtree |
| LDAP Group Base DN | blank |
| LDAP Group Filter | blank |
| LDAP Group GID | blank |
| LDAP Group Admin DN | blank |
| LDAP Group Membership | memberOf |
| LDAP Group Scope | OneLevel |
| LDAP Verify Certificate | Not checked |

@elevesque-sfr

Hello.

Same issue here with Oracle DS.
It was working with version 1.8.1.

| Key | Value |
| --- | --- |
| Auth Mode | LDAP |
| LDAP URL | ldap://oururl:389 |
| LDAP Search DN | uid=username,cn=users,cn=accounts,dc=company,dc=local |
| LDAP Search Password | **** |
| LDAP Base DN | DC=*,DC=* |
| LDAP Filter | blank |
| LDAP UID | uid |
| LDAP Scope | Subtree |
| LDAP Group Base DN | ou=applications,dc=*,dc=* |
| LDAP Group Filter | objectclass=groupOfUniqueNames |
| LDAP Group GID | cn |
| LDAP Group Admin DN | blank |
| LDAP Group Membership | uniqueMember |
| LDAP Group Scope | Subtree |
| LDAP Verify Certificate | Not checked |

2019-09-27T14:33:35Z [DEBUG] [/common/dao/user.go:269]: Check if user elevesque is super user
2019-09-27T14:33:35Z [DEBUG] [/core/auth/authenticator.go:139]: Current AUTH_MODE is ldap_auth
2019-09-27T14:33:35Z [DEBUG] [/common/config/store/driver/db.go:43]: failed to get metadata, key:http_authproxy_always_onboard, error:<nil>, skip to load item
2019-09-27T14:33:35Z [ERROR] [/common/config/manager.go:192]: failed to get key ldap_filter, error: the configure value is not set
2019-09-27T14:33:35Z [DEBUG] [/common/config/store/driver/db.go:43]: failed to get metadata, key:http_authproxy_always_onboard, error:<nil>, skip to load item
2019-09-27T14:33:35Z [ERROR] [/common/config/manager.go:192]: failed to get key ldap_group_admin_dn, error: the configure value is not set
2019-09-27T14:33:35Z [DEBUG] [/common/utils/ldap/ldap.go:363]: ldap filter :(uid=elevesque)
2019-09-27T14:33:35Z [DEBUG] [/common/utils/ldap/ldap.go:299]: Membership attribute: uniqueMember
2019-09-27T14:33:35Z [DEBUG] [/common/utils/ldap/ldap.go:315]: Search ldap with filter:(uid=elevesque)
2019-09-27T14:33:35Z [DEBUG] [/common/utils/ldap/ldap.go:330]: Found entries:1
2019-09-27T14:33:35Z [DEBUG] [/common/utils/ldap/ldap.go:203]: Current ldap entry attr name: uid
2019-09-27T14:33:35Z [DEBUG] [/common/utils/ldap/ldap.go:203]: Current ldap entry attr name: cn
2019-09-27T14:33:35Z [DEBUG] [/common/utils/ldap/ldap.go:203]: Current ldap entry attr name: mail
2019-09-27T14:33:35Z [DEBUG] [/common/utils/ldap/ldap.go:224]: Searching for nested groups
2019-09-27T14:33:35Z [DEBUG] [/common/utils/ldap/ldap.go:299]: Membership attribute: uniqueMember
2019-09-27T14:33:35Z [DEBUG] [/common/utils/ldap/ldap.go:315]: Search ldap with filter:(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=PerId=99951, ou=Persons,dc=cegetel,dc=org))
2019-09-27T14:33:35Z [DEBUG] [/common/utils/ldap/ldap.go:330]: Found entries:0
2019-09-27T14:33:35Z [DEBUG] [/common/utils/ldap/ldap.go:336]: LDAP search errorLDAP Result Code 12 "Unavailable Critical Extension": Bad search filter
2019-09-27T14:33:35Z [WARNING] [/core/auth/ldap/ldap.go:65]: ldap search fail: LDAP Result Code 12 "Unavailable Critical Extension": Bad search filter
2019-09-27T14:33:35Z [ERROR] [/core/controllers/base.go:107]: Error occurred in UserLogin: LDAP Result Code 12 "Unavailable Critical Extension": Bad search filter

With ldapsearch:

[eric@macross ~]$ ldapsearch -h oururl -p 389 -x -D "uid=*,ou=*,dc=*,dc=*" -b "ou=applications,dc=*,dc=*" "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=PerId=99951,ou=Persons,dc=*,dc=*))"
# extended LDIF
#
# LDAPv3
# base <ou=applications,dc=*,dc=*> with scope subtree
# filter: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:=PerId=99951,ou=Persons,dc=*,dc=*))
# requesting: ALL
#

# search result
search: 2
result: 12 Critical extension is unavailable
text: Bad search filter

# numResponses: 1
[eric@macross ~]$ ldapsearch -h oururl -p 389 -x -D "uid=*,ou=*,dc=*,dc=*" -b "ou=applications,dc=*,dc=*" "(&(objectClass=group)(PerId=99951,ou=Persons,dc=*,dc=*))"
# extended LDIF
#
# LDAPv3
# base <ou=applications,dc=*,dc=*> with scope subtree
# filter: (&(objectClass=group)(PerId=99951, ou=Persons,dc=*,dc=*))
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

@CoaxVex

CoaxVex commented Oct 1, 2019

I've built an image with the nested group code commented out. If you're brave enough to give it a try, replace the image spec in your docker-compose.yml:

  core:
    image: nilsc/harbor-core:v1.9.0

@elevesque-sfr

It works.

2019-10-01T21:29:59Z [DEBUG] [/common/dao/user.go:269]: Check if user elevesque is super user
2019-10-01T21:29:59Z [DEBUG] [/core/auth/authenticator.go:139]: Current AUTH_MODE is ldap_auth
2019-10-01T21:29:59Z [DEBUG] [/common/config/store/driver/db.go:43]: failed to get metadata, key:http_authproxy_always_onboard, error:<nil>, skip to load item
2019-10-01T21:29:59Z [ERROR] [/common/config/manager.go:192]: failed to get key ldap_filter, error: the configure value is not set
2019-10-01T21:29:59Z [DEBUG] [/common/config/store/driver/db.go:43]: failed to get metadata, key:http_authproxy_always_onboard, error:<nil>, skip to load item
2019-10-01T21:29:59Z [ERROR] [/common/config/manager.go:192]: failed to get key ldap_group_admin_dn, error: the configure value is not set
2019-10-01T21:29:59Z [DEBUG] [/common/utils/ldap/ldap.go:365]: ldap filter :(uid=elevesque)
2019-10-01T21:29:59Z [DEBUG] [/common/utils/ldap/ldap.go:301]: Membership attribute: uniqueMember
2019-10-01T21:29:59Z [DEBUG] [/common/utils/ldap/ldap.go:317]: Search ldap with filter:(uid=elevesque)
2019-10-01T21:29:59Z [DEBUG] [/common/utils/ldap/ldap.go:332]: Found entries:1
2019-10-01T21:29:59Z [DEBUG] [/common/utils/ldap/ldap.go:203]: Current ldap entry attr name: uid
2019-10-01T21:29:59Z [DEBUG] [/common/utils/ldap/ldap.go:203]: Current ldap entry attr name: cn
2019-10-01T21:29:59Z [DEBUG] [/common/utils/ldap/ldap.go:203]: Current ldap entry attr name: mail
2019-10-01T21:29:59Z [DEBUG] [/core/auth/ldap/ldap.go:76]: Found ldap user {Username:elevesque Email:eric.levesque@sfr.com Realname:Eric LEVESQUE DN:PerId=99951, ou=Persons,dc=*,dc=* GroupDNList:[]}

Screenshot from 2019-10-01 23-35-40

@jstewart612

@CoaxVex did you submit a PR?

@CoaxVex

CoaxVex commented Oct 7, 2019

> @CoaxVex did you submit a PR?

No, I just disabled the nested group functionality: https://gist.github.com/CoaxVex/68a48d444a9e9256ceab892d57db5feb

stonezdj added a commit to stonezdj/harbor that referenced this issue Oct 21, 2019
Remove the code change in goharbor#8378, because the previous code change caused issues: goharbor#9092, goharbor#9110, goharbor#9326
Signed-off-by: stonezdj stonezdj@gmail.com