Harbor: LDAP Groups

Created on 24 Aug 2017 · 11 Comments · Source: goharbor/harbor

Hi All, I would like to know if Harbor 1.2.X supports LDAP groups. For example, I need to assign the developer role to an LDAP group. Any idea?

Thanks.

All 11 comments

@roldancer
I think what you are asking for is mapping an LDAP group to a "project"?

I had the same question from my colleagues when I was showing them Harbor :-) Mapping of LDAP groups to roles in a project could be very useful and simplify the management of the project.

Hi, I mean to map LDAP groups to a role for a specific project.

Thanks.

@reasonerjt Managing User Access Control in a large organization is done via LDAP groups; this feature is very important for us.

Yep that would be nice. I was already talking about that in #1305 btw.

Hi @reasonerjt do you know when LDAP group will be supported in Harbor?

Could you please put this feature in Harbor's roadmap?

Many thanks.

As I also mentioned on #1305 (https://github.com/vmware/harbor/issues/1305#issuecomment-327506379), it is a very common pattern to define groups in a single place to manage many access permissions to many places in just one list.

That said, one of the most common ways to achieve this is to have those groups as LDAP groups, so they are managed centrally, at a single place, in a way independent of which systems you need to be granted permissions to (and even by a different department, when needed).

Many people (including me) are very used to managing centralized permission grants via LDAP groups, so both this request and #1305 (which would be a prerequisite for this) are strong requirements for many companies. Not being able to use LDAP groups for permissions can even be a reason for an IT risk department to ban the use of a piece of software at some very strict companies.

To support the feature, we need to allow assignment of a role to a group in LDAP.

@roldancer In your environment, is the group in LDAP specified by a DN, or just a normal name like devGroupForProjectA?

Hi @hainingzhang we use the normal name "devGroupForProjectA".

Thanks.

Hi @hainingzhang, is there any update on this issue?
