Harbor: LDAP Search failing during nested group search with "Bad search filter"

Created on 16 Sep 2019  ·  14Comments  ·  Source: goharbor/harbor

Trying to setup Harbor LDAP authentication, and running into an issue that I'm not sure I understand.

Here's my configuration values:

Key | Value
------------ | -------------
Auth Mode | LDAP
LDAP URL | ldap://oururl:389
LDAP Search DN | blank
LDAP Search Password | blank
LDAP Base DN | ou=people,dc=company,dc=local
LDAP Filter | blank
LDAP UID | uid
LDAP Scope | OneLevel
LDAP Group Base DN | ou=groups,dc=company,dc=local
LDAP Group Filter | blank
LDAP Group GID | cn
LDAP Group Admin DN | blank
LDAP Group Membership | memberOf
LDAP Group Scope | OneLevel
LDAP Verify Certificate | checked

When my users log in, the logs show this:

2019-09-16T20:42:30Z [DEBUG] [/common/dao/user.go:277]: Check if user myusername is super user
2019-09-16T20:42:30Z [DEBUG] [/core/auth/authenticator.go:139]: Current AUTH_MODE is ldap_auth
2019-09-16T20:42:30Z [ERROR] [/common/config/manager.go:192]: failed to get key ldap_search_dn, error: the configure value is not set
2019-09-16T20:42:30Z [ERROR] [/common/config/manager.go:192]: failed to get key ldap_group_admin_dn, error: the configure value is not set
2019-09-16T20:42:30Z [DEBUG] [/common/utils/ldap/ldap.go:363]: ldap filter :(uid=myusername)
2019-09-16T20:42:30Z [DEBUG] [/common/utils/ldap/ldap.go:299]: Membership attribute: memberOf
2019-09-16T20:42:30Z [DEBUG] [/common/utils/ldap/ldap.go:315]: Search ldap with filter:(uid=myusername)
2019-09-16T20:42:30Z [DEBUG] [/common/utils/ldap/ldap.go:330]: Found entries:1
2019-09-16T20:42:30Z [DEBUG] [/common/utils/ldap/ldap.go:203]: Current ldap entry attr name: uid
2019-09-16T20:42:30Z [DEBUG] [/common/utils/ldap/ldap.go:203]: Current ldap entry attr name: cn
2019-09-16T20:42:30Z [DEBUG] [/common/utils/ldap/ldap.go:203]: Current ldap entry attr name: mail
2019-09-16T20:42:30Z [DEBUG] [/common/utils/ldap/ldap.go:203]: Current ldap entry attr name: memberOf
2019-09-16T20:42:30Z [DEBUG] [/common/utils/ldap/ldap.go:218]: Found memberof cn=group1,ou=groups,dc=company,dc=local
2019-09-16T20:42:30Z [DEBUG] [/common/utils/ldap/ldap.go:218]: Found memberof cn=group2,ou=groups,dc=company,dc=local
2019-09-16T20:42:30Z [DEBUG] [/common/utils/ldap/ldap.go:218]: Found memberof cn=group3,ou=groups,dc=company,dc=local
2019-09-16T20:42:30Z [DEBUG] [/common/utils/ldap/ldap.go:218]: Found memberof cn=group4,ou=groups,dc=company,dc=local
2019-09-16T20:42:30Z [DEBUG] [/common/utils/ldap/ldap.go:218]: Found memberof cn=group5,ou=groups,dc=company,dc=local
2019-09-16T20:42:30Z [DEBUG] [/common/utils/ldap/ldap.go:218]: Found memberof cn=group6,ou=groups,dc=company,dc=local
2019-09-16T20:42:30Z [DEBUG] [/common/utils/ldap/ldap.go:218]: Found memberof cn=group7,ou=groups,dc=company,dc=local
2019-09-16T20:42:30Z [DEBUG] [/common/utils/ldap/ldap.go:224]: Searching for nested groups
2019-09-16T20:42:30Z [DEBUG] [/common/utils/ldap/ldap.go:299]: Membership attribute: memberOf
2019-09-16T20:42:30Z [DEBUG] [/common/utils/ldap/ldap.go:315]: Search ldap with filter:(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=uid=myusername,ou=people,dc=company,dc=local))
2019-09-16T20:42:30Z [DEBUG] [/common/utils/ldap/ldap.go:330]: Found entries:0
2019-09-16T20:42:30Z [DEBUG] [/common/utils/ldap/ldap.go:336]: LDAP search errorLDAP Result Code 12 "Unavailable Critical Extension": Bad search filter
2019-09-16T20:42:30Z [WARNING] [/core/auth/ldap/ldap.go:65]: ldap search fail: LDAP Result Code 12 "Unavailable Critical Extension": Bad search filter
2019-09-16T20:42:30Z [ERROR] [/core/controllers/base.go:108]: Error occurred in UserLogin: LDAP Result Code 12 "Unavailable Critical Extension": Bad search filter

Is there another setting we could be using that would make this work? The search appears to work just fine for finding the user, and finding the groups, but not on the final nested groups search. We also don't use nested groups - would that be something we could config to off?

Harbor Version v1.9.0-76f15806

All 14 comments

What's also mildly interesting is that when I change the key values to the ones below, I get the same issues, even to the point where the nested search filter uses ou=people, even though I've deleted ou=people from the LDAP Base DN.

Key | Value
------------ | -------------
Auth Mode | LDAP
LDAP URL | ldap://oururl:389
LDAP Search DN | blank
LDAP Search Password | blank
LDAP Base DN | dc=company,dc=local
LDAP Filter | objectclass=person
LDAP UID | uid
LDAP Scope | OneLevel
LDAP Group Base DN | ou=groups,dc=company,dc=local
LDAP Group Filter | blank
LDAP Group GID | cn
LDAP Group Admin DN | blank
LDAP Group Membership | memberOf
LDAP Group Scope | OneLevel
LDAP Verify Certificate | checked

And I have tried with LDAP Scope and LDAP Group Scope at Base, Subtree, and OneLevel.

Hello, I too have this error when trying to integrate with ldap on free-ipa.

Key | Value
-- | --
Auth Mode | LDAP
LDAP URL | ldap://oururl:389
LDAP Search DN | uid=username,cn=users,cn=accounts,dc=company,dc=local
LDAP Search Password | ***
LDAP Base DN | dc=company,dc=local
LDAP Filter | objectclass=person
LDAP UID | uid
LDAP Scope | OneLevel
LDAP Group Base DN | ou=groups,dc=company,dc=local
LDAP Group Filter | objectclass=groupofnames
LDAP Group GID | cn
LDAP Group Admin DN | cn=admins,cn=groups,cn=accounts,dc=company,dc=local
LDAP Group Membership | memberOf
LDAP Group Scope | OneLevel
LDAP Verify Certificate | checked

results in (regardless of scope settings):

  • the error seems tied to the first LDAP filter setting.

harbor Version v1.9.0-d13cf448

It seems this issue is related to PR #8378; the nested group filter doesn't work on some LDAP servers.

Is this going to be fixed? We are also running into this problem with Free IPA. Is there a workaround?

Hi,

Same bug here with 1.9.0; it was working in 1.8.x.
(I don't use groups.)

Is there a simple way to downgrade Harbor? It always tries to run the database migration scripts, which don't exist. Perhaps a scary, long CLI flag can be added to aid in these situations.

I'm trying not to cry, but this broke production for us.

It looks like an AD specific search has been added:

https://github.com/goharbor/harbor/commit/51eb8bc60fd82efb339755cd84db44f0585143f5#diff-10b1fa8fc186f561edae8dc96ac6cc39

Correct me if I'm wrong, but 1.2.840.113556.1.4.1941 is an AD specific matching rule and there should be no expectation for FreeIPA or 389DS to support it:

https://ldapwiki.com/wiki/LDAP_MATCHING_RULE_IN_CHAIN

Are there any plans to turn off this search for LDAP servers that aren't AD?
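As an added example (not Harbor's code), the following shows how a client could use the AD-only matching rule only when the directory advertises Active Directory support, fall back to a direct-membership search when the server answers with result code 12 as in the logs above, and escape the user DN before splicing it into the filter. The rootDSE capability OID 1.2.840.113556.1.4.800, the `search` callback and the `LDAPError` type are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

const (
	matchingRuleInChain          = "1.2.840.113556.1.4.1941" // AD-only transitive rule used in the logs above
	adCapabilityOID              = "1.2.840.113556.1.4.800"  // LDAP_CAP_ACTIVE_DIRECTORY_OID in rootDSE supportedCapabilities (assumed)
	unavailableCriticalExtension = 12                        // result code the non-AD servers in this thread return
)

// escapeFilterValue applies RFC 4515 escaping so a user DN spliced into a filter
// cannot add or close filter terms (the logs show the DN inserted verbatim).
func escapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		switch c := v[i]; c {
		case '*', '(', ')', '\\', 0:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// NestedGroupFilter combines the configured group filter (e.g. objectClass=groupOfUniqueNames)
// with a membership term; the AD transitive rule is used only when caps contains the AD OID.
func NestedGroupFilter(userDN, groupFilter, memberAttr string, caps []string) (filter string, nested bool) {
	dn := escapeFilterValue(userDN)
	for _, oid := range caps {
		if oid == adCapabilityOID {
			return fmt.Sprintf("(&(%s)(%s:%s:=%s))", groupFilter, memberAttr, matchingRuleInChain, dn), true
		}
	}
	return fmt.Sprintf("(&(%s)(%s=%s))", groupFilter, memberAttr, dn), false
}

// LDAPError mirrors the "LDAP Result Code N" errors in the logs (constructed for this example).
type LDAPError struct{ Code int; Msg string }

func (e *LDAPError) Error() string { return fmt.Sprintf("LDAP Result Code %d: %s", e.Code, e.Msg) }

// ResolveGroups prefers the nested filter but degrades to direct membership when the server
// rejects the matching rule with code 12, so a non-AD directory still lets users log in.
// search stands in for the real directory query (hypothetical; a go-ldap call in practice).
func ResolveGroups(userDN, groupFilter, memberAttr string, caps []string, search func(string) ([]string, error)) ([]string, error) {
	filter, nested := NestedGroupFilter(userDN, groupFilter, memberAttr, caps)
	groups, err := search(filter)
	if le, ok := err.(*LDAPError); ok && nested && le.Code == unavailableCriticalExtension {
		filter, _ = NestedGroupFilter(userDN, groupFilter, memberAttr, nil) // no caps: direct form
		groups, err = search(filter)
	}
	return groups, err
}
```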

Same issue here with OpenLDAP:

Key | Value
-- | --
Auth Mode | LDAP
LDAP URL | ldap://:389
LDAP Search DN | uid=harbor-user,ou=**,ou=**,dc=**,dc=**,dc=**
LDAP Search Password | *
LDAP Base DN | dc=**,dc=**,dc=**
LDAP Filter | (objectClass=*)
LDAP UID | uid
LDAP Scope | Subtree
LDAP Group Base DN | blank
LDAP Group Filter | blank
LDAP Group GID | blank
LDAP Group Admin DN | blank
LDAP Group Membership | memberOf
LDAP Group Scope | OneLevel
LDAP Verify Certificate | Notchecked

Hello.

Same issue here with Oracle DS.
It was working with version 1.8.1.

Key | Value
-- | --
Auth Mode | LDAP
LDAP URL | ldap://oururl:389
LDAP Search DN | uid=username,cn=users,cn=accounts,dc=company,dc=local
LDAP Search Password | **
LDAP Base DN | DC=*,DC=*
LDAP Filter | blank
LDAP UID | uid
LDAP Scope | Subtree
LDAP Group Base DN | ou=applications,dc=*,dc=*
LDAP Group Filter | objectclass=groupOfUniqueNames
LDAP Group GID | cn
LDAP Group Admin DN | blank
LDAP Group Membership | uniqueMember
LDAP Group Scope | Subtree
LDAP Verify Certificate | Notchecked

2019-09-27T14:33:35Z [DEBUG] [/common/dao/user.go:269]: Check if user elevesque is super user
2019-09-27T14:33:35Z [DEBUG] [/core/auth/authenticator.go:139]: Current AUTH_MODE is ldap_auth
2019-09-27T14:33:35Z [DEBUG] [/common/config/store/driver/db.go:43]: failed to get metadata, key:http_authproxy_always_onboard, error:<nil>, skip to load item
2019-09-27T14:33:35Z [ERROR] [/common/config/manager.go:192]: failed to get key ldap_filter, error: the configure value is not set
2019-09-27T14:33:35Z [DEBUG] [/common/config/store/driver/db.go:43]: failed to get metadata, key:http_authproxy_always_onboard, error:<nil>, skip to load item
2019-09-27T14:33:35Z [ERROR] [/common/config/manager.go:192]: failed to get key ldap_group_admin_dn, error: the configure value is not set
2019-09-27T14:33:35Z [DEBUG] [/common/utils/ldap/ldap.go:363]: ldap filter :(uid=elevesque)
2019-09-27T14:33:35Z [DEBUG] [/common/utils/ldap/ldap.go:299]: Membership attribute: uniqueMember
2019-09-27T14:33:35Z [DEBUG] [/common/utils/ldap/ldap.go:315]: Search ldap with filter:(uid=elevesque)
2019-09-27T14:33:35Z [DEBUG] [/common/utils/ldap/ldap.go:330]: Found entries:1
2019-09-27T14:33:35Z [DEBUG] [/common/utils/ldap/ldap.go:203]: Current ldap entry attr name: uid
2019-09-27T14:33:35Z [DEBUG] [/common/utils/ldap/ldap.go:203]: Current ldap entry attr name: cn
2019-09-27T14:33:35Z [DEBUG] [/common/utils/ldap/ldap.go:203]: Current ldap entry attr name: mail
2019-09-27T14:33:35Z [DEBUG] [/common/utils/ldap/ldap.go:224]: Searching for nested groups
2019-09-27T14:33:35Z [DEBUG] [/common/utils/ldap/ldap.go:299]: Membership attribute: uniqueMember
2019-09-27T14:33:35Z [DEBUG] [/common/utils/ldap/ldap.go:315]: Search ldap with filter:(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=PerId=99951, ou=Persons,dc=cegetel,dc=org))
2019-09-27T14:33:35Z [DEBUG] [/common/utils/ldap/ldap.go:330]: Found entries:0
2019-09-27T14:33:35Z [DEBUG] [/common/utils/ldap/ldap.go:336]: LDAP search errorLDAP Result Code 12 "Unavailable Critical Extension": Bad search filter
2019-09-27T14:33:35Z [WARNING] [/core/auth/ldap/ldap.go:65]: ldap search fail: LDAP Result Code 12 "Unavailable Critical Extension": Bad search filter
2019-09-27T14:33:35Z [ERROR] [/core/controllers/base.go:107]: Error occurred in UserLogin: LDAP Result Code 12 "Unavailable Critical Extension": Bad search filter

With ldapsearch:

[eric@macross ~]$ ldapsearch -h oururl -p 389 -x -D "uid=*,ou=*,dc=*,dc=*" -b "ou=applications,dc=*,dc=*" "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=PerId=99951,ou=Persons,dc=*,dc=*))"
# extended LDIF
#
# LDAPv3
# base <ou=applications,dc=*,dc=*> with scope subtree
# filter: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:=PerId=99951,ou=Persons,dc=*,dc=*))
# requesting: ALL
#

# search result
search: 2
result: 12 Critical extension is unavailable
text: Bad search filter

# numResponses: 1
[eric@macross ~]$ ldapsearch -h oururl -p 389 -x -D "uid=*,ou=*,dc=*,dc=*" -b "ou=applications,dc=*,dc=*" "(&(objectClass=group)(PerId=99951,ou=Persons,dc=*,dc=*))"
# extended LDIF
#
# LDAPv3
# base <ou=applications,dc=*,dc=*> with scope subtree
# filter: (&(objectClass=group)(PerId=99951, ou=Persons,dc=*,dc=*))
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

I've built an image with the nested group code commented out. If you're brave enough to give it a try, replace the image spec in your docker-compose.yml:

  core:
    image: nilsc/harbor-core:v1.9.0

It works.

2019-10-01T21:29:59Z [DEBUG] [/common/dao/user.go:269]: Check if user elevesque is super user
2019-10-01T21:29:59Z [DEBUG] [/core/auth/authenticator.go:139]: Current AUTH_MODE is ldap_auth
2019-10-01T21:29:59Z [DEBUG] [/common/config/store/driver/db.go:43]: failed to get metadata, key:http_authproxy_always_onboard, error:<nil>, skip to load item
2019-10-01T21:29:59Z [ERROR] [/common/config/manager.go:192]: failed to get key ldap_filter, error: the configure value is not set
2019-10-01T21:29:59Z [DEBUG] [/common/config/store/driver/db.go:43]: failed to get metadata, key:http_authproxy_always_onboard, error:<nil>, skip to load item
2019-10-01T21:29:59Z [ERROR] [/common/config/manager.go:192]: failed to get key ldap_group_admin_dn, error: the configure value is not set
2019-10-01T21:29:59Z [DEBUG] [/common/utils/ldap/ldap.go:365]: ldap filter :(uid=elevesque)
2019-10-01T21:29:59Z [DEBUG] [/common/utils/ldap/ldap.go:301]: Membership attribute: uniqueMember
2019-10-01T21:29:59Z [DEBUG] [/common/utils/ldap/ldap.go:317]: Search ldap with filter:(uid=elevesque)
2019-10-01T21:29:59Z [DEBUG] [/common/utils/ldap/ldap.go:332]: Found entries:1
2019-10-01T21:29:59Z [DEBUG] [/common/utils/ldap/ldap.go:203]: Current ldap entry attr name: uid
2019-10-01T21:29:59Z [DEBUG] [/common/utils/ldap/ldap.go:203]: Current ldap entry attr name: cn
2019-10-01T21:29:59Z [DEBUG] [/common/utils/ldap/ldap.go:203]: Current ldap entry attr name: mail
2019-10-01T21:29:59Z [DEBUG] [/core/auth/ldap/ldap.go:76]: Found ldap user {Username:elevesque Email:[email protected] Realname:Eric LEVESQUE DN:PerId=99951, ou=Persons,dc=*,dc=* GroupDNList:[]}

@CoaxVex did you submit a PR?

No, I just disabled the nested group functionality: https://gist.github.com/CoaxVex/68a48d444a9e9256ceab892d57db5feb
