Harbor: Searching nested groups in wrong basedn

Created on 7 Oct 2019 · 4Comments · Source: goharbor/harbor

Expected behavior and actual behavior:
Actual behavior:
"Searching for nested groups" searches in LDAP Base DN.
This is very slow in our environment, search query "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=CN=e-Martin.Balint,OU=Users,OU=xxx,DC=yyy,DC=zzz,DC=net))" takes 15 seconds.

We are using Active Directory.

Expected behavior:
It should search in LDAP Group Base DN
Same query takes 2 seconds

Steps to reproduce the problem:
Setup LDAP authentication

Versions:

harbor version: [1.9.0]
docker engine version: [18.09.6]

areldap targe1.9.2

Source

martinbalint

👍5

Most helpful comment

I have the same problem. After upgrading to Harbor 1.9.0 the login isn't possible anymore, because of this ldap query which times out.
I compared the debug core.log with the previous version 1.8.2 and noticed that this ldap query is only executed in Harbor 1.9.0. The issue seems to be introduced with the PR #8378
To get the login working again, we would need an option to disable this query.

Mr-iX on 10 Oct 2019

👍6

All 4 comments

It seems that the nested group search very slow and sometimes return errors, we will create a configure option to enable/disable nested groups. do you use nested group?

stonezdj on 10 Oct 2019

Mr-iX on 10 Oct 2019

👍6

Same here. Harbor 1.9.0 LDAP based Login doesn't work anymore.

jomeier on 10 Oct 2019

👍2

do you use nested group?

We do not need nested groups in our environment.
But basically the issue with speed seems to be with basedn, where those nested groups are searched in. If you use groupbasedn instead if basedn, it is 10x faster here.

martinbalint on 10 Oct 2019

Was this page helpful?

0 / 5 - 0 ratings