harbor/docs/administration/configure-authentication/ldap-auth.md

45 lines
3.6 KiB
Markdown
Raw Normal View History

---
title: Configure LDAP/Active Directory Authentication
2020-02-11 16:24:43 +01:00
weight: 20
---
2019-12-18 16:06:18 +01:00
If you select LDAP/AD authentication, users whose credentials are stored in an external LDAP or AD server can log in to Harbor directly. In this case, you do not create user accounts in Harbor.
{{< important >}}
You can change the authentication mode from database to LDAP only if no local users have been added to the database. If there is at least one user other than `admin` in the Harbor database, you cannot change the authentication mode.
{{< /important >}}
2019-12-18 16:06:18 +01:00
Because the users are managed by LDAP or AD, self-registration, creating users, deleting users, changing passwords, and resetting passwords are not supported in LDAP/AD authentication mode.
If you want to manage user authentication by using LDAP groups, you must enable the `memberof` feature on the LDAP/AD server. With the `memberof` feature, the LDAP/AD user entity's `memberof` attribute is updated when the group entity's `member` attribute is updated, for example by adding or removing an LDAP/AD user from the LDAP/AD group. This feature is enabled by default in Active Directory. For information about how to enable and verify `memberof` overlay in OpenLDAP, see [this technical note](https://technicalnotes.wordpress.com/2014/04/19/openldap-setup-with-memberof-overlay).
2019-12-18 16:06:18 +01:00
1. Log in to the Harbor interface with an account that has Harbor system administrator privileges.
1. Under **Administration**, go to **Configuration** and select the **Authentication** tab.
1. Use the **Auth Mode** drop-down menu to select **LDAP**.
![LDAP authentication](../../../img/select-ldap-auth.png)
2019-12-18 16:06:18 +01:00
1. Enter the address of your LDAP server, for example `ldaps://10.162.16.194`.
1. Enter information about your LDAP server.
- **LDAP Search DN** and **LDAP Search Password**: When a user logs in to Harbor with their LDAP username and password, Harbor uses these values to bind to the LDAP/AD server. For example, `cn=admin,dc=example.com`.
- **LDAP Base DN**: Harbor looks up the user under the LDAP Base DN entry, including the subtree. For example, `dc=example.com`.
- **LDAP Filter**: The filter to search for LDAP/AD users. For example, `objectclass=user`.
- **LDAP UID**: An attribute, for example `uid`, or `cn`, that is used to match a user with the username. If a match is found, the user's password is verified by a bind request to the LDAP/AD server.
- **LDAP Scope**: The scope to search for LDAP/AD users. Select from **Subtree**, **Base**, and **OneLevel**.
![Basic LDAP configuration](../../../img/ldap-auth.png)
2019-12-18 16:06:18 +01:00
1. If you want to manage user authentication with LDAP groups, configure the group settings.
- **LDAP Group Base DN**: The base DN from which to lookup a group in LDAP/AD. For example, `ou=groups,dc=example,dc=com`.
- **LDAP Group Filter**: The filter to search for LDAP/AD groups. For example, `objectclass=groupOfNames`.
- **LDAP Group GID**: The attribute used to name an LDAP/AD group. For example, `cn`.
- **LDAP Group Admin DN**: All LDAP/AD users in this group DN have Harbor system administrator privileges.
- **LDAP Group Membership**: The user attribute usd to identify a user as a member of a group. By default this is `memberof`.
- **LDAP Scope**: The scope to search for LDAP/AD groups. Select from **Subtree**, **Base**, and **OneLevel**.
![LDAP group configuration](../../../img/ldap-groups.png)
2019-12-18 16:06:18 +01:00
1. Uncheck **LDAP Verify Cert** if the LDAP/AD server uses a self-signed or untrusted certificate.
![LDAP certificate verification](../../../img/ldap-cert-test.png)
2019-12-18 16:06:18 +01:00
1. Click **Test LDAP Server** to make sure that your configuration is correct.
1. Click **Save** to complete the configuration.