Signed-off-by: Brett Johnson <brett@sdbrett.com>
Date: Mon Oct 8 08:41:37 2018 +1100
On branch docs
Changes to be committed:
modified: docs/compile_guide.md
modified: docs/installation_guide.md
modified: docs/kubernetes_deployment.md
modified: docs/manage_role_by_ldap_group.md
modified: docs/migration_guide.md
modified: docs/upgradetest.md
modified: docs/use_notary.md
modified: docs/user_guide.md
Introduction
This guide describes how to manage roles by LDAP/AD group. You can import an LDAP/AD group into Harbor and assign project roles to it; every LDAP/AD user in that group then has the assigned roles.
Prerequisites
- Harbor's auth_mode is ldap_auth and the basic LDAP configuration parameters are configured.
- Memberof overlay
This feature requires the memberof overlay to be enabled on the LDAP/AD server. With this overlay, the memberof attribute of an LDAP/AD user entry is updated whenever the member attribute of a group entry changes, for example when an LDAP/AD user is added to or removed from an LDAP/AD group.
- OpenLDAP -- refer to this guide to enable and verify the memberof overlay.
- Active Directory -- this feature is enabled by default.
Configure LDAP group settings
Besides the basic LDAP configuration parameters, the LDAP group related parameters must also be configured. They can be set either before or after installation.
- Configure the parameters in harbor.cfg before installation:
  - ldap_group_basedn -- The base DN from which to look up a group in LDAP/AD, for example: ou=groups,dc=example,dc=com
  - ldap_group_filter -- The filter used to search for LDAP/AD groups, for example: objectclass=groupOfNames
  - ldap_group_gid -- The attribute used to name an LDAP/AD group, for example: cn
  - ldap_group_scope -- The scope to search for LDAP/AD groups: 0-LDAP_SCOPE_BASE, 1-LDAP_SCOPE_ONELEVEL, 2-LDAP_SCOPE_SUBTREE
- Or change the configuration parameters in the web console after installation. Go to "Administration" -> "Configuration" -> "Authentication" and change the following settings:
  - LDAP Group Base DN -- ldap_group_basedn in harbor.cfg
  - LDAP Group Filter -- ldap_group_filter in harbor.cfg
  - LDAP Group GID -- ldap_group_gid in harbor.cfg
  - LDAP Group Scope -- ldap_group_scope in harbor.cfg
  - LDAP Groups With Admin Privilege -- Specify an LDAP/AD group DN; all LDAP/AD users in this group have Harbor admin privileges.
Assign project role to LDAP/AD group
Go to "Project" -> "Members" -> "+ GROUP".
You can either "Add an existing user group to project member" or "Add a group from LDAP to project member".
Once an LDAP group has been assigned a project role, log in as an LDAP/AD user in that group: the user should have the privileges of the group's role.
If a user is in the LDAP group with admin privilege (ldap_group_admin_dn), the user should have the same privileges as a Harbor admin.
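The following is an added example, not Harbor's own code, showing how ldap_group_basedn, ldap_group_scope and ldap_group_admin_dn interact with a user's memberof values: which group DNs count as Harbor groups under each scope, and whether the user falls into the admin group. The DN normalisation is a simplified assumption (no escaped commas), and the configuration and memberof values are constructed sample data.

```python
# Added example (not Harbor's own code): apply the LDAP group settings from
# this page to a user's memberof attribute. Simplified DN handling: RDNs are
# split on ',' and compared case-insensitively; escaped commas are not handled.

LDAP_SCOPE_BASE, LDAP_SCOPE_ONELEVEL, LDAP_SCOPE_SUBTREE = 0, 1, 2

def normalize_dn(dn):
    """Split a DN into (attr, value) RDNs, lowercased and whitespace-trimmed,
    so 'CN=Dev, OU=Groups' compares equal to 'cn=dev,ou=groups'."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append((attr.strip().lower(), value.strip().lower()))
    return tuple(parts)

def in_scope(group_dn, base_dn, scope):
    """ldap_group_scope semantics: BASE matches only the base DN itself,
    ONELEVEL matches direct children, SUBTREE matches base and descendants."""
    g, b = normalize_dn(group_dn), normalize_dn(base_dn)
    if scope == LDAP_SCOPE_BASE:
        return g == b
    if scope == LDAP_SCOPE_ONELEVEL:
        return len(g) == len(b) + 1 and g[1:] == b
    if scope == LDAP_SCOPE_SUBTREE:
        return len(g) >= len(b) and g[-len(b):] == b
    raise ValueError("unknown ldap_group_scope %r" % scope)

def harbor_groups(member_of, cfg):
    """Return the memberof DNs that fall inside the configured group base/scope."""
    return [dn for dn in member_of
            if in_scope(dn, cfg["ldap_group_basedn"], cfg["ldap_group_scope"])]

def is_ldap_admin(member_of, cfg):
    """True when one of the user's groups is the admin group DN (normalised)."""
    admin = normalize_dn(cfg["ldap_group_admin_dn"])
    return any(normalize_dn(dn) == admin for dn in member_of)

# Constructed sample configuration and a constructed memberof attribute.
CFG = {
    "ldap_group_basedn": "ou=groups,dc=example,dc=com",
    "ldap_group_scope": LDAP_SCOPE_SUBTREE,
    "ldap_group_admin_dn": "cn=harbor-admins,ou=groups,dc=example,dc=com",
}
MEMBER_OF = [
    "CN=dev, OU=groups, DC=example, DC=com",             # direct child, odd case
    "cn=ops,ou=nested,ou=groups,dc=example,dc=com",      # deeper under base
    "cn=staff,ou=people,dc=example,dc=com",              # outside the group base
]

if __name__ == "__main__":
    print(harbor_groups(MEMBER_OF, CFG), is_ldap_admin(MEMBER_OF, CFG))
```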
User privileges and group privileges
If a user has both a user-level role and a group-level role, only the user-level role privileges are considered.