Harbor v2.0.3 LDAP Group issues

Article ID: 298643

Products

VMware Tanzu Kubernetes Grid Integrated Edition

Issue/Introduction

After upgrading to Harbor v2.0.3, LDAP authorization is failing.

Symptoms include:
 
  • Observed slowness during the login process in the Harbor UI
  • Observed slowness during docker push/pull, which usually leads to a timeout error
  • Users don't see their Projects in the Harbor UI
  • LDAP warnings/errors in /var/vcap/sys/log/harbor/harbor-app-logs/core.log, including any of the following:
      - [WARNING] [/core/auth/ldap/ldap.go:121]: Can not get the ldap group name with DN <...>
      - [ERROR] [/common/utils/ldap/ldap.go:302]: Wrong filter format, filter:()
      - [WARNING] [/core/auth/ldap/ldap.go:117]: Can not get the ldap group name with DN <...>, error invalid filter syntax
      - [WARNING] [/core/auth/ldap/ldap.go:208]: ldap search group fail: invalid filter syntax
      - [WARNING] [/core/auth/ldap/ldap.go:117]: Can not get the ldap group name with DN <...>, error LDAP Result Code 4 "Size Limit Exceeded":


Environment

Product Version: 1.8

Resolution

Workaround

Ensure that the Harbor LDAP Group settings are correctly configured. As of v2.0.3, Harbor does not enforce these settings as required, but if they are not set, the LDAP Group search performed during the authorization process will run into problems. Make sure that the following are set:
 
  • LDAP Group Base DN
  • LDAP Group Filter
  • LDAP Group GID

If these are already set and you still get the error:

error LDAP Result Code 4 "Size Limit Exceeded"

then you need to tighten the LDAP Group Filter to narrow down the search results. As a workaround, you can use a filter such as the following, which lists all the group names that are needed for your Harbor environment:

(|(cn=cluster-admins)(cn=cluster-managers)(cn=developers)(cn=testgroup))
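
The following is an added example, not code from Harbor or from this article: a small Python helper that builds the narrowed group filter shown above from a list of group names and checks the three LDAP Group settings before they are saved. It goes slightly beyond the article by escaping group names per RFC 4515 and by checking the shape of the filter; the function names and the sample Base DN are assumptions.

```python
# Added example; the function names are hypothetical, not Harbor code.
REQUIRED = ("LDAP Group Base DN", "LDAP Group Filter", "LDAP Group GID")
# RFC 4515 escapes for characters that are special inside a filter value.
ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_value(value):
    """Escape a group name so it is matched literally, never as filter syntax."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def build_group_filter(group_names, attr="cn"):
    """Build an OR filter that matches only the listed groups."""
    names = [n.strip() for n in group_names if n and n.strip()]
    if not names:
        raise ValueError("at least one group name is required")
    clauses = "".join(f"({attr}={escape_value(n)})" for n in names)
    return clauses if len(names) == 1 else f"(|{clauses})"


def filter_problem(flt):
    """Return why a filter string is malformed, or None if its shape is sound."""
    if "()" in flt:
        return "empty component '()'"
    if not (flt.startswith("(") and flt.endswith(")")):
        return "must be enclosed in parentheses"
    depth = 0
    for i, ch in enumerate(flt):
        depth += (ch == "(") - (ch == ")")
        if depth < 0 or (depth == 0 and i < len(flt) - 1):
            return "unbalanced parentheses or more than one top-level filter"
    return None if depth == 0 else "unbalanced parentheses"


def check_group_settings(settings):
    """List problems with the three LDAP Group settings named in the article."""
    problems = [f"{key} is not set" for key in REQUIRED
                if not (settings.get(key) or "").strip()]
    flt = (settings.get("LDAP Group Filter") or "").strip()
    reason = filter_problem(flt) if flt else None
    if reason:
        problems.append(f"LDAP Group Filter: {reason}")
    return problems


if __name__ == "__main__":
    groups = ["cluster-admins", "cluster-managers", "developers", "testgroup"]
    print(build_group_filter(groups))
    # Constructed sample settings: GID missing, filter empty as in the log line.
    print(check_group_settings({"LDAP Group Base DN": "ou=groups,dc=example,dc=com",
                                "LDAP Group Filter": "()"}))
```

Escaping matters when group names come from a ticket or a spreadsheet: a name containing `*` or parentheses would otherwise widen the search or produce the invalid filter syntax error listed in the symptoms.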