LDAP users with the same email address cannot be added to a Harbor access group
Article ID: 316819
Updated On:
Products
Issue/Introduction
Symptoms:
- You are unable to login to Harbor as a newly added LDAP group user.
- You are unable to add Harbor LDAP user access even when the LDAP user is part of a known working access group in Harbor and Active Directory.
- The LDAP user in question has an email address in use by another LDAP user who has already logged in to Harbor.
- The LDAP user in active directory has the same email address in the email field as another user cached in the Harbor database.
- You see messages similar to the following in the /var/log/harbor/core.log file on the Harbor VM:
Jan 5 16:21:16 ###.##.#.# core[6020]: 2020-01-05T16:21:16Z [ERROR] [/core/controllers/base.go:109]: Error occurred in UserLogin: pq: duplicate key value violates unique constraint "harbor_user_email_key"
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
Environment
Resolution
This is by design. The Harbor database schema uses the Active Directory email field as a Key Value and will not cache or add a user with the same email value as a previously cached LDAP user.
Workaround:
If the old user with the same email address is no longer accessing Harbor you can remove the user from the Harbor database cache. This will not permanently resolve the issue if the removed user is going to continue to access Harbor though.
Contact Support for assistance in removing the old user.
Additional Information
Note: If vRealize Log Insight is enabled on Harbor at Harbor Tile -> Logging then the logs will not be stored on the Harbor VM at /var/log/harbor/core.log. To view the logs you will have to disable vRLI temporarily and apply changes for Harbor VM in OpsMan and review them in vRealize Log Insight
Feedback
