How to configure LDAP authentication for Harbor in vIC
search cancel

How to configure LDAP authentication for Harbor in vIC


Article ID: 324890


Updated On:


VMware vSphere ESXi


This article provides information on how to configure an LDAP authentication on Harbor in vSphere Integrated Containers (vIC).


VMware vSphere Integrated Containers 1.0.x


A feature of Harbor is to allow users registered in an external LDAP or AD server to log in to the enterprise class private registry.
The LDAP authentication is configured during the Harbor's deployment through the OVA using the Customize template section, after you configured Harbor's storage location and network.

Configuring the LDAP authentication settings for Harbor during deployment

When an user's credentials are verified against an LDAP/AD, Harbor binds to the endpoint server with LDAP Search DN and LDAP Search Password.
If it successes, Harbor looks up the user under the LDAP entry LDAP Base DN including substree.
The attribute (such as uid, cn) specified by LDAP UID is used to match a user with the username. If a match is found, the user's password is verified by a bind request to the LDAP/AD server.
To set the LDAP parameters:
On the customize template window, click Authentication and set the parameters mentioned in the following table. There are 7 parameters to set:
Parameter Value
Authentication Mode: By default, it is set to db_auth.
Choose ldap_auth to allow your users from LDAP or AD to log in to Harbor.
Note: This option can only be set once. After the first boot of Harbor, it cannot be possible to change the authentication mode, it will not be considered even if the mode is changed in the VM's settings.
As a workaround, redeploy Harbor with the correct authentication mode.
auth_mod = ldap_auth
Self Registration: Determine whether the self-registration is allowed or not.
Set this to off to disable a user's self-registration in Harbor.
Note: This flag has no effect when users are stored in LDAP or AD.
on or off
LDAP URL: The URL of an LDAP/AD server.
ldap://ip_or_fqdn_ldap_server:389(default) or ldaps://ip_or_fqdn_ldap_server:636 (default)
(if you implemented LDAP over SSL)
LDAP Search DN: A user's DN who has the permission to search the LDAP/AD server.
Leave blank if your LDAP/AD server supports anonymous search, otherwise you should configure this DN and LDAP Search Password.
ldap_searchdn = cn=user_cn, cn=user_accounts_cn, dc=domain_p1, dc=domain_p2 ldap_searchdn = cn=John Doe,cn=Users,dc=mydomain,dc=com
LDAP Search Password: The password of the user for LDAP search.
Leave blank if your LDAP/AD server supports anonymous search.
ldap_search_pwd = user_password
LDAP Base DN: The base DN of a node from which to look up a user for authentication. The search scope includes subtree of the node.ldap_basedn = dc=mydomain,dc=com
LDAP UID: The attribute used in a search to match a user, it could be uid, cn, email, sAMAccountName or other attributes depending on your LDAP/AD server.ldap_uid = sAMAccountName

Modifying the LDAP authentication settings post deployment

To modify the LDAP authentication settings for Harbor after deployment:
  1. Power off the VM and edit the settings of the VM.
  2. Right-click Harbor VM and go to Edit Settings... > vApp Options.
  3. Select the Enable vApp options check box.
  4. Modify the ldap settings under Application properties - Harbor > Authentication.
  5. When the modifications are complete, start the VM.

Additional Information
Troubleshooting LDAP authentication on Harbor for vIC