How to configure LDAP authentication for Harbor in vIC
Article ID: 324890

Products

VMware vSphere ESXi

Issue/Introduction

This article describes how to configure LDAP authentication for Harbor in vSphere Integrated Containers (vIC).

Environment

VMware vSphere Integrated Containers 1.0.x

Resolution

Harbor allows users registered in an external LDAP or AD server to log in to the enterprise-class private registry.
LDAP authentication is configured during Harbor's deployment from the OVA, in the Customize template section, after you have configured Harbor's storage location and network.

Configuring the LDAP authentication settings for Harbor during deployment

When a user's credentials are verified against LDAP/AD, Harbor first binds to the endpoint server with the LDAP Search DN and LDAP Search Password.
If that bind succeeds, Harbor looks up the user under the LDAP Base DN entry, including its subtree.
The attribute specified by LDAP UID (such as uid or cn) is used to match an entry with the supplied username. If a match is found, the user's password is verified by a bind request to the LDAP/AD server as that user.
To set the LDAP parameters:
On the Customize template window, click Authentication and set the parameters described below. There are 7 parameters to set:
Parameter: Authentication Mode
Description: By default, it is set to db_auth. Choose ldap_auth to allow your users from LDAP or AD to log in to Harbor.
Note: This option can only be set once. After the first boot of Harbor, the authentication mode cannot be changed; a new value set in the VM's settings is ignored. As a workaround, redeploy Harbor with the correct authentication mode.
Value: auth_mode = ldap_auth

Parameter: Self Registration
Description: Determines whether self-registration is allowed. Set this to off to disable users' self-registration in Harbor.
Note: This flag has no effect when users are stored in LDAP or AD.
Value: on or off

Parameter: LDAP URL
Description: The URL of the LDAP/AD server.
Value: ldap://ip_or_fqdn_ldap_server:389 (default port) or, if you implemented LDAP over SSL, ldaps://ip_or_fqdn_ldap_server:636 (default port)

Parameter: LDAP Search DN
Description: The DN of a user who has permission to search the LDAP/AD server. Leave blank if your LDAP/AD server supports anonymous search; otherwise configure this DN together with LDAP Search Password.
Value: ldap_searchdn = cn=user_cn,cn=user_accounts_cn,dc=domain_p1,dc=domain_p2
Example: ldap_searchdn = cn=John Doe,cn=Users,dc=mydomain,dc=com

Parameter: LDAP Search Password
Description: The password of the user performing the LDAP search. Leave blank if your LDAP/AD server supports anonymous search.
Value: ldap_search_pwd = user_password

Parameter: LDAP Base DN
Description: The base DN of the node from which to look up a user for authentication. The search scope includes the subtree of the node.
Value: ldap_basedn = dc=mydomain,dc=com

Parameter: LDAP UID
Description: The attribute used in the search to match a user. It can be uid, cn, email, sAMAccountName or another attribute, depending on your LDAP/AD server.
Value: ldap_uid = sAMAccountName
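To make the bind-search-bind sequence and the configuration keys above concrete, here is an added Python example (not Harbor's own code) that runs the same three steps against a constructed in-memory stand-in for the LDAP/AD server. It escapes the username before building the search filter and refuses empty passwords, so an unauthenticated bind can never be mistaken for a successful login; the directory entries, passwords and FakeLdap class are all constructed for this example.

```python
import re

# Constructed stand-in for the LDAP/AD server named in "LDAP URL": DN -> attributes.
# A real deployment talks to the directory over ldap:// or ldaps:// instead.
DIRECTORY = {
    "cn=John Doe,cn=Users,dc=mydomain,dc=com": {"sAMAccountName": "jdoe", "pw": "S3cret!"},
    "cn=Svc Harbor,cn=Users,dc=mydomain,dc=com": {"sAMAccountName": "svc-harbor", "pw": "B1ndPw"},
    # same login name but outside the base DN: must not be found by a subtree search
    "cn=Old Acct,cn=Users,dc=other,dc=com": {"sAMAccountName": "jdoe", "pw": "x"},
}

def escape_filter_value(value):
    """RFC 4515 escaping so a username is always a literal value inside the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

class FakeLdap:
    """Minimal model of LDAP simple bind and subtree search (constructed for this example)."""
    def bind(self, dn, password):
        if not dn and not password:
            return True                      # anonymous bind, used when Search DN is left blank
        if dn in DIRECTORY and password == "":
            return True                      # RFC 4513 5.1.2 unauthenticated bind: many servers accept it
        return dn in DIRECTORY and DIRECTORY[dn]["pw"] == password

    def search(self, base_dn, flt):
        attr, raw = re.fullmatch(r"\((\w+)=(.*)\)", flt).groups()
        value = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), raw)
        return [dn for dn, e in DIRECTORY.items()
                if (dn == base_dn or dn.endswith("," + base_dn)) and e.get(attr) == value]

def authenticate(ldap, cfg, username, password):
    """Harbor-style check: service bind, subtree search on LDAP UID, then bind as the user."""
    if not password:
        return False                         # never forward an empty password to bind()
    if not ldap.bind(cfg["ldap_searchdn"], cfg["ldap_search_pwd"]):
        return False                         # wrong Search DN/password: no LDAP user can log in
    flt = f"({cfg['ldap_uid']}={escape_filter_value(username)})"
    matches = ldap.search(cfg["ldap_basedn"], flt)
    if len(matches) != 1:
        return False                         # no match, or ambiguous match, both fail closed
    return ldap.bind(matches[0], password)   # verify the user's own password

# Values in the form the Authentication section of the OVA template expects (constructed).
CFG = {"ldap_searchdn": "cn=Svc Harbor,cn=Users,dc=mydomain,dc=com", "ldap_search_pwd": "B1ndPw",
       "ldap_basedn": "dc=mydomain,dc=com", "ldap_uid": "sAMAccountName"}

if __name__ == "__main__":
    print(authenticate(FakeLdap(), CFG, "jdoe", "S3cret!"))   # True
    print(authenticate(FakeLdap(), CFG, "jdoe", ""))          # False, despite the server's bind behaviour
```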

Modifying the LDAP authentication settings post deployment

To modify the LDAP authentication settings for Harbor after deployment:
  1. Power off the VM so that its settings can be edited.
  2. Right-click the Harbor VM and go to Edit Settings... > vApp Options.
  3. Select the Enable vApp options check box.
  4. Modify the LDAP settings under Application properties - Harbor > Authentication.
  5. When the modifications are complete, start the VM.


Additional Information

https://github.com/vmware/harbor
Troubleshooting LDAP authentication on Harbor for vIC