Troubleshooting LDAP authentication on Harbor for vIC
Article ID: 340350

Products

VMware vSphere ESXi

Issue/Introduction

This article provides information to troubleshoot LDAP authentication on Harbor.

Harbor is an enterprise-class private registry that is part of vSphere Integrated Containers 1.0 (vIC).

Note: For more information, see the vmware/harbor project.


Symptoms:
  • When attempting to log in to the UI with a user's credentials from AD/LDAP, the following message appears in red:

    Username or password is incorrect
     
  • In the /var/log/harbor/YYYY-MM-DD/ui.log file, you see entries similar to:

    [DEBUG] [ldap.go:72]: Bind search dn errorLDAP::Bind() error (-1) : Can't contact LDAP server
    [ERROR] [base.go:186]: Error occurred in UserLogin: LDAP::Bind() error (-1) : Can't contact LDAP server
    [DEBUG] [ldap.go:72]: Bind search dn errorLDAP::Bind() error (49) : Invalid credentials
    [ERROR] [base.go:186]: Error occurred in UserLogin: LDAP::Bind() error (49) : Invalid credentials
    LDAP::Search() error : 32 (No such object)
    [ERROR] [base.go:186]: Error occurred in UserLogin: LDAP::Search() error : 32 (No such object)
    [DEBUG] [ldap.go:84]: one or more filter(sAMAccountNdame=jdoe)
    [WARNING] Not found an entry.


Environment

VMware vSphere Integrated Containers 1.0.x

Resolution

Important files and locations

Location                               Description
/harbor/harbor.cfg                     Configuration file of Harbor
/var/log/harbor/firstboot.log          Shows Harbor's status after the first boot
/var/log/harbor/subsequentboot.log     Shows Harbor's status after the last reboot of the VM
/var/log/harbor/YYYY-MM-DD/ui.log      Logs generated by Harbor's UI service


Troubleshooting process

 
Known errors in ui.log and their resolutions

Known error in ui.log:

    [DEBUG] [authenticator.go:57]: Current AUTH_MODE is ldap_auth
    [DEBUG] [ldap.go:53]: ldapURL:ldap://ldap_ip_or_fqdn:389
    [DEBUG] [ldap.go:64]: baseDn:cn=Users,dc=mydomain,dc=com
    [DEBUG] [ldap.go:68]: Search DN: cn=John Doe,cn=Users,dc=mydomain,dc=com
    [DEBUG] [ldap.go:72]: Bind search dn errorLDAP::Bind() error (-1) : Can't contact LDAP server
    [ERROR] [base.go:186]: Error occurred in UserLogin: LDAP::Bind() error (-1) : Can't contact LDAP server

Resolution:

Check that the AD/LDAP endpoint is reachable from Harbor.
  • If an FQDN is specified as the server endpoint, verify that Harbor can resolve the LDAP server name.
  • Run ping tests from Harbor to the LDAP server and from the LDAP server to Harbor to verify communication between the two components.

Known error in ui.log:

    [DEBUG] [authenticator.go:57]: Current AUTH_MODE is ldap_auth
    [DEBUG] [ldap.go:53]: ldapURL:ldap://ldap_ip_or_fqdn:389
    [DEBUG] [ldap.go:64]: baseDn:cn=Users,dc=mydomain,dc=com
    [DEBUG] [ldap.go:68]: Search DN: cn=John Doe,cn=Users,dc=mydomain,dc=com
    [DEBUG] [ldap.go:72]: Bind search dn errorLDAP::Bind() error (49) : Invalid credentials
    [ERROR] [base.go:186]: Error occurred in UserLogin: LDAP::Bind() error (49) : Invalid credentials

Resolution:

Check that the user's credentials exist in the LDAP directory.

Check that the Search DN is correct. Query the directory with ldapsearch from a Linux machine, ldp.exe on AD, and so on.

Example to test connectivity to the LDAP endpoint and the ability to retrieve data:

From a Linux machine:

    ldapsearch \
      -x -h ldap_ip_or_fqdn \
      -D <username_allowed_to_query_ldap>@<yourdomain.com> \
      -w <username_allowed_password> \
      -b dc=<yourdomain>,dc=<com> \
      -s sub '(cn=<user_cn_that_you_look_for>)' dn cn email sAMAccountName

From a Windows command line:

    dsquery user -name your_username

Example:

    dsquery user -name John*

Known error in ui.log:

    [DEBUG] [authenticator.go:57]: Current AUTH_MODE is ldap_auth
    [DEBUG] [ldap.go:53]: ldapURL:ldap://ldap_ip_or_fqdn:389
    [DEBUG] [ldap.go:64]: baseDn:cn=Users,dc=mydomain,dc=com
    [DEBUG] [ldap.go:68]: Search DN: cn=John Doe,cn=Users,dc=mydomain,dc=com
    [DEBUG] [ldap.go:84]: one or more filter(sAMAccountName=jdoe)
    LDAP::Search() error : 32 (No such object)
    [ERROR] [base.go:186]: Error occurred in UserLogin: LDAP::Search() error : 32 (No such object)

Resolution:

Check that the Base DN is correct. Query the directory with ldapsearch (the same Linux example as in the previous resolution, passing Harbor's Base DN as the -b argument), ldp.exe on AD, dsquery from a Windows command line, and so on, to confirm that the Base DN exists and returns entries.

Known error in ui.log:

    [DEBUG] [authenticator.go:57]: Current AUTH_MODE is ldap_auth
    [DEBUG] [ldap.go:53]: ldapURL:ldap://ldap_ip_or_fqdn:389
    [DEBUG] [ldap.go:64]: baseDn:cn=Users,dc=mydomain,dc=com
    [DEBUG] [ldap.go:68]: Search DN: cn=John Doe,cn=Users,dc=mydomain,dc=com
    [DEBUG] [ldap.go:84]: one or more filter(sAMAccountNdame=jdoe)
    [WARNING] Not found an entry.

Resolution:

Check that the username entered at login matches the attribute configured as ldap_uid:
  • To log in with the user's account name: ldap_uid = sAMAccountName
  • To log in with the user's email: ldap_uid = email
  • To log in with the user's cn: ldap_uid = cn

Check that ldap_scope is deep enough to reach the entry:

    ldap_scope = 1 is the least (shallowest) scope to search for users.
    ldap_scope = 3 is the deepest scope to search for users.

Known error in ui.log:

    [DEBUG] [ldap.go:53]: ldapURL:ldap://ldap_ip_or_fqdn:389
    [DEBUG] [ldap.go:64]: baseDn:cn=Users,dc=mydomain,dc=com
    [DEBUG] [ldap.go:68]: Search DN: cn=John Doe,cn=Users,dc=mydomain,dc=com
    [DEBUG] [ldap.go:84]: one or more filter(sAMAccountName=jdoe)
    [DEBUG] [ldap.go:109]: found entry:{<nil> <nil> 0 <nil> CN=John Doe,CN=Users,DC=mydomain,DC=com[{cn [John Doe]} {mail [[email protected]]}]}

Resolution:

Check whether the email address of the user logging in to the web interface is already used by another user in Harbor.

If it is, change the email addresses so that they no longer collide.
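As an added example (not part of this article and not Harbor's own code), a small Python helper that maps the ui.log signatures from the table above to the check the article says to run first, and sanity-checks the ldap_uid / ldap_scope values. The harbor.cfg key names auth_mode, ldap_uid and ldap_scope are assumed from the article, and the log lines and configuration values are constructed.

```python
# Constructed ui.log excerpt (not from a real deployment); every line is a signature from the table above.
SAMPLE_UI_LOG = """\
[ERROR] [base.go:186]: Error occurred in UserLogin: LDAP::Bind() error (-1) : Can't contact LDAP server
[ERROR] [base.go:186]: Error occurred in UserLogin: LDAP::Search() error : 32 (No such object)
[DEBUG] [ldap.go:84]: one or more filter(sAMAccountName=jdoe)
[WARNING] Not found an entry.
"""

# Constructed harbor.cfg values (key names assumed); ldap_scope = 1 is too shallow for nested users.
SAMPLE_HARBOR_CFG = {
    "auth_mode": "ldap_auth",
    "ldap_uid": "sAMAccountName",
    "ldap_scope": "1",
}

# Known ui.log signatures mapped to the check the article says to run first.
SIGNATURES = [
    ("LDAP::Bind() error (-1)", "connectivity",
     "verify DNS resolution of the LDAP host and ping in both directions"),
    ("LDAP::Bind() error (49)", "credentials",
     "verify the user's credentials exist in LDAP and the Search DN is correct"),
    ("LDAP::Search() error : 32", "base_dn",
     "verify the Base DN exists, e.g. with ldapsearch -b or dsquery"),
    ("Not found an entry", "uid_or_scope",
     "verify ldap_uid matches the login name and ldap_scope reaches the entry"),
]


def triage_ui_log(text):
    """Return an ordered, de-duplicated list of (category, hint) for known signatures."""
    hits = []
    for line in text.splitlines():
        for needle, category, hint in SIGNATURES:
            if needle in line and (category, hint) not in hits:
                hits.append((category, hint))
    return hits


def check_ldap_cfg(cfg):
    """Return findings for the auth_mode / ldap_uid / ldap_scope values this article describes."""
    findings = []
    if cfg.get("auth_mode") != "ldap_auth":
        findings.append("auth_mode is not ldap_auth")
    if cfg.get("ldap_uid", "").lower() not in ("samaccountname", "email", "cn"):
        findings.append("ldap_uid is not one of sAMAccountName, email or cn")
    if cfg.get("ldap_scope") not in ("1", "2", "3"):
        findings.append("ldap_scope must be between 1 (least) and 3 (deepest)")
    elif cfg["ldap_scope"] != "3":
        findings.append("ldap_scope < 3: entries nested below the base DN may not be searched")
    return findings
```

Run triage_ui_log over a copy of /var/log/harbor/YYYY-MM-DD/ui.log and check_ldap_cfg over the parsed harbor.cfg before opening a support request, so the collected logs already come with the first check to perform.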
 

Collecting the logs for diagnostic purposes

To collect the logs:
 
  1. Log in to the Harbor appliance console or connect over SSH, and run this command:

    /harbor/script/collect.sh

    Output of this command:

    harbor_logs.tar.gz is generated in current directory
  2. Copy the generated file to a different host and upload it to VMware for diagnosis:

    scp ./harbor_logs.tar.gz <your_username>@<remote_host_fqdn_or_ip>:</path_where_you_want_to_copy_the_file>
  3. Copy the harbor.cfg file to the same host and send it to VMware as well:

    scp /harbor/harbor.cfg <your_username>@<remote_host_fqdn_or_ip>:</path_where_you_want_to_copy_the_file>

For more information, see Uploading diagnostic information for VMware (1008525).