This guide provides instructions to manage roles by LDAP/AD group. You can import an LDAP/AD group to Harbor and assign project roles to it. All LDAP/AD users in this LDAP/AD group have assigned roles.
-
Harbor's auth_mode is ldap_auth and basic LDAP configure parameters are configured.
-
Memberof overlay
This feature requires the LDAP/AD server enabled the feature memberof overlay. With this feature, the LDAP/AD user entity's attribute memberof is updated when the group entity's member attribute is updated. For example, adding or removing an LDAP/AD user from the LDAP/AD group.
- OpenLDAP -- Refer this guide to enable and verify memberof overlay
- Active Directory -- this feature is enabled by default.
Besides basic LDAP configure parameters , LDAP group related configure parameters should be configured, they can be configured before or after installation
- Configure LDAP parameters via API, refer to Config Harbor user settings by command line
For example:
curl -X PUT -u "<username>:<password>" -H "Content-Type: application/json" -ki https://harbor.sample.domain/api/configurations -d'{"ldap_group_basedn":"ou=groups,dc=example,dc=com"}'
The following parameters are related to LDAP group configuration.
- ldap_group_basedn -- The base DN from which to lookup a group in LDAP/AD, for example: ou=groups,dc=example,dc=com
- ldap_group_filter -- The filter to search LDAP/AD group, for example: objectclass=groupOfNames
- ldap_group_gid -- The attribute used to name an LDAP/AD group, for example: cn
- ldap_group_scope -- The scope to search for LDAP/AD groups. 0-LDAP_SCOPE_BASE, 1-LDAP_SCOPE_ONELEVEL, 2-LDAP_SCOPE_SUBTREE
- Or change configure parameter in web console after installation. Go to "Administration" -> "Configuration" -> "Authentication" and change following settings.
- LDAP Group Base DN -- ldap_group_basedn in the Harbor user settings
- LDAP Group Filter -- ldap_group_filter in the Harbor user settings
- LDAP Group GID -- ldap_group_gid in the Harbor user settings
- LDAP Group Scope -- ldap_group_scope in the Harbor user settings
- LDAP Groups With Admin Privilege -- Specify an LDAP/AD group DN, all LDAPA/AD users in this group have harbor admin privileges.
In "Project" -> "Members" -> "+ GROUP".
You can "Add an existing user group to project member" or "Add a group from LDAP to project member".
Once an LDAP group is assigned a project role, log in with an LDAP/AD user in this group, the user should have the privilege of its group role.
If a user is in the LDAP groups with admin privilege (ldap_group_admin_dn), the user should have the same privileges with Harbor admin.
If a user has both user-level role and group-level role, these privileges are merged together.