Project Quay: PROJQUAY-601

Quay LDAP filter user under BASE DN can't login


Details

    • Bug
    • Resolution: Not a Bug
    • Major
    • quay-v3.3.0
    • quay-v3.3.0
    • quay
    • 0

    Description

      Description:
      This is an issue related to the LDAP filter. With correct settings in the Quay config-app LDAP section, users under the specified "Relative DN" can log in to Quay successfully, but users under the BASE DN can't log in to Quay. Based on the Quay logs, the reason is that Quay only looks up users under the specified "Relative DN". See the logs section for reference.

      Note:
      An OpenLDAP environment is used here to show this issue.
      Quay logs:

      gunicorn-web stdout | 2020-04-20 10:47:23,228 [410] [DEBUG] [data.users.externalldap] Incoming username or email param: u'bill@redhat.com'
      gunicorn-web stdout | 2020-04-20 10:47:23,228 [410] [DEBUG] [data.users.externalldap] Conducting user search: (&(|(mail=bill@redhat.com)(uuid=bill@redhat.com))(objectClass=*)) under ou=quay,dc=example,dc=org
      gunicorn-secscan stdout | 2020-04-20 10:47:23,261 [420] [DEBUG] [util.metrics.prometheus] pushed registry to pushgateway at http://localhost:9091 with grouping key {'host': 'demo-quayecosystem-quay-6594dcf566-wkgsn', 'process_name': 'secscan:application', 'pid': '420'}

      gunicorn-web stdout | 2020-04-20 10:47:23,275 [410] [DEBUG] [data.users.externalldap] Conducting user search: (&(|(mail=bill@redhat.com)(uuid=bill@redhat.com))(objectClass=*)) under ou=usateam,dc=example,dc=org
      gunicorn-secscan stdout | 2020-04-20 10:47:23,316 [418] [DEBUG] [util.metrics.prometheus] pushed registry to pushgateway at http://localhost:9091 with grouping key {'host': 'demo-quayecosystem-quay-6594dcf566-wkgsn', 'process_name': 'secscan:application', 'pid': '418'}

      gunicorn-web stdout | 2020-04-20 10:47:23,321 [410] [DEBUG] [data.users.externalldap] Conducting user search: (&(|(mail=bill@redhat.com)(uuid=bill@redhat.com))(objectClass=*)) under ou=chinabeijing,dc=example,dc=org
      gunicorn-web stdout | 2020-04-20 10:47:23,368 [410] [DEBUG] [data.users.externalldap] Found matching pairs: []
      gunicorn-web stdout | 2020-04-20 10:47:23,370 [410] [DEBUG] [app] Ending request: urn:request:530a2d5e-5303-45af-aa87-2871e8e9c428 (/api/v1/signin)
      gunicorn-web stdout | 2020-04-20 10:47:23,372 [410] [INFO] [gunicorn.access] 10.128.2.4 - - [20/Apr/2020:10:47:23 +0000] "POST /api/v1/signin HTTP/1.0" 403 95 "https://demo-quayecosystem-quay-quay-enterprise.apps.lzha0421.qe.azure.devcluster.openshift.com/repository/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Firefox/68.0"

      Expected Results:
      Users under the BASE DN can log in to Quay successfully.

      Actual Results:
      Users under the BASE DN can NOT log in to Quay successfully.

      Attachments

        1. LDAP config.png (558 kB)
        2. MS AD LDAP config.png (640 kB)
        3. MS LDAP config2.png (1.05 MB)
        4. Quay config app.png (304 kB)

          People

            jschorr Joseph Schorr (Inactive)
            lzha1981 luffy zhang