Details
Bug
Resolution: Not a Bug
Major
quay-v3.3.0
Description:
This is an issue related to the LDAP filter. With correct settings in the Quay config-app LDAP section, users under the specified "Relative DN" can log in to Quay successfully, but users under the BASE DN can't log in to Quay. Based on the Quay logs, the reason is that Quay only looks up users under the specified "Relative DN". See the logs section for reference.
*Note:*
An OpenLDAP environment is used here to show this issue.
Quay logs:
gunicorn-web stdout | 2020-04-20 10:47:23,228 [410] [DEBUG] [data.users.externalldap] Incoming username or email param: u'bill@redhat.com'
gunicorn-web stdout | 2020-04-20 10:47:23,228 [410] [DEBUG] [data.users.externalldap] Conducting user search: (&(|(mail=bill@redhat.com)(uuid=bill@redhat.com))(objectClass=*)) under ou=quay,dc=example,dc=org
gunicorn-secscan stdout | 2020-04-20 10:47:23,261 [420] [DEBUG] [util.metrics.prometheus] pushed registry to pushgateway at http://localhost:9091 with grouping key
gunicorn-web stdout | 2020-04-20 10:47:23,275 [410] [DEBUG] [data.users.externalldap] Conducting user search: (&(|(mail=bill@redhat.com)(uuid=bill@redhat.com))(objectClass=*)) under ou=usateam,dc=example,dc=org
gunicorn-secscan stdout | 2020-04-20 10:47:23,316 [418] [DEBUG] [util.metrics.prometheus] pushed registry to pushgateway at http://localhost:9091 with grouping key
gunicorn-web stdout | 2020-04-20 10:47:23,321 [410] [DEBUG] [data.users.externalldap] Conducting user search: (&(|(mail=bill@redhat.com)(uuid=bill@redhat.com))(objectClass=*)) under ou=chinabeijing,dc=example,dc=org
gunicorn-web stdout | 2020-04-20 10:47:23,368 [410] [DEBUG] [data.users.externalldap] Found matching pairs: []
gunicorn-web stdout | 2020-04-20 10:47:23,370 [410] [DEBUG] [app] Ending request: urn:request:530a2d5e-5303-45af-aa87-2871e8e9c428 (/api/v1/signin)
gunicorn-web stdout | 2020-04-20 10:47:23,372 [410] [INFO] [gunicorn.access] 10.128.2.4 - - [20/Apr/2020:10:47:23 +0000] "POST /api/v1/signin HTTP/1.0" 403 95 "https://demo-quayecosystem-quay-quay-enterprise.apps.lzha0421.qe.azure.devcluster.openshift.com/repository/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Firefox/68.0"
Expected Results:
Users under the BASE DN can log in to Quay successfully.
Actual Results:
Users under the BASE DN can NOT log in to Quay successfully.
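
An added example, not part of the original report or of Quay's code: a Python check that pulls the search bases out of the `data.users.externalldap` debug lines above and tests whether a user DN falls under any of them. The two `uid=bill,...` DNs are constructed for illustration, and matching by DN suffix (subtree scope) is an assumption.

```python
import re

# Log lines copied from the report above (only the externalldap search/result lines).
LOG = """\
gunicorn-web stdout | 2020-04-20 10:47:23,228 [410] [DEBUG] [data.users.externalldap] Conducting user search: (&(|(mail=bill@redhat.com)(uuid=bill@redhat.com))(objectClass=*)) under ou=quay,dc=example,dc=org
gunicorn-web stdout | 2020-04-20 10:47:23,275 [410] [DEBUG] [data.users.externalldap] Conducting user search: (&(|(mail=bill@redhat.com)(uuid=bill@redhat.com))(objectClass=*)) under ou=usateam,dc=example,dc=org
gunicorn-web stdout | 2020-04-20 10:47:23,321 [410] [DEBUG] [data.users.externalldap] Conducting user search: (&(|(mail=bill@redhat.com)(uuid=bill@redhat.com))(objectClass=*)) under ou=chinabeijing,dc=example,dc=org
gunicorn-web stdout | 2020-04-20 10:47:23,368 [410] [DEBUG] [data.users.externalldap] Found matching pairs: []
"""

SEARCH_RE = re.compile(
    r"\[data\.users\.externalldap\] Conducting user search: (?P<filter>\(.*\)) under (?P<base>\S+)$"
)


def searched_bases(log_text):
    """Return the search base DNs in the order they were queried."""
    matches = (SEARCH_RE.search(line) for line in log_text.splitlines())
    return [m.group("base") for m in matches if m]


def split_dn(dn):
    """Split a DN into lower-cased RDNs (escaped commas are not handled)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def is_under(entry_dn, base_dn):
    """True if entry_dn equals base_dn or sits below it (assumed subtree scope)."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base


def covering_bases(entry_dn, bases):
    """Return the search bases whose subtree contains entry_dn."""
    return [b for b in bases if is_under(entry_dn, b)]


if __name__ == "__main__":
    bases = searched_bases(LOG)
    # Constructed DNs: one directly under the base DN, one under a configured OU.
    for dn in ("uid=bill,dc=example,dc=org", "uid=bill,ou=quay,dc=example,dc=org"):
        hits = covering_bases(dn, bases)
        print(f"{dn}: {'covered by ' + ', '.join(hits) if hits else 'not covered by any search base'}")
```
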