Project Quay / PROJQUAY-601

Quay LDAP filter user under BASE DN can't login


    • Bug
    • Resolution: Not a Bug
    • Major
    • quay-v3.3.0
    • quay-v3.3.0
    • quay
    • 0

      Description:
      This is an issue related to the LDAP filter. With correct settings in the Quay config-app LDAP section, users under the specified "Relative DN" can log in to Quay successfully, but users under the BASE DN can't log in to Quay. Based on the Quay logs, the reason is that Quay only looks up users under the specified "Relative DN". See the logs section for reference.

      Note:
      An OpenLDAP environment is used here to show this issue.
      Quay logs:

      gunicorn-web stdout | 2020-04-20 10:47:23,228 [410] [DEBUG] [data.users.externalldap] Incoming username or email param: u'bill@redhat.com'
      gunicorn-web stdout | 2020-04-20 10:47:23,228 [410] [DEBUG] [data.users.externalldap] Conducting user search: (&(|(mail=bill@redhat.com)(uuid=bill@redhat.com))(objectClass=*)) under ou=quay,dc=example,dc=org
      gunicorn-secscan stdout | 2020-04-20 10:47:23,261 [420] [DEBUG] [util.metrics.prometheus] pushed registry to pushgateway at http://localhost:9091 with grouping key {'host': 'demo-quayecosystem-quay-6594dcf566-wkgsn', 'process_name': 'secscan:application', 'pid': '420'}

      gunicorn-web stdout | 2020-04-20 10:47:23,275 [410] [DEBUG] [data.users.externalldap] Conducting user search: (&(|(mail=bill@redhat.com)(uuid=bill@redhat.com))(objectClass=*)) under ou=usateam,dc=example,dc=org
      gunicorn-secscan stdout | 2020-04-20 10:47:23,316 [418] [DEBUG] [util.metrics.prometheus] pushed registry to pushgateway at http://localhost:9091 with grouping key {'host': 'demo-quayecosystem-quay-6594dcf566-wkgsn', 'process_name': 'secscan:application', 'pid': '418'}

      gunicorn-web stdout | 2020-04-20 10:47:23,321 [410] [DEBUG] [data.users.externalldap] Conducting user search: (&(|(mail=bill@redhat.com)(uuid=bill@redhat.com))(objectClass=*)) under ou=chinabeijing,dc=example,dc=org
      gunicorn-web stdout | 2020-04-20 10:47:23,368 [410] [DEBUG] [data.users.externalldap] Found matching pairs: []
      gunicorn-web stdout | 2020-04-20 10:47:23,370 [410] [DEBUG] [app] Ending request: urn:request:530a2d5e-5303-45af-aa87-2871e8e9c428 (/api/v1/signin)
      gunicorn-web stdout | 2020-04-20 10:47:23,372 [410] [INFO] [gunicorn.access] 10.128.2.4 - - [20/Apr/2020:10:47:23 +0000] "POST /api/v1/signin HTTP/1.0" 403 95 "https://demo-quayecosystem-quay-quay-enterprise.apps.lzha0421.qe.azure.devcluster.openshift.com/repository/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Firefox/68.0"

      Expected Results:
      Users under the BASE DN can log in to Quay successfully.

      Actual Results:
      Users under the BASE DN can NOT log in to Quay successfully.

        1. LDAP config.png
          558 kB
          luffy zhang
        2. MS AD LDAP config.png
          640 kB
          luffy zhang
        3. MS LDAP config2.png
          1.05 MB
          luffy zhang
        4. Quay config app.png
          304 kB
          luffy zhang

            jschorr Joseph Schorr (Inactive)
            lzha1981 luffy zhang
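
A triage aid for the lookup scope described in this report, as an added example that is not part of the original report or Quay's code: it extracts the search bases from `data.users.externalldap` debug lines and checks whether a given user DN falls under any of them. The log sample is a trimmed copy of the lines quoted above, and the DN `cn=bill,dc=example,dc=org` is an assumed value for the failing account.

```python
import re

# Constructed sample: the externalldap debug lines quoted in this report,
# with the gunicorn prefix and unrelated secscan lines trimmed.
SAMPLE_LOG = """\
[DEBUG] [data.users.externalldap] Incoming username or email param: u'bill@redhat.com'
[DEBUG] [data.users.externalldap] Conducting user search: (&(|(mail=bill@redhat.com)(uuid=bill@redhat.com))(objectClass=*)) under ou=quay,dc=example,dc=org
[DEBUG] [data.users.externalldap] Conducting user search: (&(|(mail=bill@redhat.com)(uuid=bill@redhat.com))(objectClass=*)) under ou=usateam,dc=example,dc=org
[DEBUG] [data.users.externalldap] Conducting user search: (&(|(mail=bill@redhat.com)(uuid=bill@redhat.com))(objectClass=*)) under ou=chinabeijing,dc=example,dc=org
[DEBUG] [data.users.externalldap] Found matching pairs: []
"""

SEARCH_RE = re.compile(r"Conducting user search: (\(.*\)) under (.+)$")
RESULT_RE = re.compile(r"Found matching pairs: (.*)$")


def split_dn(dn):
    """Split a DN into normalised RDNs (splits on unescaped commas; simplified)."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn) if p.strip()]


def dn_in_scope(user_dn, base_dn):
    """True if user_dn sits at or below base_dn (subtree scope)."""
    user, base = split_dn(user_dn), split_dn(base_dn)
    return len(user) >= len(base) and user[len(user) - len(base):] == base


def explain_lookup(log_text, user_dn):
    """Report which bases were searched and whether any could contain user_dn."""
    bases, matched = [], None
    for line in log_text.splitlines():
        if "[data.users.externalldap]" not in line:
            continue
        m = SEARCH_RE.search(line)
        if m:
            bases.append(m.group(2).strip())
            continue
        m = RESULT_RE.search(line)
        if m:
            matched = m.group(1).strip() != "[]"
    covering = [b for b in bases if dn_in_scope(user_dn, b)]
    return {"bases": bases, "matched": matched, "covering": covering}


if __name__ == "__main__":
    # Assumed DN for the failing account: an entry directly under the base DN.
    print(explain_lookup(SAMPLE_LOG, "cn=bill,dc=example,dc=org"))
```

An empty `covering` list together with `matched` being false means none of the searched bases could have contained the account, which is the situation the logs above show.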