goharbor / harbor

An open source trusted cloud native registry project that stores, signs, and scans content.
https://goharbor.io
Apache License 2.0

Unable to provide CA for LDAP server #14704

Open mattdowdell opened 3 years ago

mattdowdell commented 3 years ago

Expected behavior and actual behavior:

I have an LDAP server that supports ldaps, but it uses a certificate derived from an internal CA. I'd like to be able to tell Harbor to use that CA when connecting to LDAP, but I am unable to find documentation suggesting this is supported/possible. Instead, the recommendation is to simply disable TLS verification, which works but isn't ideal.

If I've simply overlooked documentation for configuring this, I'm happy to be proved wrong :)

Steps to reproduce the problem:

Versions: Please specify the versions of following systems.

Additional context:

Potential duplicate(s): #9396

stonezdj commented 3 years ago

After installing Harbor, there is a directory under common/config/shared/trust-certificates. Copy the LDAP certificate, for example ldap_ca.crt, to this directory and restart Harbor. The certificate is added to the trust store of the core container, and then you can enable "Verify Cert" in the LDAP configuration.

mattdowdell commented 3 years ago

Thanks for the tip, I think that solves the immediate problem :)

However, it looks like this directory is created during the install process and feels more like an internal implementation detail than something officially supported/documented. Would it be possible to add something to the harbor.yml config file to make it more user-friendly and discoverable in a future release?

grafra commented 2 years ago

I have the same problem. I am trying to use our company's AD server as the LDAP server with Harbor 2.4.

I think it would be nice to have a possibility to configure this in some way, or at least to have it mentioned in the documentation.

grafra commented 2 years ago

I copied a file with the certificate of the AD server into the directory common/config/shared/trust-certificates. Then I selected the checkbox LDAP Verify Certificate. It worked.

However, it only worked the second time I tried. The first time I used ./install to restart Harbor, and this removed the certificate again.

github-actions[bot] commented 2 years ago

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

jdehaan commented 1 year ago

I also think the best way to deal with the issue:

The main pitfall is forgetting to copy over the files again AFTER running prepare... (I patched the prepare script to do that for my setup as a workaround.)
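The steps from the thread (drop the CA file into common/config/shared/trust-certificates, restart, then enable "Verify Cert") and the pitfall that prepare/install wipes that directory can be wrapped in a small POSIX shell helper. This is an added example, not part of the Harbor project or any of the commenters' setups: the trust directory path is the one named in the thread, HARBOR_DIR defaulting to /opt/harbor and the ./prepare invocation are assumptions, and the ldaps check relies on openssl being installed on the host.

```sh
#!/bin/sh
# Added example (not Harbor project code). Keeps an internal LDAP CA in Harbor's
# trust-certificates directory, re-applies it after prepare/install (which the
# thread reports regenerates common/config), and checks the ldaps chain first.
# Assumptions: HARBOR_DIR holds harbor.yml, prepare and install.sh; the relative
# trust directory path is the one given in the thread.
set -u

HARBOR_DIR="${HARBOR_DIR:-/opt/harbor}"
TRUST_DIR_REL="common/config/shared/trust-certificates"

# is_pem_cert FILE: succeed only if FILE is readable and carries PEM markers.
is_pem_cert() {
  [ -r "$1" ] || return 1
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || return 1
  grep -q -- '-----END CERTIFICATE-----' "$1" || return 1
  return 0
}

# install_ldap_ca CA_FILE [HARBOR_DIR]: copy the CA into the trust directory,
# world-readable so the core container can pick it up; prints the destination.
install_ldap_ca() {
  ca="$1"; base="${2:-$HARBOR_DIR}"
  is_pem_cert "$ca" || { echo "not a PEM certificate: $ca" >&2; return 1; }
  dest_dir="$base/$TRUST_DIR_REL"
  mkdir -p "$dest_dir" || return 1
  dest="$dest_dir/$(basename "$ca")"
  cp "$ca" "$dest" || return 1
  chmod 0644 "$dest" || return 1
  echo "$dest"
}

# ca_is_installed CA_FILE [HARBOR_DIR]: succeed if an identical copy of the CA
# is present in the trust directory (detects the "prepare removed it" case).
ca_is_installed() {
  ca="$1"; base="${2:-$HARBOR_DIR}"
  dest="$base/$TRUST_DIR_REL/$(basename "$ca")"
  [ -f "$dest" ] && cmp -s "$ca" "$dest"
}

# prepare_with_ca CA_FILE [HARBOR_DIR] [PREPARE_CMD]: run prepare (or install.sh)
# from HARBOR_DIR, then put the CA back if the run dropped it.
prepare_with_ca() {
  ca="$1"; base="${2:-$HARBOR_DIR}"; cmd="${3:-./prepare}"
  ( cd "$base" && sh -c "$cmd" ) || return 1
  ca_is_installed "$ca" "$base" && return 0
  install_ldap_ca "$ca" "$base" >/dev/null
}

# check_ldaps HOST PORT CA_FILE: verify the server's chain against the CA before
# ticking "Verify Cert" in the UI. Returns 2 when openssl is not available.
check_ldaps() {
  command -v openssl >/dev/null 2>&1 || return 2
  out=$(openssl s_client -connect "$1:$2" -CAfile "$3" -verify_return_error \
        </dev/null 2>&1) || { echo "$out" | grep -i 'verify' >&2; return 1; }
  echo "$out" | grep -q 'Verify return code: 0 (ok)'
}
```

Typical use is `check_ldaps ldap.example.internal 636 /path/ldap_ca.crt && install_ldap_ca /path/ldap_ca.crt`, followed by a restart of the Harbor containers; afterwards run `prepare_with_ca /path/ldap_ca.crt` instead of bare `./prepare` so the CA survives regeneration of common/config.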

stonezdj commented 1 week ago

You can try this way: configure the ca.crt path in the ca_bundle of the storage_service; then it will be trusted by all Harbor containers. See https://github.com/goharbor/harbor/blob/main/make/harbor.yml.tmpl#L70C1-L73C15