goharbor / harbor

An open source trusted cloud native registry project that stores, signs, and scans content.
https://goharbor.io
Apache License 2.0
24.17k stars, 4.76k forks

Improve LDAP auth #16694

Open creker opened 2 years ago

creker commented 2 years ago

Is your feature request related to a problem? Please describe.
Harbor is configured with LDAP auth. Harbor doesn't proactively fetch users from LDAP. Instead it fetches user data only when someone logs in. This brings me to the problem itself. When adding users to projects I would expect Harbor to give me suggestions of existing users while I type. Instead I have to specify the user name exactly and hope it does exist. At least it seems like Harbor does allow you to add users that didn't log in previously.

Describe the solution you'd like
I'd like Harbor to give suggestions of users that I can add while I type their username. How that's implemented is not really important. Harbor could periodically fetch all users from LDAP into its internal database and use that data for suggestions. Or it could fetch users from LDAP while I type and give suggestions from that.

Another related improvement would be to allow getting suggestions while typing first or last name instead of username.

stonezdj commented 2 years ago

Harbor cannot fetch all LDAP usernames into Harbor; it would bring performance side effects to both Harbor and the LDAP server.

Verified on latest Harbor. If an LDAP user doesn't exist, adding it as a project member fails.

[Screenshot: Screen Shot 2022-04-14 at 2.21.17 PM]

If the LDAP user is a valid user but has never logged in to Harbor, adding it (by username) as a project member succeeds and the user is onboarded to Harbor automatically; the user doesn't have to log in first.

creker commented 2 years ago

@stonezdj fetching all LDAP users is standard practice across a lot of enterprise software. VMware itself does it with its vCenter LDAP integration. Same for Atlassian products, Zimbra and probably many, many others. It's better that way precisely for the reason I mentioned: it gives the administrator the ability to control user privileges, group membership and other stuff without waiting until the user logs in. Especially when you have complex LDAP filters and otherwise can't be sure that they work properly. It's good that Harbor at least allows adding users before they log in, but that's still not very user friendly. That's where suggestions would really help.

I'm not sure why it would bring performance side effects. Fetching LDAP users from an LDAP server is its whole purpose. Give the administrator the ability to adjust the fetching period and no one will even notice. Same for Harbor. Fetching users is a fairly lightweight task both for Harbor and its database.

creker commented 2 years ago

Just found out the same trick doesn't work with groups. Harbor doesn't allow adding groups to projects that are not in its internal database. In this case I will have to wait until the user logs in and Harbor syncs their groups. I was thinking about using the API method ldap/users/import to simulate periodic fetching of all LDAP users. It works, but Harbor doesn't fetch groups and group membership. It looks like this is only done when the user authenticates.

Actually, it looks like all my issues could be solved with a simple change. Allow Harbor to sync both users and groups when calling ldap/users/import. That would populate its database with all the users and groups and then Harbor would be able to give proper suggestions when typing username.

stonezdj commented 2 years ago

For an LDAP group, you can add it as a project member via its LDAP group DN when it is not onboarded in Harbor.
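The two calls discussed above (onboarding LDAP users via ldap/users/import, and adding an LDAP group to a project by its DN before the group has been seen by Harbor) as a small cron-style sync script. This is an added example, not code from Harbor or from the creker/harbor_ldap_sync project; it assumes the Harbor v2.0 endpoint paths, body fields, role ids and group_type value given in the comments, and the `sync` function, `send` hook and sample DNs are constructed for illustration.

```python
import base64
import json
import urllib.error
import urllib.request

# Assumed Harbor API constants: member_group.group_type 1 = LDAP group;
# project role ids 1 = project admin, 2 = developer, 3 = guest.
LDAP_GROUP_TYPE = 1
ROLE_DEVELOPER = 2


def auth_header(username, password):
    """HTTP Basic header for a Harbor admin account (Harbor's REST API accepts basic auth)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}", "Content-Type": "application/json"}


def import_users_request(base_url, uids):
    """Build the POST /api/v2.0/ldap/users/import call; body field assumed to be ldap_uid_list."""
    return ("POST", f"{base_url.rstrip('/')}/api/v2.0/ldap/users/import",
            {"ldap_uid_list": list(uids)})


def add_group_member_request(base_url, project, group_dn, role_id=ROLE_DEVELOPER):
    """Build the POST /api/v2.0/projects/{project}/members call that adds an LDAP group
    by DN, so the group does not need to be onboarded (the workaround stonezdj describes)."""
    return ("POST", f"{base_url.rstrip('/')}/api/v2.0/projects/{project}/members",
            {"role_id": role_id,
             "member_group": {"group_type": LDAP_GROUP_TYPE, "ldap_group_dn": group_dn}})


def http_send(method, url, body, headers):
    """Perform one call and return the HTTP status; a 409 means the member already exists."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def sync(base_url, headers, uids, group_grants, send=http_send):
    """Import users, then grant each (project, group_dn) pair. Returns a per-step
    (label, status) report so a cron job can log failures rather than skip them silently."""
    report = []
    method, url, body = import_users_request(base_url, uids)
    report.append(("import_users", send(method, url, body, headers)))
    for project, group_dn in group_grants:
        method, url, body = add_group_member_request(base_url, project, group_dn)
        report.append((f"group:{project}:{group_dn}", send(method, url, body, headers)))
    return report
```

Run it with a service account that is restricted to the projects it manages, and treat anything other than 200/201/409 in the report as a sync failure.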

creker commented 2 years ago

Thanks, didn't know that. I ended up creating a small project https://github.com/creker/harbor_ldap_sync that sits in cron and syncs all LDAP users and groups into Harbor. Still, it would be better if Harbor did that out of the box some way or another.

github-actions[bot] commented 2 years ago

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

michellabbe commented 2 years ago

If the LDAP user is a valid user but has never logged in to Harbor, adding it (by username) as a project member succeeds and the user is onboarded to Harbor automatically; the user doesn't have to log in first.

Intuitively I would expect to be able to add another user as global admin, using the "New user" button in the Administration / Users page, but the button is greyed out (v2.5.0) when auth is LDAP. It's quite annoying to have to ask users to log on first before you can assign them rights.

I just figured out after reading this that, as a workaround, you can add a non-existing user as member to a project, and then you can set him as admin in the Administration / Users page.

It works, but you should be able to do that with a single step, using the "New user" button for that purpose on that page.