goharbor / harbor

An open source trusted cloud native registry project that stores, signs, and scans content.
https://goharbor.io
Apache License 2.0
23.76k stars 4.73k forks

LDAP login timeout #17041

Closed pavanfhw closed 1 year ago

pavanfhw commented 2 years ago

I have an LDAP server for my Harbor installation authentication. I can log in to the UI with no problems, although it is slow (around 20 seconds). But I can't log in to my registry via the docker CLI (docker login harbor.my.company) so I can push/pull images. I get the following error:

    Error response from daemon: Get https://harbor.my.company/v2/: Get https://harbor.my.company/service/token?account=felipe.pavan&client_id=docker&offline_token=true&service=harbor-registry: net/http: request canceled (Client.Timeout exceeded while awaiting headers) (Client.Timeout exceeded while awaiting headers)

I'm guessing it is an actual timeout error (not one of the other errors I found in other issues), because logging in to my Authentik LDAP server takes more than 15 seconds, which appears to be the timeout value. Is there a way to resolve this other than speeding up the login process?

stonezdj commented 2 years ago

What is your installation type, docker-compose or k8s? If the timeout issue is caused by the LDAP login, then we should hit the same issue with both the web UI login and the CLI login. Could you please verify whether the admin user can log in via the docker CLI? The admin doesn't need to connect to the LDAP server. If it fails with the same error, then it should be a configuration issue with your Harbor. Please check the external_url variable in your harbor-core container.

pavanfhw commented 2 years ago

The installation is via docker-compose. And yes, the only user able to log in via CLI is the admin. But all users can log in via UI.

pavanfhw commented 2 years ago

@stonezdj any ideas to solve this problem?

stonezdj commented 2 years ago

How long does it take to time out? Does it exceed 900 seconds? If yes, then we could try to update the timeout setting in common/config/nginx/nginx.conf:

    location /v2/ {
      proxy_pass http://core/v2/;
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
      proxy_buffering off;
      proxy_request_buffering off;
      proxy_send_timeout 900;
      proxy_read_timeout 900;
    }

pavanfhw commented 2 years ago

I tried your suggestion and the result was the same. The login command times out in 15 seconds:

    $ time docker login harbor.my.company -u my.user -ppassword
    WARNING! Using --password via the CLI is insecure. Use --password-stdin.
    Error response from daemon: Get https://harbor.my.company/v2/: Get https://harbor.my.company/service/token?account=my.user&client_id=docker&offline_token=true&service=harbor-registry: net/http: request canceled (Client.Timeout exceeded while awaiting headers) (Client.Timeout exceeded while awaiting headers)

    real    0m15.182s
    user    0m0.044s
    sys     0m0.040s

I think that, as the login on the LDAP server takes more than 15 seconds to respond to Harbor, Harbor does not answer the docker CLI in this time and the command exits with an error. Later the LDAP login succeeds and returns to Harbor, but the command has already failed. I understood by researching that it is not possible to increase the docker login timeout value, so it seems there is no solution via Harbor, but only by speeding up the login process in the LDAP server.

@stonezdj any other thoughts/options?
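
The timing reasoning in the comment above, as an added example that is not part of the original thread or of Harbor's or Docker's code: a Go `http.Client` whose `Timeout` is shorter than the backend's response time fails with the same `Client.Timeout exceeded while awaiting headers` text, whatever timeouts the server side allows. The `tokenRequest` helper, the token value and the durations (scaled down from the thread's 20 s and 15 s) are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// tokenRequest (hypothetical helper) sends one GET to a local stand-in for a
// token endpoint whose handler blocks for backendDelay, modelling a slow LDAP
// bind, while the caller enforces its own clientTimeout.
// It returns the HTTP status, whether the failure was a timeout, and the error.
func tokenRequest(backendDelay, clientTimeout time.Duration) (int, bool, error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		select {
		case <-time.After(backendDelay): // backend authentication finally answers
			w.Header().Set("Content-Type", "application/json")
			fmt.Fprint(w, `{"token":"constructed-sample"}`)
		case <-r.Context().Done(): // the client already hung up
		}
	}))
	defer srv.Close()

	client := &http.Client{Timeout: clientTimeout}
	resp, err := client.Get(srv.URL + "/service/token?service=harbor-registry")
	if err != nil {
		var ne net.Error
		return 0, errors.As(err, &ne) && ne.Timeout(), err
	}
	defer resp.Body.Close()
	return resp.StatusCode, false, nil
}

func main() {
	// Constructed durations, scaled down 100x: 200 ms vs 150 ms ~ 20 s vs 15 s.
	_, timedOut, err := tokenRequest(200*time.Millisecond, 150*time.Millisecond)
	fmt.Println("slow backend: timedOut =", timedOut, "err =", err)

	status, _, _ := tokenRequest(20*time.Millisecond, 150*time.Millisecond)
	fmt.Println("fast backend: status =", status)
}
```
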

github-actions[bot] commented 1 year ago

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

github-actions[bot] commented 1 year ago

This issue was closed because it has been stalled for 30 days with no activity. If this issue is still relevant, please re-open a new issue.

kenyon commented 1 year ago

Related: https://github.com/moby/moby/issues/44350

ansromanov commented 5 months ago

I've also experienced a slow UI login, taking about 10-15 seconds, alongside delayed API requests when LDAP authentication mode is on. I've tested this on Harbor v2.9.4-a6d707df in both Docker and Kubernetes installations. Querying the LDAP server with openssl s_client and ldapsearch shows no latency problems. However, this slowdown seems to occur only when LDAP group filtering is activated, and this issue is possibly linked to the issue documented at https://github.com/goharbor/harbor/issues/20038.

I use the following LDAP configuration (some fields are changed for security reasons): [image]

ansromanov commented 5 months ago

@stonezdj could you kindly reopen this one?