Open pierreedbrg opened 1 year ago
If there is a security vulnerability, it is up to the admins to mitigate the risks; disabling a main feature of LDAP bind is a breaking change, as it is expected to work since it's an LDAP feature used in every service. Moreover, it all depends on the exposure of your Harbor instance: if it is not publicly exposed, the risk is greatly reduced.
To summarize, even though there is a vulnerability, it lies more in the configuration of LDAP than in the connection itself. If we accept this risk, then it's our responsibility.
Is it not possible in the latest version of Harbor to bind to LDAP using anonymous bind? This is a problem, as you must set the hardcoded password in every application.
Is it possible to enable anonymous bind, as for example GitLab enables anonymous bind for synchronization?
It forces us to create an LDAP user with read-only permission and a password that has no point. Moreover, it is a pain to manage, as if the password changes, you have to manually change it in every app.
Thanks.