goharbor / harbor

An open source trusted cloud native registry project that stores, signs, and scans content.
https://goharbor.io
Apache License 2.0

LDAP password is periodically corrupted in outgoing requests #20795

Open paragon21 opened 1 month ago

paragon21 commented 1 month ago

I have encountered a strange problem when using Harbor - periodically, during outgoing connections to the AD server, Harbor starts sending a bad password for the server account. It looks like incorrect encoding. This prevents authentication either through the web UI or through the docker client. I have tried saving the LDAP connection settings via the web UI, and statically via the env variable CONFIG_OVERWRITE_JSON, but the problem persists. After rebooting all components, the problem usually goes away for some time, for a couple of hours or even days. The password contains only Latin letters (eng) and digits; the bind DN contains Cyrillic and Latin characters.

2024-07-30T08:14:27Z [WARNING] [/core/auth/ldap/ldap.go:69]: ldap search fail: can not bind search dn, error: LDAP Result Code 49 "Invalid Credentials": 80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 775, v2580
2024-07-30T08:14:27Z [ERROR] [/core/controllers/base.go:101]: Error occurred in UserLogin: can not bind search dn, error: LDAP Result Code 49 "Invalid Credentials": 80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 775, v2580


stonezdj commented 1 month ago

https://stackoverflow.com/questions/38471361/ldap-errors-ldap-error-code-49-80090308-ldaperr-dsid-0c0903a9

The data 775 indicate that this account is locked out, maybe some other user is trying to login to the Active Directory with the wrong password.

paragon21 commented 1 month ago

@stonezdj Yes, it does, except if users were to send a lot of invalid requests, they would get a personal AD account lockout. I am getting a Harbor account lockout, which makes it impossible to connect any user and platform component that interacts with Harbor. Dumping the traffic shows that the password becomes corrupted after a while, and only rebooting all components for a while helps.

stonezdj commented 1 month ago

> Dumping the traffic shows that the password becomes corrupted after a while, and only rebooting all components for a while helps.

Do you have any log or screenshot to prove that? The reboot has no relationship with the account unlock; it just happens when the lock is timed out.

Vad1mo commented 2 weeks ago

@paragon21, Harbor has its state in the DB and Redis. Before restarting Harbor, can you try to restart Redis to see if the error resolves?

Also, can you identify what in the password changes? Is it the encoding, from what to what? Is the user sending the pwd with the wrong encoding, maybe? Old-school Linux problem?
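Whether the failures are a lockout (data 775) or a genuinely wrong password (data 52e) can be told apart from the AD sub-code in the Harbor core log, which is the distinction the thread turns on. The following triage script is an added example, not Harbor's own code: it parses the `LDAP Result Code 49` lines quoted above, maps the `data` value to the documented Active Directory bind sub-codes, and counts failures by reason so a lockout storm stands out from individual bad-password attempts. The log lines it runs on are constructed from the two entries in the issue plus one made-up 52e line.

```python
import re
from collections import Counter

# Constructed sample: the two lines quoted in the issue plus a made-up wrong-password
# entry (data 52e) and an unrelated line, to show that only bind failures are picked up.
SAMPLE_LOG = """\
2024-07-30T08:14:27Z [WARNING] [/core/auth/ldap/ldap.go:69]: ldap search fail: can not bind search dn, error: LDAP Result Code 49 "Invalid Credentials": 80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 775, v2580
2024-07-30T08:14:27Z [ERROR] [/core/controllers/base.go:101]: Error occurred in UserLogin: can not bind search dn, error: LDAP Result Code 49 "Invalid Credentials": 80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 775, v2580
2024-07-30T09:02:11Z [WARNING] [/core/auth/ldap/ldap.go:69]: ldap search fail: can not bind search dn, error: LDAP Result Code 49 "Invalid Credentials": 80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580
2024-07-30T09:03:00Z [INFO] [/core/main.go:200]: unrelated line that must be ignored
"""

# Active Directory sub-codes carried in the "data NNN" field of a Result Code 49 bind error.
AD_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Harbor core log prefix, then the LDAP result code and the AD "data" sub-code.
BIND_FAILURE = re.compile(
    r"^(?P<ts>\S+) \[(?P<level>\w+)\] \[(?P<src>[^\]]+)\]: "
    r".*?LDAP Result Code (?P<code>\d+) .*?AcceptSecurityContext error, data (?P<data>[0-9a-f]+)"
)


def parse_bind_failures(log_text):
    """Return one dict per LDAP bind failure found in the log text."""
    events = []
    for line in log_text.splitlines():
        m = BIND_FAILURE.search(line)
        if not m:
            continue
        data = m.group("data")
        events.append({
            "ts": m.group("ts"),
            "source": m.group("src"),
            "result_code": int(m.group("code")),
            "data": data,
            "reason": AD_DATA_CODES.get(data, "unknown AD sub-code " + data),
        })
    return events


def count_by_reason(log_text):
    """Count bind failures per decoded reason; many 775 hits mean the bind account is locked."""
    return Counter(e["reason"] for e in parse_bind_failures(log_text))
```

Run against a real `core.log`, a run of `account locked out` entries indicates the search DN account itself is locked on the AD side, whereas `invalid credentials (wrong password)` entries point at the password Harbor is actually sending.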