Configure LDAP/Active Directory Authentication

If you select LDAP/AD authentication, users whose credentials are stored in an external LDAP or AD server can log in to Harbor directly. In this case, you do not create user accounts in Harbor.

You can change the authentication mode from database to LDAP only if no local users have been added to the database. If there is at least one user other than admin in the Harbor database, you cannot change the authentication mode.

Because the users are managed by LDAP or AD, self-registration, creating users, deleting users, changing passwords, and resetting passwords are not supported in LDAP/AD authentication mode.

If you want to manage user authentication by using LDAP groups, you must enable the memberof feature on the LDAP/AD server. With the memberof feature, the LDAP/AD user entity’s memberof attribute is updated when the group entity’s member attribute is updated, for example by adding or removing an LDAP/AD user from the LDAP/AD group. This feature is enabled by default in Active Directory. For information about how to enable and verify memberof overlay in OpenLDAP, see this technical note.

  1. Log in to the Harbor interface with an account that has Harbor system administrator privileges.

  2. Under Administration, go to Configuration and select the Authentication tab.

  3. Use the Auth Mode drop-down menu to select LDAP.

    [Screenshot: LDAP authentication]

  4. Enter the address of your LDAP server, for example ldaps://10.162.16.194.

  5. Enter information about your LDAP server.

    • LDAP Search DN and LDAP Search Password: When a user logs in to Harbor with their LDAP username and password, Harbor uses these values to bind to the LDAP/AD server. For example, cn=admin,dc=example.com.

    • LDAP Base DN: Harbor looks up the user under the LDAP Base DN entry, including the subtree. For example, dc=example.com.

    • LDAP Filter: The filter to search for LDAP/AD users. For example, objectclass=user.

    • LDAP UID: An attribute, for example uid, or cn, that is used to match a user with the username. If a match is found, the user’s password is verified by a bind request to the LDAP/AD server.

    • LDAP Scope: The scope to search for LDAP/AD users. Select from Subtree, Base, and OneLevel.

      [Screenshot: Basic LDAP configuration]

  6. If you want to manage user authentication with LDAP groups, configure the group settings.

    • LDAP Group Base DN: The base DN from which to look up a group in LDAP/AD. For example, ou=groups,dc=example,dc=com. This field cannot be empty when the LDAP group feature is enabled.

    • LDAP Group Filter: The filter to search for LDAP/AD groups. For OpenLDAP: objectclass=groupOfNames. For Active Directory: objectclass=group. This field cannot be empty when the LDAP group feature is enabled.

    • LDAP Group GID: The attribute used to name an LDAP/AD group. For example, cn. This field cannot be empty when the LDAP group feature is enabled.

    • LDAP Group Admin DN: All LDAP/AD users in this group DN have Harbor system administrator privileges.

    • LDAP Group Membership: The user attribute used to identify a user as a member of a group. By default this is memberof.

    • LDAP Scope: The scope to search for LDAP/AD groups. Select from Subtree, Base, and OneLevel.

      [Screenshot: LDAP group configuration]

    • LDAP Group Attached in Parallel: Enable this option to attach groups in parallel, which avoids a timeout during user login when many groups are associated with the LDAP user.

      [Screenshot: LDAP group attached in parallel]

  7. Uncheck LDAP Verify Cert if the LDAP/AD server uses a self-signed or untrusted certificate.

    [Screenshot: LDAP certificate verification]

  8. Click Test LDAP Server to make sure that your configuration is correct.

  9. Click Save to complete the configuration.
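The settings above (LDAP Search DN, Base DN, Filter, UID and Scope) combine into one user search against the directory. The following added example, which is not Harbor's own code, models that combination and emits the equivalent ldapsearch command so the configuration can be checked from a shell before clicking Test LDAP Server; the way the filter and UID attribute are joined, and the username jdoe, are assumptions for illustration.

```python
"""Model Harbor's LDAP user lookup from the Authentication tab settings.

Constructed example, not Harbor's code: assumes the LDAP Filter and LDAP UID
are ANDed into one filter, and applies RFC 4515 escaping to the login name so a
typed username is always treated as a literal value inside that filter.
"""
import shlex

# RFC 4515 section 3: characters that must be escaped in assertion values.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# UI scope names from the configuration steps mapped to ldapsearch -s values.
_SCOPES = {"Subtree": "sub", "Base": "base", "OneLevel": "one"}


def escape_filter_value(value: str) -> str:
    """Escape a username (or any assertion value) for use inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def normalize_filter(configured: str) -> str:
    """Accept 'objectclass=user' or '(objectclass=user)' as typed into the UI."""
    configured = configured.strip()
    if not configured:
        return ""
    return configured if configured.startswith("(") else f"({configured})"


def user_search_filter(ldap_filter: str, uid_attr: str, username: str) -> str:
    """Combine the configured LDAP Filter with the LDAP UID match for one login."""
    uid_clause = f"({uid_attr}={escape_filter_value(username)})"
    base = normalize_filter(ldap_filter)
    return f"(&{base}{uid_clause})" if base else uid_clause


def ldapsearch_command(url, search_dn, base_dn, scope, filt, attrs=("memberof",)):
    """ldapsearch invocation equivalent to Harbor's lookup, for manual checking.
    -W prompts for the LDAP Search Password so it never lands in shell history;
    memberof is requested because the group feature relies on that attribute."""
    parts = ["ldapsearch", "-H", url, "-D", search_dn, "-W", "-b", base_dn,
             "-s", _SCOPES[scope], filt, *attrs]
    return " ".join(shlex.quote(p) for p in parts)


if __name__ == "__main__":
    # Values from the steps above; the username jdoe is constructed.
    filt = user_search_filter("objectclass=user", "uid", "jdoe")
    print(filt)
    print(ldapsearch_command("ldaps://10.162.16.194", "cn=admin,dc=example.com",
                             "dc=example.com", "Subtree", filt))
```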