Authenticate Harbor with Authentik LDAP outpost
authentik does an excellent job as an authentication provider using modern protocols like OIDC. Some applications (like Jellyfin or Harbor) don't support OIDC, but can be configured to use LDAP for authentication.
I recently migrated a Harbor instance from an OpenLDAP authentication backend to Authentik's LDAP outpost, and struggled a little with the configuration.
Now that it's working, I thought I'd document it here so that I don't forget!
Two critical issues affected the Harbor / LDAP configuration:
- Harbor won't let you log in if it gets more than one result when looking up your user in LDAP [1]
- Authentik creates "virtual" groups named after each user, for POSIX compliance. From the authentik LDAP provider docs (https://goauthentik.io/docs/providers/ldap/): "A virtual group is also created for each user, they have the same fields as groups but have an additional objectClass: goauthentik.io/ldap/virtual-group. The virtual group's gidNumber is equal to the uidNumber of the user."
What this means for your config is that you can't use your base DN for the user lookup, because you'll get a match from ou=users as well as a match from ou=groups. You'll need to ensure that the base DN for user searches includes ou=users.
Here's my complete, working configuration:
What's the LDAP filter?
The LDAP filter (truncated above) is (&(objectclass=inetOrgPerson)(memberof=cn=*-harbor,ou=groups,dc=elpenguino,dc=net)), which matches any member of any group whose name ends in -harbor, so I could create groups like admin-harbor, read-harbor, ops-harbor, etc.
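To make both points concrete (the duplicate match when the user search base is the root DN, and what the -harbor filter does and does not match), here is an added example that is not part of the original post or of Harbor's or authentik's code: a tiny LDAP filter evaluator run over a constructed, in-memory directory. The entry DNs, attribute values, the placement of the virtual group under ou=groups, the use of cn as the Harbor uid attribute, and the shape of Harbor's combined login-time filter are all assumptions; only the filter string and the ou=users / ou=groups split come from the post above.

```python
import re

# Constructed directory (an assumption, not captured outpost output): two users who are
# members of -harbor groups, one who is not, and the POSIX "virtual group" authentik
# creates for alice with the same cn as her user entry.
BASE_DN = "dc=elpenguino,dc=net"  # assumed: the base DN used in the post's filter
DIRECTORY = [
    {"dn": f"cn=alice,ou=users,{BASE_DN}",
     "objectclass": ["inetOrgPerson", "goauthentik.io/ldap/user"],
     "cn": ["alice"], "uidnumber": ["2001"],
     "memberof": [f"cn=admin-harbor,ou=groups,{BASE_DN}"]},
    # virtual group: same cn as the user, gidNumber equal to the user's uidNumber
    {"dn": f"cn=alice,ou=groups,{BASE_DN}",
     "objectclass": ["groupOfNames", "goauthentik.io/ldap/group",
                     "goauthentik.io/ldap/virtual-group"],
     "cn": ["alice"], "gidnumber": ["2001"]},
    {"dn": f"cn=bob,ou=users,{BASE_DN}",
     "objectclass": ["inetOrgPerson", "goauthentik.io/ldap/user"],
     "cn": ["bob"], "uidnumber": ["2002"],
     "memberof": [f"cn=read-harbor,ou=groups,{BASE_DN}"]},
    {"dn": f"cn=carol,ou=users,{BASE_DN}",
     "objectclass": ["inetOrgPerson", "goauthentik.io/ldap/user"],
     "cn": ["carol"], "uidnumber": ["2003"],
     "memberof": [f"cn=jellyfin,ou=groups,{BASE_DN}"]},
]

# The filter from the post, verbatim.
HARBOR_FILTER = "(&(objectclass=inetOrgPerson)(memberof=cn=*-harbor,ou=groups,dc=elpenguino,dc=net))"


def _parse(s, i):
    """Parse one RFC 4515-style filter component starting at s[i] == '('.
    Supports &, |, ! and simple attr=value with '*' wildcards (no escape handling).
    Returns (node, index_after_component)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        return (op, kids), i + 1          # skip closing ')'
    if s[i] == "!":
        node, i = _parse(s, i + 1)
        return ("!", [node]), i + 1
    j = s.index(")", i)                    # simple filter: value runs to the next ')'
    attr, _, value = s[i:j].partition("=")  # split on the FIRST '=' so DN values survive
    return ("=", attr.lower(), value), j + 1


def _matches(node, entry):
    """Evaluate a parsed filter node against one entry (attributes lower-cased keys)."""
    kind = node[0]
    if kind == "&":
        return all(_matches(k, entry) for k in node[1])
    if kind == "|":
        return any(_matches(k, entry) for k in node[1])
    if kind == "!":
        return not _matches(node[1][0], entry)
    _, attr, value = node
    # '*' is a wildcard; everything else is matched literally and case-insensitively
    pattern = re.compile("^" + ".*".join(re.escape(p) for p in value.split("*")) + "$", re.I)
    return any(pattern.match(v) for v in entry.get(attr, []))


def search(search_base, ldap_filter):
    """Subtree search: return sorted DNs under search_base that satisfy ldap_filter."""
    node, end = _parse(ldap_filter, 0)
    if end != len(ldap_filter):
        raise ValueError("trailing characters after filter")
    base = search_base.lower()
    return sorted(e["dn"] for e in DIRECTORY
                  if (e["dn"].lower() == base or e["dn"].lower().endswith("," + base))
                  and _matches(node, e))


def harbor_lookup(search_base, ldap_filter, username, uid_attr="cn"):
    """Emulate Harbor's login-time user search. Assumed shape: the configured filter
    AND-ed with a match on the uid attribute. Harbor rejects the login unless exactly
    one entry comes back, which is the error that only shows up in harbor-core logs."""
    combined = f"(&{ldap_filter}({uid_attr}={username}))" if ldap_filter else f"({uid_attr}={username})"
    return search(search_base, combined)


if __name__ == "__main__":
    print("root DN, no filter:    ", harbor_lookup(BASE_DN, "", "alice"))           # 2 hits -> login fails
    print("ou=users, no filter:   ", harbor_lookup(f"ou=users,{BASE_DN}", "", "alice"))
    print("ou=users, -harbor users:", search(f"ou=users,{BASE_DN}", HARBOR_FILTER))  # alice, bob; not carol
```

Running it shows the failure mode from the post: with the search base at the root DN, a plain cn lookup for alice returns both her user entry and her virtual group, so Harbor sees two results and refuses the login; scoping the base to ou=users brings it back to one. The -harbor filter then admits alice and bob but not carol, whose only membership is in a group that does not end in -harbor.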
Chef's notes 📓
[1] This error is only visible in the harbor-core pod logs!