Harbor Registry: is your LDAP user unique?

2022-08-01 · 2 min read · Tags: Cloud Native, Harbor, Kubernetes

A recent project I was working on required granting different levels of permissions for several Active Directory service accounts on Harbor registry so that some can only pull images from the registry, and others can also push, etc.

On the Harbor project, I had the following configuration for my users:

Screenshot

The harbor-group-01 group contains an Active Directory user named harbor-user-01 and harbor-group-02 contains harbor-user-02.

From the command line, I was able to log in to Harbor with harbor-user-01:

$ docker login it-tkg-harbor.terasky.demo -u harbor-user-01 -p my-password

Login Succeeded

But not with harbor-user-02:

$ docker login it-tkg-harbor.terasky.demo -u harbor-user-02 -p my-password

Error response from daemon: Get "https://it-tkg-harbor.terasky.demo/v2/": unauthorized: authentication required

Attempting to log in with harbor-user-02 from Harbor UI also returned a generic error message that was not helpful.

Invalid user name or password.

Screenshot

I knew that all the Active Directory service accounts were completely identical, so initially, it didn’t make any sense for one service account to be able to log in and others to fail.

It also didn’t occur to me that Harbor was causing the issue - until I decided to look at the harbor-core logs.

I immediately observed the following error messages in the logs:

$ kubectl logs -l app=harbor,component=core -n tanzu-system-registry

2022-08-16T08:55:21Z [ERROR] [/core/controllers/base.go:103]: Error occurred in UserLogin: user harbor-user-02 or email  already exists

Notice the extra space in the error message?

Screenshot

The Active Directory service accounts had no email address set, and Harbor expects a unique email attribute. As far as the Harbor database is concerned, a null value is still a value, so two or more service accounts with a null email are considered duplicates of each other. That also explains why only the first service account to log in succeeded while the others failed.
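A pre-flight check for this condition, added here as an example and not code from the original post: it parses an LDIF export of the Harbor group members (a constructed sample is embedded; `sAMAccountName` and `mail` are assumed to be the relevant Active Directory attributes) and reports every set of accounts that would map to the same email in Harbor's user table. It goes slightly beyond the post by also catching two accounts that share a real address, since that collides in the same way as two empty ones.

```python
import base64
import re
from collections import defaultdict

# Constructed sample in the shape `ldapsearch -LLL` prints; names follow the post, DNs and addresses are made up.
SAMPLE_LDIF = """\
dn: CN=harbor-user-01,OU=svc,DC=example,DC=test
sAMAccountName: harbor-user-01

dn: CN=harbor-user-02,OU=svc,DC=example,DC=test
sAMAccountName: harbor-user-02

dn: CN=harbor-user-03,OU=svc,DC=example,DC=test
sAMAccountName: harbor-user-03
mail: shared-svc@example.test

dn: CN=harbor-user-04,OU=svc,DC=example,DC=test
sAMAccountName: harbor-user-04
mail: shared-svc
 @example.test
"""

def parse_ldif(text):
    """Parse LDIF entries into dicts (last value wins for repeated attributes)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in re.sub(r"\n ", "", block).splitlines():  # unfold continuation lines
            if line.startswith("#"):
                continue
            attr, sep, value = re.match(r"([^:]+)(::?) ?(.*)", line).groups()
            if sep == "::":  # base64-encoded value
                value = base64.b64decode(value).decode("utf-8")
            entry[attr] = value.strip()
        entries.append(entry)
    return entries

def find_email_collisions(entries, uid_attr="sAMAccountName", mail_attr="mail"):
    """Bucket accounts by the email Harbor would record. A missing mail attribute
    becomes "", so all mail-less accounts collide, as in the log line above."""
    by_mail = defaultdict(list)
    for e in entries:
        by_mail[e.get(mail_attr, "").lower()].append(e[uid_attr])
    return {mail: uids for mail, uids in by_mail.items() if len(uids) > 1}

if __name__ == "__main__":
    for mail, uids in find_email_collisions(parse_ldif(SAMPLE_LDIF)).items():
        print(f"email {mail!r} shared by: {', '.join(uids)}")
```

To run it against a real directory, replace SAMPLE_LDIF with `ldapsearch -LLL` output restricted to the group members and those two attributes.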

I set a fake email address for all service accounts in Active Directory to work around this.

Screenshot

I then successfully logged in to Harbor with all service accounts.

$ docker login it-tkg-harbor.terasky.demo -u harbor-user-01 -p my-password

Login Succeeded

$ docker login it-tkg-harbor.terasky.demo -u harbor-user-02 -p my-password

Login Succeeded

It felt like an edge case worth documenting and sharing. :)