Unable to configure Quay Team Sync
Environment
- Red Hat Quay
- 3.8+
Issue
- In the Team Synchronization feature of Quay, when one adds the Group DN in the team sync definition, it says: "Could not sync to group: Group does not exist or is empty".
- What is the attribute that Quay searches for in order to get the group members? Our LDAP directory service uses the group membership search attribute "groupMembership". For example: groupMembership: cn=OCP_admins,ou=OCP,ou=groups,o=xyz.
Resolution
- There is no workaround for this issue at the moment. A feature request, PROJQUAY-3235, has been raised to support custom LDAP membership attributes in upcoming Quay releases.
Root Cause
- The LDAP search is failing because the two search filters have been combined:
(&(memberOf=cn=OCP_admins,ou=OCP,ou=groups,o=xyz)(groupMembership=cn=OCP_admins,ou=OCP,ou=groups,o=xyz))
The ampersand (&) at the beginning of the filter is a logical AND, so the filter translates to: search for users with 'memberOf=cn=OCP_admins,ou=OCP,ou=groups,o=xyz' AND 'groupMembership=cn=OCP_admins,ou=OCP,ou=groups,o=xyz'.
- This expression always evaluates to false because no user in the directory carries the memberOf attribute; membership is recorded in groupMembership. The memberOf lookup is hard coded in the Quay source code, so there is no configuration setting that points team sync at a different membership attribute.
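The following is an added example, not Quay's code and not the directory's: a small evaluator for LDAP equality/AND/OR/NOT filters run against a constructed directory in which membership is stored only in groupMembership. It shows that the hard-coded (memberOf=...) filter, and the combined AND filter from the root cause above, both return zero users, while the same group DN queried through groupMembership returns the members. The directory entries (alice, bob, carol) are constructed for the example.

```python
"""Added example, not Quay's own code: evaluate the group-membership filters
from the Root Cause section against a small constructed directory to show why
a hard-coded memberOf lookup returns zero users when membership is stored in
groupMembership."""
import re

GROUP_DN = "cn=OCP_admins,ou=OCP,ou=groups,o=xyz"


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def membership_filter(group_dn, attr="memberOf"):
    """Filter matching users whose `attr` holds the group DN."""
    return "(%s=%s)" % (attr, escape_filter_value(group_dn))


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def _parse(s, i):
    """Tiny recursive-descent parser for (attr=value), (&...), (|...), (!...)."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            children.append(node)
        if s[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        return (op, children), i + 1
    j = s.index(")", i)          # an escaped ')' is written \29, so this is safe
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.lower(), _unescape(value)), j + 1


def parse_filter(s):
    node, end = _parse(s, 0)
    if end != len(s):
        raise ValueError("trailing data in filter")
    return node


def _matches(node, entry):
    if node[0] == "=":
        _, attr, value = node
        # attribute names and DN values are compared case-insensitively
        return any(v.lower() == value.lower() for v in entry.get(attr, []))
    op, children = node
    if op == "&":
        return all(_matches(c, entry) for c in children)
    if op == "|":
        return any(_matches(c, entry) for c in children)
    return not _matches(children[0], entry)   # "!"


def search(entries, filter_str):
    """Return the DNs of entries matching filter_str (like a subtree search)."""
    node = parse_filter(filter_str)
    return [e["dn"] for e in entries if _matches(node, e)]


def entry(dn, **attrs):
    """Build an entry with lower-cased attribute names."""
    return {"dn": dn, **{k.lower(): v for k, v in attrs.items()}}


# Constructed sample directory under ou=accounts,o=xyz: membership is kept in
# groupMembership, as in the issue; no user carries memberOf.
DIRECTORY = [
    entry("cn=alice,ou=accounts,o=xyz", groupMembership=[GROUP_DN]),
    entry("cn=bob,ou=accounts,o=xyz", groupMembership=[GROUP_DN]),
    entry("cn=carol,ou=accounts,o=xyz",
          groupMembership=["cn=other,ou=OCP,ou=groups,o=xyz"]),
]

QUAY_FILTER = membership_filter(GROUP_DN)            # the hard-coded memberOf lookup
COMBINED_FILTER = "(&%s%s)" % (QUAY_FILTER,
                               membership_filter(GROUP_DN, "groupMembership"))
DIRECTORY_FILTER = membership_filter(GROUP_DN, "groupMembership")

if __name__ == "__main__":
    for f in (QUAY_FILTER, COMBINED_FILTER, DIRECTORY_FILTER):
        print("Found %d users in group %s" % (len(search(DIRECTORY, f)), f))
```

Running the block prints a "Found N users" line per filter in the style of the Quay debug log: 0 for the memberOf filter, 0 for the combined AND filter, and 2 for the groupMembership filter. The escaping helper matters when a group DN contains parentheses or asterisks; without it the filter is either rejected or matches the wrong entries.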
Diagnostic Steps
- Check for the following snippet in Quay debug logs:
...
gunicorn-web stdout | 2023-01-09 16:39:49,741 [199] [DEBUG] [data.users.externalldap] Conducting LDAP search of DN: ou=accounts,o=xyz and filter (memberOf=cn=OCP_admins,ou=OCP,ou=groups,o=xyz)
gunicorn-web stdout | *** <ldap.ldapobject.SimpleLDAPObject object at 0x7fd5acfbc160> ldaps://ldap.xyz.com - SimpleLDAPObject.search_ext
gunicorn-web stdout | (('ou=accounts,o=xyz',
gunicorn-web stdout | 2,
gunicorn-web stdout | '(memberOf=cn=OCP_admins,ou=OCP,ou=groups,o=xyz)',
gunicorn-web stdout | ['xyzCNShort', 'mail'],
gunicorn-web stdout | 0,
gunicorn-web stdout | [('1.2.840.113556.1.4.319', True, b'0\x05\x02\x01\x01\x04\x00')],
gunicorn-web stdout | None,
gunicorn-web stdout | -1,
gunicorn-web stdout | 0),
gunicorn-web stdout | {})
gunicorn-web stdout | => result:
gunicorn-web stdout | 2
gunicorn-web stdout | *** <ldap.ldapobject.SimpleLDAPObject object at 0x7fd5acfbc160> ldaps://ldap.xyz.com - SimpleLDAPObject.result4
gunicorn-web stdout | ((2, 1, -1, 0, 0, 0), {})
gunicorn-web stdout | => result:
gunicorn-web stdout | (101,
gunicorn-web stdout | [],
gunicorn-web stdout | 2,
gunicorn-web stdout | [('1.2.840.113556.1.4.319', 0, b'0\x84\x00\x00\x00\x05\x02\x01\x00\x04\x00')])
gunicorn-web stdout | 2023-01-09 16:39:49,742 [199] [DEBUG] [data.users.externalldap] Found 0 users in group ou=accounts,o=xyz; (memberOf=cn=OCP_admins,ou=OCP,ou=groups,o=xyz)
gunicorn-web stdout | *** <ldap.ldapobject.SimpleLDAPObject object at 0x7fd5acfbc160> ldaps://ldap.xyz.com - SimpleLDAPObject.unbind_ext
gunicorn-web stdout | ((None, None), {})
gunicorn-web stdout | => result:
gunicorn-web stdout | None
...
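In the trace above, the filter Quay sends is (memberOf=...) against base ou=accounts,o=xyz with scope 2 (python-ldap's SCOPE_SUBTREE) and the paged-results control (OID 1.2.840.113556.1.4.319); the result type 101 (RES_SEARCH_RESULT) arrives with an empty entry list, which is what "Found 0 users" reports. The following is an added example, not Quay's own code: a small checker that scans Quay debug log lines for team-sync searches that returned no members and reports which membership attribute the filter used, so the mismatch with the directory's attribute (groupMembership here) is visible without reading the raw python-ldap trace. The two sample lines are copied from the debug output above; the list of attributes the directory supports is an input you supply.

```python
"""Added example, not Quay's own code: scan Quay debug log lines for team-sync
LDAP searches that returned no members and report which membership attribute
the filter used."""
import re

FOUND_RE = re.compile(
    r"\[data\.users\.externalldap\] Found (?P<count>\d+) users in group "
    r"(?P<base>\S+); (?P<filter>\(.*\))\s*$")
# attribute name at the start of each (attr=value) component of a filter
ATTR_RE = re.compile(r"\(([A-Za-z][\w;.-]*)=")


def filter_attributes(filter_str):
    """Attribute names used in the equality components of an LDAP filter."""
    return ATTR_RE.findall(filter_str)


def empty_group_searches(lines):
    """Return one dict per 'Found 0 users' line: base, filter and attributes."""
    findings = []
    for line in lines:
        m = FOUND_RE.search(line)
        if m and int(m.group("count")) == 0:
            findings.append({
                "base": m.group("base"),
                "filter": m.group("filter"),
                "attributes": filter_attributes(m.group("filter")),
            })
    return findings


def unsupported_attributes(finding, directory_attrs):
    """Attributes the filter relies on that the directory does not populate."""
    supported = {a.lower() for a in directory_attrs}
    return [a for a in finding["attributes"] if a.lower() not in supported]


# Two lines taken from the debug output above; the python-ldap trace in between
# is not needed for the check.
SAMPLE_LOG = [
    "gunicorn-web stdout | 2023-01-09 16:39:49,741 [199] [DEBUG] "
    "[data.users.externalldap] Conducting LDAP search of DN: ou=accounts,o=xyz "
    "and filter (memberOf=cn=OCP_admins,ou=OCP,ou=groups,o=xyz)",
    "gunicorn-web stdout | 2023-01-09 16:39:49,742 [199] [DEBUG] "
    "[data.users.externalldap] Found 0 users in group ou=accounts,o=xyz; "
    "(memberOf=cn=OCP_admins,ou=OCP,ou=groups,o=xyz)",
]

if __name__ == "__main__":
    # groupMembership is the attribute the directory in this issue populates
    for f in empty_group_searches(SAMPLE_LOG):
        missing = unsupported_attributes(f, ["groupMembership"])
        print("base=%s filter attributes=%s not populated in directory=%s"
              % (f["base"], f["attributes"], missing))
```

Feed it the full Quay debug log (for example the output of `oc logs` on the quay-app pods) instead of SAMPLE_LOG; any finding whose unsupported list is non-empty is a search that cannot succeed with that directory, regardless of whether the group DN is correct.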
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.