Artifactory Binary Repository / RTFACT-22897

API Key auth doesn't trigger LDAP group sync when REALM isn't LDAP



    • Type: Bug
    • Status: Done
    • Resolution: Done
    • Affects Version/s: 7.5.0, 6.20.0, 7.6.0, 6.20.1
    • Fix Version/s: 6.23.7, 7.12.5
    • Component/s: None


      Environment description:
      1. LDAP is integrated. Groups are imported from LDAP and permissions are granted based on groups.
      2. SAML SSO is enabled for UI authentication, UI permissions are processed by the SyncLdapGroups plugin.

      Problem Description:
      API Key authentication results in 403, group permissions are not inherited.

      curl -uarielk:AKCp5fUDiPt9JPDVJPbpy3Dr8cP2rZJuivLKrk9UZtg4xYQkhJc7CdDvTqrWvRSDgzsc1sUQ3 http://localhost:8081/artifactory/generic-local/jfrog.conf -I
      HTTP/1.1 403 Forbidden
      Server: Artifactory/6.20.1
      X-Artifactory-Id: 3af65327c9258549:-158a6662:17365f8954c:-8000
      Content-Type: application/json;charset=ISO-8859-1
      Transfer-Encoding: chunked
      Date: Sun, 19 Jul 2020 07:50:23 GMT

      Prerequisites for reproduction:
      1. To track the authentication flow more easily, enable these loggers in logback.xml:

          <logger name="org.artifactory.security">
              <level value="trace"/>
          </logger>
          <logger name="org.artifactory.addon.ldap">
              <level value="debug"/>
          </logger>
          <logger name="org.artifactory.webapp.servlet.AuthenticationCacheServiceImpl">
              <level value="debug"/>
          </logger>

      2. Add the below to artifactory.system.properties to reduce the cache time, so it's easier to reproduce:


      Steps to reproduce:
      1. Setup Artifactory 6.20.1.
      2. Integrate with an LDAP. This script can be used for quick LDAP setup.
      3. Make sure to note a specific user and a group he is a member of.
      4. Integrate Artifactory with SAML SSO. I used OKTA. Create the user noted from step #3 and make sure it exists in SAML.
      5. Add the syncLdapGroups plugin with the LDAP Group setting you have configured.
      6. In Artifactory, create the default "Docker" & "Generic" repositories via "Quick Setup".
      7. Modify the permissions, so "docker-local" is accessible for the noted user, but the "generic-local" repository is accessible only via the group the noted user is a member of:
         "docker-local" - global permission
         "generic-local" - specific permission for the LDAP group needed.
      8. Login to Artifactory with the noted user via SAML SSO. Obtain an API key.
      9. Login to Artifactory using an admin, confirm the noted user is of REALM SAML and the UI doesn't show he's a member of the LDAP groups.
      10. Perform the below with the user and the obtained API key:

      curl -uUSER:APIKEY localhost:8081/artifactory/api/docker/docker-local/v2/token

      Note this in Artifactory log:

      2020-07-19 11:26:45,567 [http-nio-8081-exec-9] [DEBUG] (o.a.w.s.AuthenticationCacheServiceImpl:138) - Added authentication org.artifactory.security.providermgr.TokenProviderResponseAuthentication@7066a023: Principal: arielk; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: user to cache.

      11. Quickly (as we set the cache to 1 min) run the below:

      curl -uUSER:APIKEY http://localhost:8081/artifactory/generic-local/jfrog.conf -I
      HTTP/1.1 403 Forbidden
      Server: Artifactory/6.20.1
      X-Artifactory-Id: df9a061892d2a024:2b89f2d8:173662231ce:-8000
      Content-Type: application/json;charset=ISO-8859-1
      Transfer-Encoding: chunked
      Date: Sun, 19 Jul 2020 08:27:23 GMT

      This fails although it should succeed. Authenticating with the LDAP password works:

       curl -uarielk:password http://localhost:8081/artifactory/generic-local/jfrog.conf -I
      HTTP/1.1 200 OK
      Server: Artifactory/6.20.1
      X-Artifactory-Id: df9a061892d2a024:2b89f2d8:173662231ce:-8000
      Last-Modified: Wed, 15 Jul 2020 23:09:27 GMT
      ETag: f2e945d34a97ec070a50c350593560a088e6f1d9
      X-Checksum-Sha1: f2e945d34a97ec070a50c350593560a088e6f1d9
      X-Checksum-Sha256: aceb903be0dc9121d8b960ecef54a12dd674db179da17c9d7c575f93416a3ff4
      X-Checksum-Md5: 69babdc8b6e683492af10bbe21f036b3
      Accept-Ranges: bytes
      X-Artifactory-Filename: jfrog.conf
      Content-Disposition: attachment; filename="jfrog.conf"; filename*=UTF-8''jfrog.conf
      Content-Type: application/octet-stream
      Content-Length: 4671
      Date: Sun, 19 Jul 2020 08:28:11 GMT

      Once the cache (which we set to 1 min) has expired, the request succeeds, provided the first request after expiry is not to the api/docker/docker-repo/v2/token endpoint.
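      As an added example, not part of this issue or of Artifactory's code: a small scan over the AuthenticationCacheServiceImpl DEBUG line quoted above, flagging cached token (API key) authentications whose granted authorities lack the LDAP groups the user is expected to hold. Such an entry is exactly the state that makes the follow-up requests in this report fail. The regex follows the one log line on this page; the second sample line, the group name ldap-readers and the expected-groups map are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Pattern for the AuthenticationCacheServiceImpl DEBUG line quoted in this issue.
# Spring Security renders "Granted Authorities:" as a comma-separated list.
CACHE_ADD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[[^\]]+\] \[DEBUG\] "
    r"\(o\.a\.w\.s\.AuthenticationCacheServiceImpl:\d+\) - Added authentication "
    r"(?P<cls>[\w.$]+)@[0-9a-fA-F]+: Principal: (?P<principal>[^;]+); "
    r"Credentials: \[PROTECTED\]; Authenticated: (?P<authd>true|false); "
    r"Details: [^;]*; Granted Authorities: (?P<authorities>.*?) to cache\.$"
)

# Class name taken from the log line in this issue; it marks the token/API-key path.
TOKEN_AUTH_CLASS = "TokenProviderResponseAuthentication"


@dataclass(frozen=True)
class CacheAdd:
    timestamp: str
    principal: str
    auth_class: str
    authenticated: bool
    authorities: Tuple[str, ...]

    @property
    def is_token_auth(self) -> bool:
        return self.auth_class.endswith(TOKEN_AUTH_CLASS)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    principal: str
    missing: FrozenSet[str]


def parse_cache_add(line: str) -> Optional[CacheAdd]:
    """Parse one 'Added authentication ... to cache.' line; None for any other line."""
    m = CACHE_ADD_RE.match(line.strip())
    if not m:
        return None
    authorities = tuple(a.strip() for a in m.group("authorities").split(",") if a.strip())
    return CacheAdd(
        timestamp=m.group("ts"),
        principal=m.group("principal").strip(),
        auth_class=m.group("cls"),
        authenticated=m.group("authd") == "true",
        authorities=authorities,
    )


def find_suspect_cache_entries(lines: Iterable[str],
                               expected_groups: Dict[str, FrozenSet[str]]) -> List[Finding]:
    """Flag cached token authentications whose authorities lack the LDAP groups the
    principal should carry. Requests served from such an entry are evaluated
    without those group permissions until the entry expires."""
    findings: List[Finding] = []
    for line in lines:
        entry = parse_cache_add(line)
        if entry is None or not entry.is_token_auth:
            continue
        expected = expected_groups.get(entry.principal, frozenset())
        missing = expected - set(entry.authorities)
        if missing:
            findings.append(Finding(entry.timestamp, entry.principal, frozenset(missing)))
    return findings


# First line is the one quoted in this issue; the second is constructed to show a
# cache entry that does carry the (constructed) LDAP group "ldap-readers".
SAMPLE_LOG = [
    "2020-07-19 11:26:45,567 [http-nio-8081-exec-9] [DEBUG] (o.a.w.s.AuthenticationCacheServiceImpl:138) - "
    "Added authentication org.artifactory.security.providermgr.TokenProviderResponseAuthentication@7066a023: "
    "Principal: arielk; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: user to cache.",
    "2020-07-19 11:27:10,002 [http-nio-8081-exec-3] [DEBUG] (o.a.w.s.AuthenticationCacheServiceImpl:138) - "
    "Added authentication org.springframework.security.authentication.UsernamePasswordAuthenticationToken@1a2b3c4d: "
    "Principal: arielk; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: user, ldap-readers to cache.",
]

# Constructed mapping of users to the LDAP groups they are expected to hold.
EXPECTED_GROUPS: Dict[str, FrozenSet[str]] = {"arielk": frozenset({"ldap-readers"})}

if __name__ == "__main__":
    for f in find_suspect_cache_entries(SAMPLE_LOG, EXPECTED_GROUPS):
        print(f"{f.timestamp} token auth cached for {f.principal} without groups {sorted(f.missing)}")
```

      Run against a log with the AuthenticationCacheServiceImpl logger at debug, a hit tells you which user's token login was cached without its LDAP groups and from what time, which is when the 403s in this report start.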

      Disabling the authentication cache for tokens, which was added in 6.20, seems to resolve the issue. This can be done by setting:



                alexeiv Alexei Vainshtein
                arielk Ariel Kabov