Uploaded image for project: 'Artifactory Binary Repository'
  1. Artifactory Binary Repository
  2. RTFACT-27275

Docker login with LDAP credentials fails after upgrade to 7.39.4



    • Type: Bug
    • Status: Open
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Docker, LDAP
    • Environment:

      Ubuntu 20.04 

      Deb install of Artifactory Pro 7.39.4

      FreeIPA LDAP 4.5.0

      Docker version 20.10.17, build 100c701


      Recently upgraded from Artifactory 6.20.0 to 7.39.4 using the same LDAP configuration that was working before. Post-upgrade any LDAP account previously logged in to the docker registry failed to push with an authentication error, and subsequent attempts to log in to the registry fail with a 401. Docker login using a local Artifactory user account succeeds, and GUI logins and REST calls with LDAP user succeeds.

      Login command:

      docker login artifactory.lab.company.com:5002
      Username: test_jenkins1
      {{Password: }}
      Error response from daemon: login attempt to https://artifactory.lab.company.com:5002/v2/ failed with status: 401 Unauthorized

      Looking at the LDAP logs it looks like the request is getting to the server and returning successfully:

      [13/Jul/2022:08:56:45.412039328 -0400] conn=316971 fd=282 slot=282 connection from <arti ip> to <ldap ip>
      [13/Jul/2022:08:56:45.412770609 -0400] conn=316971 op=0 BIND dn="uid=test_jenkins1,cn=users,cn=accounts,dc=<domain>,dc=lab" method=128 version=3
      [13/Jul/2022:08:56:45.414599961 -0400] conn=316971 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=test_jenkins1,cn=users,cn=accounts,dc=<domain>,dc=lab"
      [13/Jul/2022:08:56:45.416341651 -0400] conn=316971 op=1 SRCH base="uid=test_jenkins1,cn=users,cn=accounts,dc=<domain>,dc=lab" scope=0 filter="(objectClass=*)" attrs=ALL
      [13/Jul/2022:08:56:45.420666108 -0400] conn=316971 op=1 RESULT err=0 tag=101 nentries=1 etime=0
      [13/Jul/2022:08:56:45.422232572 -0400] conn=316971 op=2 UNBIND
      [13/Jul/2022:08:56:45.422274793 -0400] conn=316971 op=2 fd=282 closed - U1
      [13/Jul/2022:08:56:45.458611978 -0400] conn=299696 op=146 SRCH base="dc=<domain>,dc=lab" scope=2 filter="(uid=test_jenkins1)" attrs=ALL
      [13/Jul/2022:08:56:45.494916347 -0400] conn=299696 op=146 RESULT err=0 tag=101 nentries=1 etime=0
      [13/Jul/2022:08:56:46.005904701 -0400] conn=316790 op=9 UNBIND
      [13/Jul/2022:08:56:46.005949071 -0400] conn=316790 op=9 fd=201 closed - U1

      and looking at the Artifactory logs it looks like it successfully creates an access token for the user, but it issues the 401 before hand:

      <login ip> - - [13/Jul/2022:12:56:45 +0000] "GET /v2/ HTTP/1.1" 401 87 "-" "docker/20.10.17 go/go1.17.11 git-commit/a89b842 kernel/4.15.0-189-generic os/linux arch/amd64 UpstreamClient(Docker-Client/20.10.17 \x5C(linux\x5C))"
      <login ip> - test_jenkins1 [13/Jul/2022:12:56:45 +0000] "GET /artifactory/api/docker/docker-sandbox-local/v2/token?account=test_jenkins1&client_id=docker&offline_token=true&service=artifactory.lab.rockportnetworks.com%3A5002 HTTP/1.1" 200 959 "-" "docker/20.10.17 go/go1.17.11 git-commit/a89b842 kernel/4.15.0-189-generic os/linux arch/amd64 UpstreamClient(Docker-Client/20.10.17 \x5C(linux\x5C))"

      Current workaround is to allow local user password for accounts pushing docker images.




              ck515 Caty Kratzmann
              0 Vote for this issue
              2 Start watching this issue