harbor warns about not getting groups excluded by ldap group base dn

[opticabjohannsen]

Harbor version 2.9.2

We have a setup, where our OpenLDAP server provides configurations for multiple services (Bitbucket, Jenkins etc)
Further our groups are split into stages (dev, integration, prod)
Within those groups we have duplicate group names (e.g jenkins_user)

cn=bitbucket_user,ou=bitbucket,ou=ops,ou=groups,dc=company,dc=local
cn=bitbucket_admin,ou=bitbucket,ou=ops,ou=groups,dc=company,dc=local

Not all our users should have all groups.
I now have the problem, that i created 2 new groups for our harbor users

cn=harbor_user,ou=harbor,ou=ops,ou=groups,dc=company,dc=local
cn=harbor_admin,ou=harbor,ou=ops,ou=groups,dc=company,dc=local

So i set the LDAP Group Base DN value to ou=harbor,ou=ops,ou=groups,dc=company,dc=local
Everything works as expected. Users can login and are either user or admin depending on the group.
BUT:
on every login i get a message for EVERY single group that the user is a member of. Which in my users case are over 70

[WARNING] [/core/auth/ldap/ldap.go:127]: Can not get the ldap group name with DN cn=bitbucket_user,ou=bitbucket,ou=ops,ou=groups,dc=company,dc=local

[WARNING] [/core/auth/ldap/ldap.go:127]: Can not get the ldap group name with DN cn=bitbucket_admin,ou=bitbucket,ou=ops,ou=groups,dc=company,dc=local

Why is it even trying to read this group, the group base dn distinctly different.
i tried multiple version of using base dn and LDAP Group Filter.
The only solution i found was to allow all ldap groups below ou=groups,dc=company,dc=local, which then results in duplicate name warnings on every single login.
As said it doesn't break anything. It's just anoying spam about information, that i don't need.

is there a way to:

• suppress this warning
• configure something to resolve the WARNING
  below a screenshot of my (working) ldap config

[stonezdj]

Could you please try this allow all ldap groups below ou=groups,dc=company,dc=local and change the LDAP group filter option to filter out the unused groups

[opticabjohannsen]

I changed LDAP Group Base DN to
ou=groups,dc=company,dc=local
and LDAP Group filter to cn=harbor_user
I'm still getting messages for all other groups, that it could not read

[opticabjohannsen]

just a bump. issue still exists (at least on my installation)

[ansromanov]

I experienced the same behavior with Harbor v2.9.4-a6d707df and FreeIPA.

My LDAP filtering is following:

But I have lot of warnings in logs (entries are changed because of the security reasons), when I tried to login with user who is part or cn=harbor_admins,cn=groups,cn=accounts,dc=company,dc=local group:

Can not get the ldap group name with DN cn=devops,cn=groups,cn=accounts,dc=company,dc=local
Can not get the ldap group name with DN cn=project1_admins,cn=groups,cn=accounts,dc=company,dc=local
Can not get the ldap group name with DN cn=project2_users,cn=groups,cn=accounts,dc=company,dc=local

[github-actions]

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

[opticabjohannsen]

As far as i can tel, the issue is still not solved

[github-actions]

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

[github-actions]

This issue was closed because it has been stalled for 30 days with no activity. If this issue is still relevant, please re-open a new issue.

[stonezdj]

The warning message should changed to debug level to avoid noise in the log.