Active Directory authentication with two domain controllers in SonarQube on Docker

Hey there,

I am trying to utilize both Active Directory controllers in SonarQube.
https://docs.sonarqube.org/latest/instance-administration/delegated-auth/#header-6
This document explains how to set it up step by step, and it worked for me. However, I've moved my SonarQube installation onto Docker and I can't find any configuration example which would let me still use it. Could you help me out with this one?

The version I use is 9.4.0.54424, basically what's on Docker Hub as sonarqube:9.4.0-developer.

Hi,

Welcome to the community!

If I compare the documented envvars with the property names in $SONARQUBE-HOME/conf/sonar.properties, the translation seems to be

  • upper case
  • change dots to underscores

Have you tried this?

HTH,
Ann

Let’s consider a configuration example like this for LDAP:

sonar.security.realm=LDAP

# Set to true when connecting to a LDAP server using a case-insensitive setup.
sonar.authenticator.downcase=true

# List the different servers
ldap.servers=server1,server2

# URL of the LDAP server. Note that if you are using ldaps, then you should install the server certificate into the Java truststore.
ldap.server1.url=ldaps://ads01.example.com:636
ldap.server2.url=ldaps://ads02.example.com:636

# Bind DN is the username of an LDAP user to connect (or bind) with. Leave this blank for anonymous access to the LDAP directory (optional)
ldap.server1.bindDn=CN=citools,OU=Execution,OU=COMPANYUSERS,DC=example,DC=com
ldap.server2.bindDn=CN=citools,OU=Execution,OU=COMPANYUSERS,DC=example,DC=com

# Bind Password is the password of the user to connect with. Leave this blank for anonymous access to the LDAP directory (optional)
ldap.server1.bindPassword=hahafunnypassword
ldap.server2.bindPassword=hahafunnypassword

# Possible values: simple | CRAM-MD5 | DIGEST-MD5 | GSSAPI See http://java.sun.com/products/jndi/tutorial/ldap/security/auth.html (default: simple)
ldap.server1.authentication=simple
ldap.server2.authentication=simple
#ldap.authentication=simple

# See :
#   * http://java.sun.com/products/jndi/tutorial/ldap/security/digest.html
#   * http://java.sun.com/products/jndi/tutorial/ldap/security/crammd5.html
# (optional)
# ldap.realm=example.org

# Context factory class (optional)
# ldap.contextFactoryClass=com.sun.jndi.ldap.LdapCtxFactory

# Enable usage of StartTLS (default : false)
#ldap.StartTLS=false
ldap.server1.StartTLS=false
ldap.server2.StartTLS=false
#ldap.StartTLS=false

# Follow or not referrals. See http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html (default: true)
ldap.server1.followReferrals=true
ldap.server2.followReferrals=true
#ldap.followReferrals=true

# USER MAPPING

# Distinguished Name (DN) of the root node in LDAP from which to search for users (mandatory)
ldap.server1.user.baseDn=dc=example,dc=com
ldap.server2.user.baseDn=dc=example,dc=com

# LDAP user request. (default: (&(objectClass=inetOrgPerson)(uid={login})) )
ldap.server1.user.request=(&(objectClass=user)(sAMAccountName={login})(memberOf:1.2.840.113556.1.4.1941:=CN=sonarqube_users,OU=Groups,OU=COMPANYUSERS,DC=example,DC=com))
ldap.server2.user.request=(&(objectClass=user)(sAMAccountName={login})(memberOf:1.2.840.113556.1.4.1941:=CN=sonarqube_users,OU=Groups,OU=COMPANYUSERS,DC=example,DC=com))

# Attribute in LDAP defining the user’s real name. (default: cn)
#ldap.user.realNameAttribute=cn
ldap.server1.user.realNameAttribute=cn
ldap.server2.user.realNameAttribute=cn

# Attribute in LDAP defining the user’s email. (default: mail)
#ldap.user.emailAttribute=mail
ldap.server1.user.emailAttribute=mail
ldap.server2.user.emailAttribute=mail

# GROUP MAPPING

# Distinguished Name (DN) of the root node in LDAP from which to search for groups. (optional, default: empty)
ldap.server1.group.baseDn=DC=example,DC=com
ldap.server2.group.baseDn=DC=example,DC=com

# LDAP group request (default: (&(objectClass=groupOfUniqueNames)(uniqueMember={dn})) )
ldap.server1.group.request=(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={dn})(|(sAMAccountName=sonarqube_users)(sAMAccountName=ci_admins)))
ldap.server2.group.request=(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={dn})(|(sAMAccountName=sonarqube_users)(sAMAccountName=ci_admins)))

# Property used to specify the attribute to be used for returning the list of user groups in the compatibility mode. (default: cn)
# ldap.group.idAttribute=sAMAccountName
ldap.server1.group.idAttribute=sAMAccountName
ldap.server2.group.idAttribute=sAMAccountName

Does your message mean it should be like this in Docker?

LDAP_SERVERS=server1,server2
LDAP_SERVER1_URL=ldaps://ads01.example.com:636
LDAP_SERVER2_URL=ldaps://ads02.example.com:636
LDAP_SERVER1_BINDDN=CN=citools,OU=Execution,OU=COMPANYUSERS,DC=example,DC=com
LDAP_SERVER2_BINDDN=CN=citools,OU=Execution,OU=COMPANYUSERS,DC=example,DC=com
LDAP_SERVER1_BINDPASSWORD=hahafunnypassword
LDAP_SERVER2_BINDPASSWORD=hahafunnypassword
LDAP_SERVER1_STARTTLS=false
LDAP_SERVER2_STARTTLS=false
LDAP_SERVER1_FOLLOWREFERRALS=true
LDAP_SERVER2_FOLLOWREFERRALS=true
LDAP_SERVER1_USER_BASEDN=dc=example,dc=com
LDAP_SERVER2_USER_BASEDN=dc=example,dc=com
LDAP_SERVER1_USER_REQUEST=(&(objectClass=user)(sAMAccountName={login})(memberOf:1.2.840.113556.1.4.1941:=CN=sonarqube_users,OU=Groups,OU=COMPANYUSERS,DC=example,DC=com))
LDAP_SERVER2_USER_REQUEST=(&(objectClass=user)(sAMAccountName={login})(memberOf:1.2.840.113556.1.4.1941:=CN=sonarqube_users,OU=Groups,OU=COMPANYUSERS,DC=example,DC=com))
LDAP_SERVER1_USER_REALNAMEATTRIBUTE=cn
LDAP_SERVER2_USER_REALNAMEATTRIBUTE=cn
LDAP_SERVER1_USER_EMAILATTRIBUTE=mail
LDAP_SERVER2_USER_EMAILATTRIBUTE=mail
LDAP_SERVER1_GROUP_BASEDN=DC=example,DC=com
LDAP_SERVER2_GROUP_BASEDN=DC=example,DC=com
LDAP_SERVER1_GROUP_REQUEST=(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={dn})(|(sAMAccountName=sonarqube_users)(sAMAccountName=ci_admins)))
LDAP_SERVER2_GROUP_REQUEST=(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={dn})(|(sAMAccountName=sonarqube_users)(sAMAccountName=ci_admins)))
LDAP_SERVER1_GROUP_IDATTRIBUTE=sAMAccountName
LDAP_SERVER2_GROUP_IDATTRIBUTE=sAMAccountName

Having some environment variables set does not mean the Docker container will use them; that's the sense of my question.
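As an added example (not from the thread or from SonarQube), here is the translation rule Ann describes applied to the posted sonar.properties, plus a consistency check that every per-server setting has a counterpart on both servers, which would flag a copy/paste slip such as server2 getting realNameAttribute=mail where emailAttribute was meant. The upper-case/underscore rule is taken as an assumption here, exactly as it is in the thread; the bind password is a placeholder.

```python
"""Translate sonar.properties keys to Docker env var names with the rule from this
thread (upper-case, dots to underscores). Added example, not SonarQube's code."""
import re

# Constructed sample: a trimmed copy of the posted LDAP properties, password
# replaced by a placeholder; the last line reproduces the slip in the posted
# env block (realNameAttribute=mail where emailAttribute was meant).
SAMPLE_PROPERTIES = """
sonar.security.realm=LDAP
# List the different servers
ldap.servers=server1,server2
ldap.server1.url=ldaps://ads01.example.com:636
ldap.server2.url=ldaps://ads02.example.com:636
ldap.server1.bindDn=CN=citools,OU=Execution,OU=COMPANYUSERS,DC=example,DC=com
ldap.server1.bindPassword=<BIND_PASSWORD_PLACEHOLDER>
ldap.server1.user.emailAttribute=mail
ldap.server2.user.realNameAttribute=mail
"""

def parse_properties(text):
    """Active key/value pairs; comments skipped; split on the first '=' only so DNs survive."""
    pairs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            pairs[key.strip()] = value.strip()
    return pairs

def to_env_name(key):
    """ldap.server1.bindDn -> LDAP_SERVER1_BINDDN (the rule Ann proposes; assumed, not verified)"""
    return key.replace(".", "_").upper()

def to_env_lines(text):
    """KEY=value lines for a docker --env-file; values are kept literal."""
    return [f"{to_env_name(k)}={v}" for k, v in parse_properties(text).items()]

def asymmetric_server_keys(text):
    """Per-server settings not defined for every server in ldap.servers (typo or forgotten line)."""
    pairs = parse_properties(text)
    servers = {s.strip() for s in pairs.get("ldap.servers", "").split(",") if s.strip()}
    seen = {}
    for key in pairs:
        m = re.match(r"ldap\.(\w+)\.(.+)$", key)
        if m and m.group(1) in servers:
            seen.setdefault(m.group(2), set()).add(m.group(1))
    return sorted(k for k, s in seen.items() if s != servers)
```

Feed it the real properties file and pipe `to_env_lines` into an env file instead of writing the variables by hand; the bind password then lives in one place rather than in the compose file.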

Hi,

Yes, that’s my guess. But I’ve flagged this for more expert attention.

Ann
