I am trying to get Active Directory authentication working with nested groups. What I mean by that is that I have the following groups set up:
Sonar Users
|- Developers
|  |- User1
|  |- User2
|- SysAdmins
   |- User3
   |- User4
If I place User1/2/3/4 directly in the “Sonar Users” group everything works as expected. However, if I try to place the “Developers” and “SysAdmins” groups inside the “Sonar Users” group, authentication won’t work.
How can I get nested AD groups working? Here’s what I have in my config file:
# Distinguished Name (DN) of the root node in LDAP from which to search for users (mandatory)
ldap.user.baseDn=DC=mydomain,DC=local
# LDAP user request. (default: (&(objectClass=inetOrgPerson)(uid={login})) )
ldap.user.request=(sAMAccountName={0})
# Attribute in LDAP defining the user’s real name. (default: cn)
ldap.user.realNameAttribute=cn
# Attribute in LDAP defining the user’s email. (default: mail)
ldap.user.emailAttribute=mail
# GROUP MAPPING
# Distinguished Name (DN) of the root node in LDAP from which to search for groups. (optional, default: empty)
ldap.group.baseDn=CN=SonarQube Users,OU=Groups,DC=domain,DC=local
# LDAP group request (default: (&(objectClass=groupOfUniqueNames)(uniqueMember={dn})) )
ldap.group.request=(&(objectClass=group)(member={dn}))
ldap.group.idAttribute=sAMAccountName
# Support Active Directory Nested Groups
ldap.windows.compatibilityMode=true
What I see on the web console is: Authentication failed.
What I see in the logs is:
2019.01.02 20:10:14 TRACE web[AWgQII7LjH452GK4AAA6][sql] time=0ms | sql=SELECT u.id as id, u.uuid as uuid, u.login as login, u.name as name, u.email as email, u.active as "active", u.scm_accounts as "scmAccounts", u.salt as "salt", u.crypted_password as "cryptedPassword", u.hash_method as "hashMethod", u.external_id as "externalId", u.external_login as "externalLogin", u.external_identity_provider as "externalIdentityProvider", u.user_local as "local", u.is_root as "root", u.onboarded as "onboarded", u.homepage_type as "homepageType", u.homepage_parameter as "homepageParameter", u.organization_uuid as organizationUuid, u.created_at as "createdAt", u.updated_at as "updatedAt" FROM users u WHERE u.login=? AND u.active=true | params=myusername
2019.01.02 20:10:14 DEBUG web[AWgQII7LjH452GK4AAA6][o.s.p.l.LdapUsersProvider] Requesting details for user myusername
2019.01.02 20:10:14 DEBUG web[AWgQII7LjH452GK4AAA6][o.s.p.l.LdapSearch] Search: LdapSearch{baseDn=DC=domain,DC=local, scope=subtree, request=(sAMAccountName={0}), parameters=[myusername], attributes=[mail, cn]}
2019.01.02 20:10:14 DEBUG web[AWgQII7LjH452GK4AAA6][o.s.p.l.LdapContextFactory] Initializing LDAP context {java.naming.provider.url=ldap://domain-ad1.domain.local:389, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.principal=CN=sonarqube,OU=Special Accounts,OU=AWS,DC=domain,DC=local, com.sun.jndi.ldap.connect.pool=true, java.naming.security.authentication=simple, java.naming.referral=follow}
2019.01.02 20:10:25 TRACE web[][sql] time=0ms | sql=select id, data from notifications order by id asc limit ? | params=1
2019.01.02 20:11:25 TRACE web[][sql] time=1ms | sql=select id, data from notifications order by id asc limit ? | params=1
2019.01.02 20:12:25 TRACE web[][sql] time=1ms | sql=select id, data from notifications order by id asc limit ? | params=1
2019.01.02 20:12:32 TRACE web[][sql] time=1ms | sql=select uuid, doc_type as docType, doc_id as docId, doc_id_type as docIdType, doc_routing as docRouting, created_at as createdAt from es_queue where created_at <= ? order by created_at desc limit ? | params=1546459652929, 10000
2019.01.02 20:13:25 TRACE web[][sql] time=0ms | sql=select id, data from notifications order by id asc limit ? | params=1
2019.01.02 20:14:25 TRACE web[][sql] time=0ms | sql=select id, data from notifications order by id asc limit ? | params=1
Can anyone assist me?
Thanks!
Brad
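Added example (not from the post or from SonarQube): a small in-memory model of the group tree above that evaluates the configured filter `(&(objectClass=group)(member={dn}))` against the configured group base DN, first as a literal direct-membership match and then as a transitive walk over `member`, so the difference between direct and nested membership can be inspected offline. The directory entries and DNs are constructed to mirror the tree in the post.

```python
# Constructed in-memory directory (not from the post) mirroring the
# Sonar Users / Developers / SysAdmins tree. DN -> attributes; 'member'
# holds DNs, as Active Directory does.
GROUPS_OU = "OU=Groups,DC=domain,DC=local"
USERS_OU = "OU=Users,DC=domain,DC=local"
DIRECTORY = {
    f"CN=Sonar Users,{GROUPS_OU}": {
        "objectClass": ["group"],
        "member": [f"CN=Developers,{GROUPS_OU}", f"CN=SysAdmins,{GROUPS_OU}"],
    },
    f"CN=Developers,{GROUPS_OU}": {
        "objectClass": ["group"],
        "member": [f"CN=User1,{USERS_OU}", f"CN=User2,{USERS_OU}"],
    },
    f"CN=SysAdmins,{GROUPS_OU}": {
        "objectClass": ["group"],
        "member": [f"CN=User3,{USERS_OU}", f"CN=User4,{USERS_OU}"],
    },
    **{f"CN=User{i},{USERS_OU}": {"objectClass": ["user"]} for i in range(1, 5)},
}


def in_scope(dn, base_dn):
    """Subtree scope: the entry is base_dn itself or lies beneath it."""
    return dn == base_dn or dn.endswith("," + base_dn)


def direct_groups(member_dn, base_dn):
    """What (&(objectClass=group)(member={dn})) returns under base_dn:
    'member' is compared literally, so only direct parents match."""
    return sorted(
        dn for dn, attrs in DIRECTORY.items()
        if in_scope(dn, base_dn)
        and "group" in attrs["objectClass"]
        and member_dn in attrs.get("member", [])
    )


def nested_groups(member_dn, base_dn):
    """Transitive closure over 'member': parents, parents of parents, ...
    The 'seen' set stops on group cycles, which AD permits. Parents are
    looked up across the whole tree; only the result is scoped."""
    seen, frontier = set(), [member_dn]
    while frontier:
        current = frontier.pop()
        for parent in direct_groups(current, "DC=domain,DC=local"):
            if parent not in seen:
                seen.add(parent)
                frontier.append(parent)
    return sorted(g for g in seen if in_scope(g, base_dn))
```

With the group base DN set to the “Sonar Users” group itself, `direct_groups` for User1 is empty while `nested_groups` returns that group, which is the gap a nested-group lookup has to close.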