AD user not automatically removed when group membership changes in Active Directory

Connect Sonar 8.3 to Active Directory. Create a group with the same name as an AD group.
Log on with an AD user who is a member of this group and the user will be automatically added to the group.
But when this AD user is no longer a member of the mapped AD group, the Sonar account is not removed from the Sonar group, which leaves unwanted accounts in the Sonar group.

Howdy!

Thank you for reaching out to the community. Can you confirm how the user was removed from the group in AD? Group mapping is searched for a user upon login with a simple LDAP search defined by ldap.group.request, so we’ll want to make sure that the affected users were removed in a way that reflects in an ldap search of the ldap.group.request. If we could get a snippet from the web.log while logging in with one of the users, preferably with debug logging enabled, that would also be helpful.
Please send that info in when you can.

Hi Joshua,

Thanks for reaching back to me.

I tested it with a couple of users. One was my own account which I just simply removed from the AD group using ADUC.

The account itself was not removed.

Another scenario is removing the complete AD account (e.g. someone leaving the company). This gives the same result.

I will send the logs later today.


Hi Joshua,

The problem is slightly different than I thought.

Group membership will change as long as the user exists and logs in to Sonar.

When removing the account Sonar will not get an update about this.

I kept a manual log about the actions I performed and logs are included as well.

(Created a jmartin account for testing.)

09:40 12-5-2020 login with jmartin not member of any ad group

09:41 12-5-2020 logout with jmartin

09:41 12-5-2020 login with admin to check group membership. Confirmed jmartin is only member of sonar-users

09:42 12-5-2020 logout with admin

09:44 12-5-2020 make jmartin member of DL_APP_SONARQUBE_DM_NL

09:44 12-5-2020 login with jmartin being member of DL_APP_SONARQUBE_DM_NL

09:45 12-5-2020 logout with jmartin

09:45 12-5-2020 login with admin to check group membership

09:46 12-5-2020 confirmed jmartin is member of DL_APP_SONARQUBE_DM_NL

09:46 12-5-2020 logout with admin account

09:46 12-5-2020 remove jmartin from DL_APP_SONARQUBE_DM_NL

09:47 12-5-2020 jmartin still member of DL_APP_SONARQUBE_DM_NL

09:48 12-5-2020 login with jmartin

09:48 12-5-2020 logout with jmartin

09:48 12-5-2020 login with admin to check group membership

09:48 12-5-2020 jmartin is removed from group in sonar

09:49 12-5-2020 logout with jmartin

09:49 12-5-2020 make jmartin member of DL_APP_SONARQUBE_DM_NL again

09:50 12-5-2020 login with jmartin again

09:50 12-5-2020 logout with jmartin

09:51 12-5-2020 login with admin to check group membership

09:51 12-5-2020 confirm jmartin is member of DL_APP_SONARQUBE_DM_NL

09:51 12-5-2020 logout admin

09:51 12-5-2020 remove jmartin account from Active Directory

09:52 12-5-2020 login with jmartin. Failed to authenticate as expected.

09:52 12-5-2020 login with admin to check group membership

09:53 12-5-2020 jmartin still exists and is still member of DL_APP_SONARQUBE_DM_NL

09:53 12-5-2020 logout with admin account

09:53 12-5-2020 login with srijkenberg

09:54 12-5-2020 logout with srijkenberg

09:54 12-5-2020 login with admin

09:54 12-5-2020 confirmed that jmartin still exists and is member of DL_APP_SONARQUBE_DM_NL

09:54 12-5-2020 make srijkenberg member of DL_APP_SONARQUBE_DM_NL

09:55 12-5-2020 logout admin

09:55 12-5-2020 login with srijkenberg

09:55 12-5-2020 logout with srijkenberg (group membership should change now)

09:56 12-5-2020 login with admin

09:56 12-5-2020 jmartin does still exist


access2.zip (59.2 KB)

Hey there!

Thanks for sending that info in (and thank you for including my name in the test cases, I thought that was fun). It helped me understand better, and it looks like what’s happening here is a result of when SonarQube syncs user and group information with LDAP/AD, which is more event-based.

Basically, once AD login is enabled, the SonarQube server connects to AD whenever a login is attempted. First, SonarQube will send an LDAP search to the AD server searching for the user with the given password, and if that’s successful, it will submit a second LDAP search that searches for the groups the user belongs to. It then proceeds to sync that user with any new or removed groups. There’s some text in our Delegating Auth Doc that partially indicates that functionality.

When group mapping is configured, the delegated authentication source becomes the one and only place to manage group membership, and the user’s groups are re-fetched with each login.

So I think where this leaves us is that when an AD user is deleted in AD, that user must be manually deleted/deactivated in SonarQube (we have a Jira about implementing full deletion that’s ongoing). AND if that user is simply being taken out of a group in AD, that account needs to log into SonarQube for the group changes to sync up.

I think that might answer your question, but please let me know if I missed something or if you’re curious about the information above.

Cheers,
Josh
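A small model of the login-triggered sync Josh describes, replaying the 12-5-2020 test log, together with the reconciliation check an administrator would want to run on a schedule, since that sync never fires for an account that has been deleted in AD. This is an added example, not SonarQube's code: every user, group and directory snapshot is constructed, and the two LDAP searches are reduced to set lookups.

```python
MAPPED_GROUP = "DL_APP_SONARQUBE_DM_NL"  # same group name exists in AD and in Sonar


def sync_on_login(sonar_users, sonar_groups, ad_users, ad_groups, login):
    """Event-based sync: runs only when `login` authenticates against AD.
    Returns True on success, False if AD rejects (or no longer has) the user."""
    if login not in ad_users:
        return False  # deleted AD account: no login event, Sonar state untouched
    sonar_users.add(login)
    # Second LDAP search: which AD groups hold this user right now?
    ad_member_of = {g for g, members in ad_groups.items() if login in members}
    for group, members in sonar_groups.items():
        if group not in ad_groups:
            continue  # Sonar-local group with no AD counterpart is left alone
        if group in ad_member_of:
            members.add(login)
        else:
            members.discard(login)
    return True


def find_stale(sonar_users, sonar_groups, ad_users, ad_groups):
    """Scheduled reconciliation: Sonar accounts gone from AD, and mapped-group
    memberships AD no longer grants but nobody has logged in to refresh."""
    orphaned = sorted(sonar_users - ad_users)
    stale = sorted((g, u) for g, members in sonar_groups.items()
                   if g in ad_groups for u in members if u not in ad_groups[g])
    return orphaned, stale


def replay_thread():
    """Replays the 12-5-2020 test log; returns findings after each key step."""
    sonar_users, sonar_groups = set(), {MAPPED_GROUP: set(), "sonar-users": set()}
    ad_users, ad_groups = {"jmartin", "srijkenberg"}, {MAPPED_GROUP: {"jmartin"}}
    sync_on_login(sonar_users, sonar_groups, ad_users, ad_groups, "jmartin")  # 09:44
    ad_groups[MAPPED_GROUP].discard("jmartin")  # 09:46 removed in AD, no login yet
    after_removal = find_stale(sonar_users, sonar_groups, ad_users, ad_groups)
    sync_on_login(sonar_users, sonar_groups, ad_users, ad_groups, "jmartin")  # 09:48
    after_relogin = find_stale(sonar_users, sonar_groups, ad_users, ad_groups)
    ad_groups[MAPPED_GROUP].add("jmartin")  # 09:49
    sync_on_login(sonar_users, sonar_groups, ad_users, ad_groups, "jmartin")  # 09:50
    ad_users.discard("jmartin")  # 09:51 account deleted from AD (drops its memberships)
    ad_groups[MAPPED_GROUP].discard("jmartin")
    sync_on_login(sonar_users, sonar_groups, ad_users, ad_groups, "jmartin")  # 09:52 fails
    ad_groups[MAPPED_GROUP].add("srijkenberg")  # 09:54
    sync_on_login(sonar_users, sonar_groups, ad_users, ad_groups, "srijkenberg")  # 09:55
    after_deletion = find_stale(sonar_users, sonar_groups, ad_users, ad_groups)
    return after_removal, after_relogin, after_deletion
```

Calling replay_thread() shows the stale membership appearing at 09:46, clearing once jmartin logs in at 09:48, and the orphaned account plus its membership surviving after the AD deletion at 09:51 even though srijkenberg's later login triggered a sync.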