Assigning LDAP users to the LDAP Groups in SonarQube

Hello,

We are currently using SonarQube Enterprise version 10.6 and we manage user authorization with LDAPS. However, we are facing a problem: LDAPS users are automatically assigned to the sonar-users group when they log in to SonarQube. Our goal is to correctly assign users to LDAP groups.

Our current LDAPS configuration is as follows:

sonar.security.realm=LDAP
ldap.url=ldaps://ldaps.mycompany.local:636
ldap.bindDn=CN=my CN,OU=GenericMailAccounts,OU=AddressList,DC=mycompany,DC=local
ldap.bindPassword=myldapbindpassword

ldap.user.baseDn=DC=mycompany,DC=local
ldap.user.request=(&(objectClass=user)(sAMAccountName={login}))

ldap.group.baseDn=OU=No Desktop Control,DC=mycompany,DC=local
ldap.group.request=(&(objectClass=group)(memberof={dn}))
sonar.authenticator.downcase=true
sonar.authentication.createUsers=true

At this point I have a few questions:

  • Do we need to manually create LDAP groups in SonarQube beforehand?
  • Is there a mistake in our configuration?
  • Is there a need for additional configuration to correctly assign LDAPS users to LDAP groups?

Thank you in advance for your help.

To be clear, even with group sync working perfectly, sonar-users is a special group that all users will belong to.

Yes.

Your configuration is going to be very specific to your environment, so it’s hard to say. Inputting those values into ldapsearch is a useful way to debug those values. However, first I would focus on the SonarQube logs themselves to see what is being returned when a user logs in.

You can see if Group Mapping is working correctly (SonarQube can find the groups a user belongs to in AD) by turning on DEBUG level logs (Global Administration > System > Log Level), initiating a login by an externally authenticated user and checking your web.log file.

2020.09.23 00:37:52 DEBUG web[AXS3YT9O4P5KvVE3AApT][o.s.s.a.UserRegistrarImpl] List of groups returned by the identity provider ‘[G_Group1, G_Group2]’

You’ll need to adjust your ldap.group.* settings until the proper list of groups is returned.
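
The ldapsearch check suggested in the reply, as an added example that is not part of the original thread or SonarQube's own code: it fills the `{login}` and `{dn}` placeholders of the posted `ldap.*.request` settings and prints the matching OpenLDAP `ldapsearch` commands. The login `jdoe` and the user DN are constructed sample values, and the function names are hypothetical.

```shell
#!/bin/sh
# Settings copied from the question above (bind password deliberately left out).
CONF='ldap.url=ldaps://ldaps.mycompany.local:636
ldap.bindDn=CN=my CN,OU=GenericMailAccounts,OU=AddressList,DC=mycompany,DC=local
ldap.user.baseDn=DC=mycompany,DC=local
ldap.user.request=(&(objectClass=user)(sAMAccountName={login}))
ldap.group.baseDn=OU=No Desktop Control,DC=mycompany,DC=local
ldap.group.request=(&(objectClass=group)(memberof={dn}))'

# prop KEY: value of KEY; literal prefix match, so dots in the key are not wildcards.
prop() {
  printf '%s\n' "$CONF" |
    awk -v k="$1=" 'index($0, k) == 1 { print substr($0, length(k) + 1); exit }'
}

# ldap_escape VALUE: RFC 4515 escaping, so a login or DN containing \ * ( )
# is matched literally instead of changing the structure of the filter.
ldap_escape() {
  printf '%s' "$1" |
    sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# render KEY NAME VALUE: replace the {NAME} placeholder in setting KEY with VALUE.
render() {
  tmpl=$(prop "$1"); ph="{$2}"; val=$(ldap_escape "$3")
  case $tmpl in
    *"$ph"*) head=${tmpl%%"$ph"*}; tail=${tmpl#*"$ph"}
             printf '%s\n' "$head$val$tail" ;;
    *)       printf '%s\n' "$tmpl" ;;
  esac
}

# search_cmd user LOGIN | group USER_DN: print (do not run) the ldapsearch command.
# -W prompts for the bind password, keeping it out of shell history and process lists.
search_cmd() {
  case $1 in
    user)  name=login; attr=dn ;;
    group) name=dn;    attr=cn ;;
    *)     return 1 ;;
  esac
  printf "ldapsearch -x -H '%s' -D '%s' -W -b '%s' '%s' %s\n" \
    "$(prop ldap.url)" "$(prop ldap.bindDn)" "$(prop "ldap.$1.baseDn")" \
    "$(render "ldap.$1.request" "$name" "$2")" "$attr"
}

search_cmd user 'jdoe'    # constructed login
search_cmd group 'CN=Doe\, John (Ops),OU=Staff,DC=mycompany,DC=local'    # constructed DN
```

Run the first command, copy the returned DN into the second, and compare its output with the group list in the DEBUG line of web.log. If the group search returns nothing, check that the attribute in the filter is the one your directory uses for membership (Active Directory group objects list their members in `member`).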