Changing authentication to LDAPS

Our company is using SonarQube 7.9.4 (LTS) with Java 11 running on a Windows Server 2016 Standard.

Due to the upcoming LDAP deactivation through Windows Updates, we tried to change the authentication to LDAPS (according to the guides and config in sonar.properties / Delegating Authentication | SonarQube Docs).

Setting the corresponding configuration parameters in sonar.properties (url and port = ldaps://server:636) did not succeed. I also tried to add our root certificate to the Java trust store and set StartTLS to true, but no change. (I’m not quite sure if I did this part with the cert correctly and whether it’s really using it.)

Result of all tests: the Domain Controller still receives non-secure LDAP requests from SonarQube, even when ldap.url is set to ldaps on port 636, and the authentication seems to work “properly”.

Hi,

Welcome to the community!

What errors are you getting?

Ann

Hi Ann,

No errors from SonarQube side when changing the config to ldaps.

From DC eventlog:
The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.

Sam

Hi @sam.g,

If you enable DEBUG logs (set sonar.log.level=DEBUG in your configuration file), $SONAR_HOME/logs/web.log will contain more details about LDAP authentication. Perhaps this can give us some more insight.

Meanwhile, is ldap.StartTLS always set to true? Can you double check that:

  • ldap.url is correct (protocol, domain, and port; ldaps://host:636)
  • ldap.StartTLS is false

and then try again? LDAP over TLS is not the same as LDAPS, and setting this flag to true might be the reason it’s failing.
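The rule in the reply above (ldaps:// on 636 means ldap.StartTLS=false; StartTLS is only meaningful on a plain ldap:// URL) as a check you can run against sonar.properties before restarting the service. This is an added example and is not part of the original thread or of SonarQube; it uses the documented ldap.url and ldap.StartTLS keys, the property fragments at the bottom are constructed, and the FQDN warning is my addition (the JVM verifies the server name in the URL against the certificate's subjectAltName on LDAPS connections).

```python
"""Consistency check for the LDAP transport settings in sonar.properties.

Added example, not part of the original thread or of SonarQube. ldaps:// is TLS
from the first byte (port 636) and needs ldap.StartTLS=false; ldap.StartTLS=true
only makes sense together with a plain ldap:// URL (port 389). The combination
ldap:// without StartTLS is the one that leaves the DC logging cleartext binds.
"""
import ipaddress
from urllib.parse import urlsplit

URL_KEY = "ldap.url"            # documented SonarQube LDAP keys
STARTTLS_KEY = "ldap.StartTLS"
DEFAULT_PORT = {"ldap": 389, "ldaps": 636}


def parse_properties(text: str) -> dict:
    """Minimal java.util.Properties reader: key=value or key: value, #/! comments, no escapes."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_ldap_transport(props: dict) -> list:
    """Return findings for the ldap.url / ldap.StartTLS pair; an empty list means it is consistent."""
    findings = []
    url = props.get(URL_KEY, "")
    starttls = props.get(STARTTLS_KEY, "false").strip().lower() == "true"
    if not url:
        return [f"{URL_KEY} is not set; no LDAP realm will be started"]
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    port = parts.port or DEFAULT_PORT.get(scheme)

    if scheme == "ldaps":
        if starttls:
            findings.append(f"{URL_KEY} is ldaps:// but {STARTTLS_KEY}=true: StartTLS is an "
                            "upgrade of a plain ldap:// session and must be false here")
        if port == 389:
            findings.append("ldaps:// on port 389: the DC speaks cleartext LDAP there, the TLS handshake will fail")
        # Endpoint identification: the name in the URL is matched against the certificate.
        if host and (_is_ip(host) or "." not in host):
            findings.append(f"host {host!r} is not an FQDN: the server name in {URL_KEY} is checked "
                            "against the certificate's subjectAltName, use the name the certificate was issued for")
    elif scheme == "ldap":
        if not starttls:
            findings.append("plain ldap:// without StartTLS: the simple bind and the service account password "
                            "cross the network in cleartext (the DC logs this as an unsigned/clear-text bind)")
        if port == 636:
            findings.append("ldap:// on port 636: the DC expects TLS there and will close the connection")
    else:
        findings.append(f"{URL_KEY} has unsupported scheme {scheme!r}; use ldap:// or ldaps://")
    return findings


def lint(text: str) -> list:
    """Parse a sonar.properties text and return the transport findings."""
    return check_ldap_transport(parse_properties(text))


# Constructed sonar.properties fragments (hypothetical host, not the thread's servers).
CLEARTEXT_PROPERTIES = "ldap.url=ldap://dc01.corp.example:389\nldap.StartTLS=false\n"
MIXED_PROPERTIES = "ldap.url=ldaps://dc01.corp.example:636\nldap.StartTLS=true\n"
GOOD_PROPERTIES = "ldap.url=ldaps://dc01.corp.example\nldap.StartTLS=false\n"

if __name__ == "__main__":
    for name, text in [("cleartext", CLEARTEXT_PROPERTIES), ("mixed", MIXED_PROPERTIES), ("good", GOOD_PROPERTIES)]:
        print(name, lint(text) or "ok")
```

Run it on the real file with `lint(open("conf/sonar.properties").read())`; an empty list is the configuration the later "solved" post in this thread ends up with.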

Hi @Wouter_Admiraal,

Thanks for your contribution. I’ve set the log to debug and made the test twice:

  1. Setting ldaps://host:636 and StartTLS false did not start up the SonarQube service correctly (it stops a few seconds after starting).
  2. Setting back to ldap://host:389, the service started; login works and is verified in web.log.

The log writes the following when using ldap.url with ldaps on 636:

2020.09.21 08:44:18 INFO  web[][o.s.p.l.LdapContextFactory] Test LDAP connection: FAIL
2020.09.21 08:44:18 ERROR web[][o.s.s.p.Platform] Background initialization failed. Stopping SonarQube
org.sonar.api.utils.SonarException: Security realm fails to start: Unable to open LDAP connection
	at org.sonar.server.user.SecurityRealmFactory.start(SecurityRealmFactory.java:93)
	at org.sonar.core.platform.StartableCloseableSafeLifecyleStrategy.start(StartableCloseableSafeLifecyleStrategy.java:40)
	at org.picocontainer.injectors.AbstractInjectionFactory$LifecycleAdapter.start(AbstractInjectionFactory.java:84)
	at org.picocontainer.behaviors.AbstractBehavior.start(AbstractBehavior.java:169)
	at org.picocontainer.behaviors.Stored$RealComponentLifecycle.start(Stored.java:132)
	at org.picocontainer.behaviors.Stored.start(Stored.java:110)
	at org.picocontainer.DefaultPicoContainer.potentiallyStartAdapter(DefaultPicoContainer.java:1016)
	at org.picocontainer.DefaultPicoContainer.startAdapters(DefaultPicoContainer.java:1009)
	at org.picocontainer.DefaultPicoContainer.start(DefaultPicoContainer.java:767)
	at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:135)
	at org.sonar.server.platform.platformlevel.PlatformLevel.start(PlatformLevel.java:90)
	at org.sonar.server.platform.platformlevel.PlatformLevel4.start(PlatformLevel4.java:545)
	at org.sonar.server.platform.Platform.start(Platform.java:211)
	at org.sonar.server.platform.Platform.startLevel34Containers(Platform.java:185)
	at org.sonar.server.platform.Platform.access$500(Platform.java:46)
	at org.sonar.server.platform.Platform$1.lambda$doRun$0(Platform.java:119)
	at org.sonar.server.platform.Platform$AutoStarterRunnable.runIfNotAborted(Platform.java:371)
	at org.sonar.server.platform.Platform$1.doRun(Platform.java:119)
	at org.sonar.server.platform.Platform$AutoStarterRunnable.run(Platform.java:355)
	at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: org.sonar.plugins.ldap.LdapException: Unable to open LDAP connection
	at org.sonar.plugins.ldap.LdapContextFactory.testConnection(LdapContextFactory.java:211)
	at org.sonar.plugins.ldap.LdapRealm.init(LdapRealm.java:63)
	at org.sonar.server.user.SecurityRealmFactory.start(SecurityRealmFactory.java:87)
	... 19 common frames omitted
Caused by: javax.naming.CommunicationException: simple bind failed: chbeidsp153.tierverkehr.ch:636
	at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
	at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2795)
	at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:320)
	at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
	at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
	at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
	at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
	at java.naming/javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:730)
	at java.naming/javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
	at java.naming/javax.naming.InitialContext.init(InitialContext.java:236)
	at java.naming/javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
	at org.sonar.plugins.ldap.LdapContextFactory.createInitialDirContext(LdapContextFactory.java:134)
	at org.sonar.plugins.ldap.LdapContextFactory.createBindContext(LdapContextFactory.java:96)
	at org.sonar.plugins.ldap.LdapContextFactory.testConnection(LdapContextFactory.java:207)
	... 21 common frames omitted
Caused by: java.net.SocketException: Connection or outbound has closed
	at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:976)
	at java.base/java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:81)
	at java.base/java.io.BufferedOutputStream.flush(BufferedOutputStream.java:142)
	at java.naming/com.sun.jndi.ldap.Connection.writeRequest(Connection.java:398)
	at java.naming/com.sun.jndi.ldap.Connection.writeRequest(Connection.java:371)
	at java.naming/com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359)
	at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
	... 34 common frames omitted
2020.09.21 08:44:18 DEBUG web[][o.s.s.p.Platform] Background initialization of SonarQube done
2020.09.21 08:44:18 INFO  web[][o.s.p.ProcessEntryPoint] Hard stopping process
2020.09.21 08:44:18 DEBUG web[][o.s.s.a.TomcatAccessLog] Tomcat is stopped
2020.09.21 08:45:50 INFO  web[][o.s.p.ProcessEntryPoint] Starting web

Thank you
Sam

Thanks for the extra info. I take it you can make requests over LDAPS using other methods? I.e., other services use it over LDAPS, or you can ping it using some other remote tool over LDAPS?

Yes, we’re using LDAPS on many other products / services which are working properly.

OK. Well, in that case, can you give us some excerpts from your logs in DEBUG mode (startup binding + a successful authentication)? To see how the communication with LDAP is doing.

Herewith the output of web.log from a successful LDAP authentication:

2020.09.28 09:13:40 DEBUG web[AXSvaa+Rh/F2/hcuACWs][jdk.event.security] X509Certificate: Alg:SHA1withRSA, Serial:26bbd10036f9a28e4aea7b5c589cfb7f, Subject:CN=SSL_Self_Signed_Fallback, Issuer:CN=SSL_Self_Signed_Fallback, Key type:RSA, Length:2048, Cert Id:-2124546934, Valid from:11.09.20, 12:00, Valid until:11.09.50, 12:00
2020.09.28 09:13:40 DEBUG web[AXSvaa+Rh/F2/hcuACWs][jdk.event.security]  TLSHandshake: localhost:1433, TLSv1.2, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, -2124546934
2020.09.28 09:13:45 DEBUG web[AXSvaa+Rh/F2/hcuACW8][o.s.p.l.LdapUsersProvider] Requesting details for user sger
2020.09.28 09:13:45 DEBUG web[AXSvaa+Rh/F2/hcuACW8][o.s.p.l.LdapSearch] Search: LdapSearch{baseDn=OU=Users,DC=domain,DC=com, scope=subtree, request=(sAMAccountName={0}), parameters=[sger], attributes=[email, name]}
2020.09.28 09:13:45 DEBUG web[AXSvaa+Rh/F2/hcuACW8][o.s.p.l.LdapContextFactory] Initializing LDAP context {java.naming.referral=follow, java.naming.security.principal=CN=ldap sonar,OU=Users,DC=domain,DC=com, com.sun.jndi.ldap.connect.pool=true, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.provider.url=ldap://servername.domain.com:389, java.naming.security.authentication=simple}
2020.09.28 09:13:45 DEBUG web[AXSvaa+Rh/F2/hcuACW8][o.s.p.l.LdapSearch] Search: LdapSearch{baseDn=OU=Users,DC=domain,DC=com, scope=subtree, request=(sAMAccountName={0}), parameters=[sger], attributes=null}
2020.09.28 09:13:45 DEBUG web[AXSvaa+Rh/F2/hcuACW8][o.s.p.l.LdapContextFactory] Initializing LDAP context {java.naming.referral=follow, java.naming.security.principal=CN=ldap sonar,OU=users,DC=domain,DC=com, com.sun.jndi.ldap.connect.pool=true, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.provider.url=ldap://servername.domain.com:389, java.naming.security.authentication=simple}
2020.09.28 09:13:45 DEBUG web[AXSvaa+Rh/F2/hcuACW8][o.s.p.l.LdapContextFactory] Initializing LDAP context {java.naming.referral=follow, java.naming.security.principal=CN=Name,OU=Users,DC=domain,DC=com, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.provider.url=ldap://servername.domain.com:389, java.naming.security.authentication=simple}
2020.09.28 09:13:45 DEBUG web[AXSvaa+Rh/F2/hcuACW8][auth.event] login success [method|FORM][provider|REALM|LDAP][IP|192.168.100.11|192.168.1.1:64269][login|sger]

Hello,
I’m experiencing the same problem when I try to configure LDAPS. Actually, on our SonarQube 8.2 we are using LDAP, but for security reasons we need to change to LDAPS.
I changed ‘ldap.StartTLS’ to true and configured the host to use port 636, but after that SonarQube doesn’t start; after a few seconds it stops with this error:

2022.02.24 18:41:07 INFO  web[][o.s.a.l.LdapContextFactory] Test LDAP connection: FAIL
2022.02.24 18:41:07 ERROR web[][o.s.s.p.Platform] Background initialization failed. Stopping SonarQube
org.sonar.api.utils.SonarException: Security realm fails to start: Unable to open LDAP connection
        at org.sonar.server.user.SecurityRealmFactory.start(SecurityRealmFactory.java:93)
        at org.sonar.core.platform.StartableCloseableSafeLifecyleStrategy.start(StartableCloseableSafeLifecyleStrategy.java:40)
        at org.picocontainer.injectors.AbstractInjectionFactory$LifecycleAdapter.start(AbstractInjectionFactory.java:84)
        at org.picocontainer.behaviors.AbstractBehavior.start(AbstractBehavior.java:169)
        at org.picocontainer.behaviors.Stored$RealComponentLifecycle.start(Stored.java:132)
        at org.picocontainer.behaviors.Stored.start(Stored.java:110)
        at org.picocontainer.DefaultPicoContainer.potentiallyStartAdapter(DefaultPicoContainer.java:1016)
        at org.picocontainer.DefaultPicoContainer.startAdapters(DefaultPicoContainer.java:1009)
        at org.picocontainer.DefaultPicoContainer.start(DefaultPicoContainer.java:767)
        at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:136)
        at org.sonar.server.platform.platformlevel.PlatformLevel.start(PlatformLevel.java:90)
        at org.sonar.server.platform.platformlevel.PlatformLevel4.start(PlatformLevel4.java:581)
        at org.sonar.server.platform.PlatformImpl.start(PlatformImpl.java:213)
        at org.sonar.server.platform.PlatformImpl.startLevel34Containers(PlatformImpl.java:187)
        at org.sonar.server.platform.PlatformImpl.access$500(PlatformImpl.java:46)
        at org.sonar.server.platform.PlatformImpl$1.lambda$doRun$0(PlatformImpl.java:120)
        at org.sonar.server.platform.PlatformImpl$AutoStarterRunnable.runIfNotAborted(PlatformImpl.java:370)
        at org.sonar.server.platform.PlatformImpl$1.doRun(PlatformImpl.java:120)
        at org.sonar.server.platform.PlatformImpl$AutoStarterRunnable.run(PlatformImpl.java:354)
        at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: org.sonar.auth.ldap.LdapException: Unable to open LDAP connection
        at org.sonar.auth.ldap.LdapContextFactory.testConnection(LdapContextFactory.java:214)
        at org.sonar.auth.ldap.LdapRealm.init(LdapRealm.java:63)
        at org.sonar.server.user.SecurityRealmFactory.start(SecurityRealmFactory.java:87)
        ... 19 common frames omitted
Caused by: javax.naming.NamingException: LDAP connection has been closed
        at java.naming/com.sun.jndi.ldap.LdapRequest.getReplyBer(LdapRequest.java:133)

Has someone had the same problem and could give me help?
Thanks
Regards
M

The version of sonarqube is 8.9.2

Hello,
I solved the issue.
In the sonar.properties file I set ldap.url with “ldaps” and ldap.StartTLS to false:
ldap.url=ldaps://fqdn
ldap.StartTLS=false

In ldap.url no port is necessary if you use the standard port (636).
Regards

SonarQube 9.5.0
LDAP integration works fine with ldap.url ldap://
Need to switch to ldaps://domain:customport

I was able to test the connection to the new LDAPS server with the ldapsearch tool.
It works when I export LDAPTLS_REQCERT=never

ldap.url=ldaps://fqdn
ldap.StartTLS=false
doesn’t work for me.

Any suggestions ?
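The ldapsearch observation in the post above (it only works with LDAPTLS_REQCERT=never) is the usual hint that the DC's certificate is not trusted by the client, or that the name in ldap.url is not one the certificate was issued for. ldapsearch lets you switch those checks off; the JVM does not, and web.log only shows "Unable to open LDAP connection" with a closed-socket cause. The probe below, an added example that is not part of the thread or of SonarQube, opens the LDAPS port with chain and hostname verification against a CA file of your choice and reports the issuer and subjectAltName of the server certificate. The sample certificate dictionary, the host dc01.corp.example and the file names are constructed; the JVM trust store location and the keytool command in the usage note are for JDK 11.

```python
"""Probe an LDAPS endpoint with the same checks the JDK's LDAP client applies.

Added example, not part of the original thread or of SonarQube. With
verification on, a DC certificate issued by a CA missing from the trust store,
or a subjectAltName that does not contain the host named in ldap.url, fails the
handshake; ldapsearch with LDAPTLS_REQCERT=never hides exactly those two errors.
"""
import socket
import ssl
from typing import Optional


def san_dns_names(cert: dict) -> list:
    """DNS entries of subjectAltName from a cert dict in ssl.getpeercert() shape."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(hostname: str, cert: dict) -> bool:
    """Match hostname against SAN DNS names: exact, or a single left-most wildcard label."""
    host = hostname.lower().rstrip(".")
    for pattern in san_dns_names(cert):
        pattern = pattern.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*.") and "." in host and host.split(".", 1)[1] == pattern[2:]:
            return True
    return False


def _fetch_leaf_pem(host: str, port: int, timeout: float) -> Optional[str]:
    """Fetch the server certificate WITHOUT verification, only to show who issued it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))
    except (ssl.SSLError, OSError):
        return None


def probe_ldaps(host: str, port: int = 636, cafile: Optional[str] = None,
                timeout: float = 5.0) -> dict:
    """TLS-connect to host:port verifying chain and name, as the JDK does for ldaps://.

    cafile: PEM bundle with the root you imported into the JVM trust store; None uses
    the local OpenSSL default store. Returns 'ok', 'error' and, on success, the issuer
    DN, SAN names and whether the name you connected to matches them; on a
    verification failure it also returns the unverified leaf as PEM for inspection.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {
                    "ok": True,
                    "error": None,
                    "protocol": tls.version(),
                    "issuer": {k: v for rdn in cert["issuer"] for k, v in rdn},
                    "san": san_dns_names(cert),
                    "name_ok": hostname_matches(host, cert),
                }
    except ssl.SSLCertVerificationError as exc:
        # Untrusted chain or name mismatch: the JVM fails here too and closes the socket.
        return {"ok": False, "error": exc.verify_message,
                "leaf_pem": _fetch_leaf_pem(host, port, timeout)}
    except (ssl.SSLError, OSError) as exc:
        # Refused/closed connection, timeout, or a non-TLS service on the port.
        return {"ok": False, "error": str(exc)}


# Constructed example of a DC certificate in ssl.getpeercert() shape (not a real cert).
SAMPLE_CERT = {
    "subject": ((("commonName", "dc01.corp.example"),),),
    "issuer": ((("domainComponent", "example"),), (("domainComponent", "corp"),),
               (("commonName", "corp-CA"),)),
    "subjectAltName": (("DNS", "dc01.corp.example"), ("DNS", "corp.example"),
                       ("othername", "<unsupported>")),
}

if __name__ == "__main__":
    import json
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "dc01.corp.example"   # hypothetical DC
    cafile = sys.argv[2] if len(sys.argv) > 2 else None                # e.g. corp-root.pem
    print(json.dumps(probe_ldaps(host, cafile=cafile), indent=2))
```

If the probe succeeds with your CA file but SonarQube still cannot open the connection, the JVM that runs the web process is not trusting that CA: on JDK 11 import it with `keytool -importcert -trustcacerts -keystore "$JAVA_HOME/lib/security/cacerts" -alias corp-root -file corp-root.pem` (default store password changeit) and restart SonarQube, or point the web process at a separate store through `sonar.web.javaAdditionalOpts=-Djavax.net.ssl.trustStore=...`. If `name_ok` is false, the host in ldap.url has to be changed to one of the names listed under `san`.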

Have you solved it? I’m still getting this error.

Having the same error, any solution?

Hi all,

Same here …
With ldap.StartTLS=true and ldap.url=ldaps://…:636 Sonar won’t even start up.
The error in the Sonar log is:

2023.09.25 08:32:01 DEBUG app[][o.a.h.i.n.c.ManagedNHttpClientConnectionImpl] http-outgoing-0 127.0.0.1:61562<->127.0.0.1:9009[ACTIVE][r:r]: Remove attribute http.nio.exchange-handler
2023.09.25 08:32:01 DEBUG app[][o.a.h.i.n.c.PoolingNHttpClientConnectionManager] Releasing connection: [id: http-outgoing-0][route: {}->http://localhost.localdomain:9009][total kept alive: 0; route allocated: 1 of 10; total allocated: 1 of 30]
2023.09.25 08:32:01 DEBUG app[][o.a.h.i.n.c.PoolingNHttpClientConnectionManager] Connection [id: http-outgoing-0][route: {}->http://localhost.localdomain:9009] can be kept alive indefinitely
2023.09.25 08:32:01 DEBUG app[][o.a.h.i.n.c.ManagedNHttpClientConnectionImpl] http-outgoing-0 127.0.0.1:61562<->127.0.0.1:9009[ACTIVE][r:r]: Set timeout 0
2023.09.25 08:32:01 DEBUG app[][o.a.h.i.n.c.PoolingNHttpClientConnectionManager] Connection released: [id: http-outgoing-0][route: {}->http://localhost.localdomain:9009][total kept alive: 1; route allocated: 1 of 10; total allocated: 1 of 30]
2023.09.25 08:32:01 DEBUG app[][o.a.h.i.n.c.InternalIODispatch] http-outgoing-0 [ACTIVE] [content length: 388; pos: 388; completed: true]
2023.09.25 08:32:01 DEBUG app[][o.e.c.RestClient] request [GET http://localhost.localdomain:9009/_cluster/health?master_timeout=30s&level=cluster&timeout=30s&wait_for_status=yellow] returned [HTTP/1.1 200 OK]
2023.09.25 08:32:01 DEBUG app[][o.a.h.i.n.c.PoolingNHttpClientConnectionManager] Connection manager is shutting down
2023.09.25 08:32:02 DEBUG app[][o.a.h.i.n.c.ManagedNHttpClientConnectionImpl] http-outgoing-0 127.0.0.1:61562<->127.0.0.1:9009[ACTIVE][r:r]: Close
2023.09.25 08:32:02 DEBUG app[][o.a.h.i.n.c.InternalIODispatch] http-outgoing-0 [CLOSED]: Disconnected
2023.09.25 08:32:02 DEBUG app[][o.a.h.i.n.c.PoolingNHttpClientConnectionManager] Connection manager shut down
2023.09.25 08:32:02 INFO  app[][o.s.a.SchedulerImpl] Process[es] is up
2023.09.25 08:32:02 DEBUG app[][o.s.a.p.ManagedProcessLifecycle] EventWatcher[ElasticSearch] tryToMoveTo ElasticSearch from STARTED to STARTING => false
2023.09.25 08:32:02 DEBUG app[][o.s.a.p.ManagedProcessLifecycle] EventWatcher[ElasticSearch] tryToMoveTo Web Server from INIT to STARTING => true
2023.09.25 08:32:02 INFO  app[][o.s.a.ProcessLauncherImpl] Launch process[WEB_SERVER] from [/opt/sonardev/sonarqube-10.2.0.77647]: /usr/lib/jvm/java-17-openjdk-amd64/bin/java -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djava.io.tmpdir=/opt/sonardev/sonarqube-10.2.0.77647/temp -XX:-OmitStackTraceInFastThrow --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED --add-exports=java.base/jdk.internal.ref=ALL-UNNAMED --add-opens=java.base/java.nio=ALL-UNNAMED --add-opens=java.base/sun.nio.ch=ALL-UNNAMED --add-opens=java.management/sun.management=ALL-UNNAMED --add-opens=jdk.management/com.sun.management.internal=ALL-UNNAMED -Dcom.redhat.fips=false -Xmx512m -Xms128m -XX:+HeapDumpOnOutOfMemoryError -Dhttp.nonProxyHosts=localhost|127.*|[::1] -cp ./lib/sonar-application-10.2.0.77647.jar:/opt/sonardev/sonarqube-10.2.0.77647/lib/jdbc/postgresql/postgresql-42.6.0.jar org.sonar.server.app.WebServer /opt/sonardev/sonarqube-10.2.0.77647/temp/sq-process6730512619429234796properties
2023.09.25 08:32:02 DEBUG app[][o.s.a.p.ManagedProcessLifecycle] EventWatcher[ElasticSearch] tryToMoveTo Web Server from STARTING to STARTED => true
2023.09.25 08:32:07 DEBUG app[][o.s.a.p.AbstractManagedProcess] Process exited with exit value [Web Server]: 0
2023.09.25 08:32:07 DEBUG app[][o.s.a.p.ManagedProcessLifecycle] StopWatcher[Web Server] tryToMoveTo Web Server from STARTED to HARD_STOPPING => true
2023.09.25 08:32:07 DEBUG app[][o.s.a.p.ManagedProcessLifecycle] StopWatcher[Web Server] tryToMoveTo Web Server from HARD_STOPPING to FINALIZE_STOPPING => true
2023.09.25 08:32:07 INFO  app[][o.s.a.SchedulerImpl] Process[Web Server] is stopped
2023.09.25 08:32:07 DEBUG app[][o.s.a.p.ManagedProcessLifecycle] StopWatcher[Web Server] tryToMoveTo Web Server from FINALIZE_STOPPING to STOPPED => true
2023.09.25 08:32:07 DEBUG app[][o.s.a.NodeLifecycle] HardStopper-0 tryToMoveTo from STARTING to HARD_STOPPING => true
2023.09.25 08:32:07 DEBUG app[][o.s.a.p.ManagedProcessLifecycle] HardStopper-0 tryToMoveTo Compute Engine from INIT to HARD_STOPPING => false
2023.09.25 08:32:07 DEBUG app[][o.s.a.p.ManagedProcessLifecycle] HardStopper-0 tryToMoveTo Web Server from STOPPED to HARD_STOPPING => false
2023.09.25 08:32:07 DEBUG app[][o.s.a.p.ManagedProcessLifecycle] HardStopper-0 tryToMoveTo ElasticSearch from STARTED to HARD_STOPPING => true
2023.09.25 08:32:07 DEBUG app[][o.s.a.p.ManagedProcessLifecycle] HardStopper-0 tryToMoveTo ElasticSearch from HARD_STOPPING to FINALIZE_STOPPING => true
2023.09.25 08:32:07 WARN  app[][o.s.a.p.AbstractManagedProcess] Process exited with exit value [ElasticSearch]: 143
2023.09.25 08:32:07 DEBUG app[][o.s.a.p.ManagedProcessLifecycle] StopWatcher[ElasticSearch] tryToMoveTo ElasticSearch from FINALIZE_STOPPING to HARD_STOPPING => false
2023.09.25 08:32:07 INFO  app[][o.s.a.SchedulerImpl] Process[ElasticSearch] is stopped
2023.09.25 08:32:07 DEBUG app[][o.s.a.NodeLifecycle] HardStopper-0 tryToMoveTo from HARD_STOPPING to FINALIZE_STOPPING => true
2023.09.25 08:32:07 DEBUG app[][o.s.a.NodeLifecycle] HardStopper-0 tryToMoveTo from FINALIZE_STOPPING to STOPPED => true
2023.09.25 08:32:07 INFO  app[][o.s.a.SchedulerImpl] SonarQube is stopped
2023.09.25 08:32:07 DEBUG app[][o.s.a.p.ManagedProcessLifecycle] HardStopper-0 tryToMoveTo ElasticSearch from FINALIZE_STOPPING to STOPPED => true
2023.09.25 08:32:07 DEBUG app[][o.s.a.NodeLifecycle] HardStopper-0 tryToMoveTo from STOPPED to FINALIZE_STOPPING => false
2023.09.25 08:32:07 DEBUG app[][o.s.a.NodeLifecycle] Shutdown Hook tryToMoveTo from STOPPED to STOPPING => false

With normal ldap everything works fine.

We are using Sonar 10.0.2 Developer Edition.

Greetings,
Marja