Changing authentication to LDAPS

Our company is using SonarQube 7.9.4 (LTS) with Java 11 running on a Windows Server 2016 Standard.

Due to the upcoming LDAP deactivation through Windows Updates, we tried to change the authentication to LDAPS (according to the guides and config in sonar.properties / https://docs.sonarqube.org/7.9/instance-administration/delegated-auth )

Setting the corresponding configuration parameters in the sonar.properties (url and port = ldaps://server:636) did not succeed. Also tried to add our root certificate to the Java trust store and set the starttls to true, but no change. (I’m not quite sure if I did this part with the cert correctly and it’s really using it.)

Result of all tests: Domain Controller still receives non secure ldap requests from SonarQube, even when ldap.url is set to ldaps on port 636 and the authentication seems to work “properly”.

Hi,

Welcome to the community!

What errors are you getting?

Ann

Hi Ann,

No errors from SonarQube side when changing the config to ldaps.

From DC eventlog:
The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.

Sam

Hi @sam.g,

If you enable DEBUG logs (set sonar.log.level=DEBUG in your configuration file), $SONAR_HOME/logs/web.log will contain more details about LDAP authentication. Perhaps this can give us some more insight.

Meanwhile, is ldap.StartTLS always set to true? Can you double check that:

  • ldap.url is correct (protocol, domain, and port; ldaps://host:636)
  • ldap.StartTLS is false

and then try again? LDAP over TLS is not the same as LDAPS, and setting this flag to true might be the reason it’s failing.
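The two settings being compared here (ldap.url scheme and ldap.StartTLS) can be checked mechanically before restarting the service. The following is an added example, not SonarQube's own code: it reads the ldap.* keys from a sonar.properties text and reports the combinations that either send clear-text binds (ldap:// without StartTLS) or conflict with each other (ldaps:// together with ldap.StartTLS=true). The two property snippets are constructed samples; the hostname dc.example.internal is a placeholder.

```python
"""Consistency check for the LDAP keys in a SonarQube sonar.properties file.

Added example (not SonarQube's code). It flags the combinations discussed in
the thread: ldaps:// plus ldap.StartTLS=true (conflict), and ldap:// without
StartTLS (clear-text binds, which is what the DC event log complains about).
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: LDAPS *and* StartTLS, the combination reported as failing.
BROKEN_PROPERTIES = """
sonar.security.realm=LDAP
ldap.url=ldaps://dc.example.internal:636
ldap.StartTLS=true
ldap.bindDn=CN=sonar,OU=svc,DC=example,DC=internal
"""

# Constructed sample: LDAPS only, StartTLS switched off.
FIXED_PROPERTIES = """
sonar.security.realm=LDAP
ldap.url=ldaps://dc.example.internal:636
ldap.StartTLS=false
ldap.bindDn=CN=sonar,OU=svc,DC=example,DC=internal
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value (or key:value), '#'/'!' comments, no escapes."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        sep = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if sep < 0:
            continue
        props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def check_ldap_settings(text):
    """Return a list of (severity, message); an empty list means the TLS setup is consistent."""
    props = parse_properties(text)
    findings = []
    if props.get("sonar.security.realm") != "LDAP":
        findings.append(("warn", "sonar.security.realm is not LDAP; ldap.* keys are ignored"))
    url = props.get("ldap.url")
    if not url:
        findings.append(("error", "ldap.url is not set"))
        return findings
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    starttls = props.get("ldap.StartTLS", "false").strip().lower() == "true"
    try:
        port = parts.port
    except ValueError:
        return findings + [("error", f"ldap.url has a non-numeric port: {url}")]

    if scheme == "ldaps":
        if starttls:
            findings.append(("error", "ldap.StartTLS=true with an ldaps:// URL: LDAPS is TLS from the first byte, "
                                      "StartTLS upgrades a plaintext session; set ldap.StartTLS=false"))
        if port not in (None, 636):
            findings.append(("warn", f"ldaps:// on port {port}; Active Directory serves LDAPS on 636"))
        try:
            ipaddress.ip_address(parts.hostname or "")
            findings.append(("warn", "ldap.url uses an IP address; the JVM verifies the DC certificate against "
                                     "the host in ldap.url, so use the DNS name the certificate was issued for"))
        except ValueError:
            pass  # a DNS name, which is what we want
    elif scheme == "ldap":
        if not starttls:
            findings.append(("error", "ldap:// without StartTLS: binds reach the DC in clear text"))
        elif port == 636:
            findings.append(("error", "StartTLS on port 636: that port expects TLS immediately, use ldaps://"))
    else:
        findings.append(("error", f"unsupported scheme in ldap.url: {scheme or '(none)'}"))
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_PROPERTIES), ("fixed", FIXED_PROPERTIES)):
        print(label, check_ldap_settings(text) or "OK")
```

Run it against a copy of the real sonar.properties (for example `check_ldap_settings(open(path).read())`) before the restart; the same check is cheap to keep in a deployment pipeline so a later edit cannot quietly fall back to ldap://:389.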

Hi @Wouter_Admiraal,

Thanks for your contribution. I’ve set the log to debug and made the test twice:

  1. setting ldaps://host:636 and starttls false did not start up the SonarQube service correctly (it stops a few seconds after starting it)
  2. setting back to ldap://host:389 and the service started - login works and verified in web.log.

The log writes the following when using ldap.url with ldaps 636:

2020.09.21 08:44:18 INFO  web[][o.s.p.l.LdapContextFactory] Test LDAP connection: FAIL
2020.09.21 08:44:18 ERROR web[][o.s.s.p.Platform] Background initialization failed. Stopping SonarQube
org.sonar.api.utils.SonarException: Security realm fails to start: Unable to open LDAP connection
	at org.sonar.server.user.SecurityRealmFactory.start(SecurityRealmFactory.java:93)
	at org.sonar.core.platform.StartableCloseableSafeLifecyleStrategy.start(StartableCloseableSafeLifecyleStrategy.java:40)
	at org.picocontainer.injectors.AbstractInjectionFactory$LifecycleAdapter.start(AbstractInjectionFactory.java:84)
	at org.picocontainer.behaviors.AbstractBehavior.start(AbstractBehavior.java:169)
	at org.picocontainer.behaviors.Stored$RealComponentLifecycle.start(Stored.java:132)
	at org.picocontainer.behaviors.Stored.start(Stored.java:110)
	at org.picocontainer.DefaultPicoContainer.potentiallyStartAdapter(DefaultPicoContainer.java:1016)
	at org.picocontainer.DefaultPicoContainer.startAdapters(DefaultPicoContainer.java:1009)
	at org.picocontainer.DefaultPicoContainer.start(DefaultPicoContainer.java:767)
	at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:135)
	at org.sonar.server.platform.platformlevel.PlatformLevel.start(PlatformLevel.java:90)
	at org.sonar.server.platform.platformlevel.PlatformLevel4.start(PlatformLevel4.java:545)
	at org.sonar.server.platform.Platform.start(Platform.java:211)
	at org.sonar.server.platform.Platform.startLevel34Containers(Platform.java:185)
	at org.sonar.server.platform.Platform.access$500(Platform.java:46)
	at org.sonar.server.platform.Platform$1.lambda$doRun$0(Platform.java:119)
	at org.sonar.server.platform.Platform$AutoStarterRunnable.runIfNotAborted(Platform.java:371)
	at org.sonar.server.platform.Platform$1.doRun(Platform.java:119)
	at org.sonar.server.platform.Platform$AutoStarterRunnable.run(Platform.java:355)
	at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: org.sonar.plugins.ldap.LdapException: Unable to open LDAP connection
	at org.sonar.plugins.ldap.LdapContextFactory.testConnection(LdapContextFactory.java:211)
	at org.sonar.plugins.ldap.LdapRealm.init(LdapRealm.java:63)
	at org.sonar.server.user.SecurityRealmFactory.start(SecurityRealmFactory.java:87)
	... 19 common frames omitted
Caused by: javax.naming.CommunicationException: simple bind failed: chbeidsp153.tierverkehr.ch:636
	at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
	at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2795)
	at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:320)
	at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
	at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
	at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
	at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
	at java.naming/javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:730)
	at java.naming/javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
	at java.naming/javax.naming.InitialContext.init(InitialContext.java:236)
	at java.naming/javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
	at org.sonar.plugins.ldap.LdapContextFactory.createInitialDirContext(LdapContextFactory.java:134)
	at org.sonar.plugins.ldap.LdapContextFactory.createBindContext(LdapContextFactory.java:96)
	at org.sonar.plugins.ldap.LdapContextFactory.testConnection(LdapContextFactory.java:207)
	... 21 common frames omitted
Caused by: java.net.SocketException: Connection or outbound has closed
	at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:976)
	at java.base/java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:81)
	at java.base/java.io.BufferedOutputStream.flush(BufferedOutputStream.java:142)
	at java.naming/com.sun.jndi.ldap.Connection.writeRequest(Connection.java:398)
	at java.naming/com.sun.jndi.ldap.Connection.writeRequest(Connection.java:371)
	at java.naming/com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359)
	at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
	... 34 common frames omitted
2020.09.21 08:44:18 DEBUG web[][o.s.s.p.Platform] Background initialization of SonarQube done
2020.09.21 08:44:18 INFO  web[][o.s.p.ProcessEntryPoint] Hard stopping process
2020.09.21 08:44:18 DEBUG web[][o.s.s.a.TomcatAccessLog] Tomcat is stopped
2020.09.21 08:45:50 INFO  web[][o.s.p.ProcessEntryPoint] Starting web

Thank you
Sam
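The useful part of a trace like the one above is the innermost "Caused by" entry and the frames under it: here the bottom of the chain is a SocketException raised inside sun.security.ssl while JNDI was writing the bind request, which means the TLS layer closed the socket before any LDAP operation happened. The following added example (not SonarQube's code) walks a web.log excerpt, collects the exception chain from outermost to root cause, and classifies which layer failed so the next check is the right one. The embedded log is a constructed excerpt that keeps the shape of the trace posted above with the hostname replaced by a placeholder; the hints it prints are general JVM/LDAPS troubleshooting guidance, not output of SonarQube.

```python
"""Triage the exception chain of a failed 'Test LDAP connection' in SonarQube's web.log.

Added example (not SonarQube's code). Finds the root cause of the chain and
maps it to the layer that broke (TLS handshake, DNS, TCP, or the LDAP bind).
"""
import re

# Constructed excerpt modelled on the trace in the thread; hostname is a placeholder.
WEB_LOG = """\
2020.09.21 08:44:18 INFO  web[][o.s.p.l.LdapContextFactory] Test LDAP connection: FAIL
2020.09.21 08:44:18 ERROR web[][o.s.s.p.Platform] Background initialization failed. Stopping SonarQube
org.sonar.api.utils.SonarException: Security realm fails to start: Unable to open LDAP connection
\tat org.sonar.server.user.SecurityRealmFactory.start(SecurityRealmFactory.java:93)
Caused by: org.sonar.plugins.ldap.LdapException: Unable to open LDAP connection
\tat org.sonar.plugins.ldap.LdapContextFactory.testConnection(LdapContextFactory.java:211)
\t... 19 common frames omitted
Caused by: javax.naming.CommunicationException: simple bind failed: dc.example.internal:636
\tat java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
Caused by: java.net.SocketException: Connection or outbound has closed
\tat java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:976)
\tat java.naming/com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359)
2020.09.21 08:44:18 INFO  web[][o.s.p.ProcessEntryPoint] Hard stopping process
"""

# A line that starts an exception: optional "Caused by: ", a class name ending in Exception/Error, a message.
EXC_RE = re.compile(r"^(?:Caused by: )?([A-Za-z_][\w.$]*(?:Exception|Error)): (.*)$")

HINTS = {
    "tls": "TLS closed the socket before the bind was written: the handshake was rejected, not the credentials. "
           "Check the truststore the SonarQube JVM really uses (sonar.web.javaAdditionalOpts with "
           "-Djavax.net.ssl.trustStore=...) and that the DC certificate chain and hostname match ldap.url; "
           "-Djavax.net.debug=ssl:handshake in the same option shows the handshake in web.log.",
    "dns": "The host in ldap.url does not resolve from the SonarQube server.",
    "tcp": "TCP connection refused or timed out: port closed or filtered between SonarQube and the DC.",
    "ldap-bind": "TLS and TCP are fine; the DC rejected the bind DN or password.",
    "unknown": "No known pattern; read the innermost 'Caused by' entry by hand.",
}


def extract_cause_chain(log_text):
    """Return [(exception_class, message, [frames]), ...] from outermost to root cause."""
    chain = []
    for line in log_text.splitlines():
        m = EXC_RE.match(line)
        if m:
            chain.append((m.group(1), m.group(2).strip(), []))
        elif chain and line[:1] in " \t" and line.strip().startswith("at "):
            chain[-1][2].append(line.strip()[3:])
    return chain


def triage_web_log(log_text):
    """Classify the failure of the LDAP connection test recorded in log_text."""
    result = {
        "ldap_test_failed": "Test LDAP connection: FAIL" in log_text,
        "root_cause": None,
        "root_message": None,
        "layer": "unknown",
    }
    chain = extract_cause_chain(log_text)
    if not chain:
        return result
    cls, msg, frames = chain[-1]
    result["root_cause"], result["root_message"] = cls, msg
    if any("sun.security.ssl" in f for f in frames):
        result["layer"] = "tls"
    elif cls.endswith("UnknownHostException"):
        result["layer"] = "dns"
    elif cls.endswith("ConnectException") or "Connection refused" in msg:
        result["layer"] = "tcp"
    elif cls.endswith("AuthenticationException"):
        result["layer"] = "ldap-bind"
    result["hint"] = HINTS[result["layer"]]
    return result


if __name__ == "__main__":
    r = triage_web_log(WEB_LOG)
    print(f"LDAP test failed: {r['ldap_test_failed']}")
    print(f"root cause: {r['root_cause']}: {r['root_message']}")
    print(f"layer: {r['layer']}\n{r['hint']}")
```

Feed it the real web.log with `triage_web_log(open(path, encoding="utf-8").read())`; on a healthy LDAPS start the DEBUG log carries no "Caused by" chain for the connection test and the function reports `ldap_test_failed` as False.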

Thanks for the extra info. I take it you can make requests over LDAPS using other methods? I.e., other services use it over LDAPS, or you can ping it using some other remote tool over LDAPS?

Yes, we’re using LDAPS on many other products / services which are working properly.

OK. Well, in that case, can you give us some excerpts from your logs in DEBUG mode (startup binding + a successful authentication), so we can see how the communication with LDAP is doing?