Hi Everyone. I’ve got a docker sonarqube deployed, configuration.yaml like so:

```yaml
version: "3"
services:
  sonarqube:
    image: sonarqube:lts-community
    depends_on:
      - db
    environment:
      SONAR_LOG_LEVEL: DEBUG
      SONAR_LOG_LEVEL_WEB: DEBUG
      SONAR_JDBC_URL: jdbc:postgresql://db:5432/sonar
      SONAR_JDBC_USERNAME: sonar
      SONAR_JDBC_PASSWORD: very-secure-password
      SONAR_SECURITY_REALM: LDAP
      LDAP_AUTHENTICATION: simple
      LDAP_URL: ldap://domaincontroller.mycompany.local:389
      LDAP_BINDDN: CN=svc-sonarqube,OU=Service Accounts,OU=Users,OU=MyBusiness,DC=MyCompany,DC=local
      LDAP_BINDPASSWORD: another-very-secure-password
      LDAP_USER_BASEDN: OU=Standard Users,OU=Users,OU=MyBusiness,DC=MyCompany,DC=local
      LDAP_USER_REQUEST: (&(objectClass=user)(sAMAccountName={login}))
      LDAP_USER_REALNAMEATTRIBUTE: cn
      LDAP_GROUP_BASEDN: OU=Security Groups,OU=MyBusiness,DC=MyCompany,DC=local
    volumes:
      - sonarqube_data:/opt/sonarqube/data
      - sonarqube_extensions:/opt/sonarqube/extensions
      - sonarqube_logs:/opt/sonarqube/logs
    ports:
      - "9000:9000"
  db:
    image: postgres:12
    environment:
      POSTGRES_USER: sonar
      POSTGRES_PASSWORD: very-secure-password
    volumes:
      - postgresql:/var/lib/postgresql
      - postgresql_data:/var/lib/postgresql/data
volumes:
  sonarqube_data:
  sonarqube_extensions:
  sonarqube_logs:
  postgresql:
  postgresql_data:
```

I’m trying to get LDAP authentication working. The “backend” is Active Directory. Ideally, what I’d like to achieve is to allow only users that are members of a certain group to log into sonarqube, but I have hit a bit of a snag even getting the most basic authentication working.
I can see LDAP is working:

```
2024.01.04 02:21:37 INFO web[][o.s.a.l.LdapSettingsManager] User mapping: LdapUserMapping{baseDn=OU=Standard Users,OU=Users,OU=MyBusiness,DC=MyCompany,DC=local, request=(&(objectClass=user)(sAMAccountName={0})), realNameAttribute=cn, emailAttribute=mail}
2024.01.04 02:21:37 INFO web[][o.s.a.l.LdapSettingsManager] Group mapping: LdapGroupMapping{baseDn=OU=Security Groups,OU=MyBusiness,DC=MyCompany,DC=local, idAttribute=cn, requiredUserAttributes=[dn], request=(&(objectClass=groupOfUniqueNames)(uniqueMember={0}))}
2024.01.04 02:21:37 DEBUG web[][o.s.a.l.LdapContextFactory] Initializing LDAP context {java.naming.referral=follow, java.naming.security.principal=CN=svc-sonarqube,OU=Service Accounts,OU=Users,OU=MyBusiness,DC=MyCompany,DC=local, com.sun.jndi.ldap.connect.pool=true, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.provider.url=ldap://domaincontroller.mycompany.local:389, java.naming.security.authentication=simple}
2024.01.04 02:21:37 INFO web[][o.s.a.l.LdapContextFactory] Test LDAP connection on ldap://domaincontroller.mycompany.local:389: OK
```
However, when I attempt to log in using a domain user, I get the “Authentication Failed” message.

I turned the log level to “Debug” and got this:

```
2024.01.04 02:22:08 DEBUG web[][o.a.h.i.n.c.InternalIODispatch] http-outgoing-0 [ACTIVE] [content length: 5378; pos: 5378; completed: true]
2024.01.04 02:22:14 DEBUG web[AYzSRynopGeHrbNHAAAE][o.s.a.l.LdapSearch] Search: LdapSearch{baseDn=OU=Standard Users,OU=Users,OU=MyBusiness,DC=MyCompany,DC=local, scope=subtree, request=(&(objectClass=user)(sAMAccountName={0})), parameters=[johnsmith], attributes=null}
2024.01.04 02:22:14 DEBUG web[AYzSRynopGeHrbNHAAAE][o.s.a.l.LdapContextFactory] Initializing LDAP context {java.naming.referral=follow, java.naming.security.principal=CN=svc-sonarqube,OU=Service Accounts,OU=Users,OU=MyBusiness,DC=MyCompany,DC=local, com.sun.jndi.ldap.connect.pool=true, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.provider.url=ldap://domaincontroller.mycompany.local:389, java.naming.security.authentication=simple}
2024.01.04 02:22:14 DEBUG web[AYzSRynopGeHrbNHAAAE][o.s.a.l.DefaultLdapAuthenticator] User johnsmith not found in <default>
2024.01.04 02:22:14 DEBUG web[AYzSRynopGeHrbNHAAAE][o.s.a.l.DefaultLdapAuthenticator] User johnsmith not found
2024.01.04 02:22:14 DEBUG web[AYzSRynopGeHrbNHAAAE][auth.event] login failure [cause|Realm returned authenticate=false][method|FORM][provider|REALM|ldap][IP|10.0.0.55|114.23.220.104][login|johnsmith]
2024.01.04 02:22:18 DEBUG web[][o.i.http2.Http2] << 0x00000000 8 GOAWAY
```
Any assistance on what is going wrong here would be much appreciated.
EDIT: This was a scoping issue (aka user error. Doh). All working as expected now. Config above is 100% good.
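Added example (editor's, not part of the post or of SonarQube): a small POSIX shell script that reproduces, with `ldapsearch`, the searches behind the "User johnsmith not found" lines above, so a scoping problem like this one can be confirmed outside SonarQube. It takes the URL, bind DN, base DNs and user request from the compose file in the post; everything else is an assumption and marked as such in the code: the domain root `DC=MyCompany,DC=local`, an Active Directory group request `(&(objectClass=group)(member={dn}))` (the INFO log in the post shows the plugin's `groupOfUniqueNames`/`uniqueMember` default, which does not match AD groups), and a hypothetical `memberOf` clause that would limit logins to one group, which is the "only members of a certain group" goal stated in the post. The bind password is read from a file (`ldapsearch -y`) rather than put on the command line, and login values are RFC 4515-escaped before substitution so that a login such as `a)(cn=*` cannot rewrite the filter. Note that the post's `ldap://...:389` with `simple` authentication sends the service-account password in cleartext; `ldaps://` (or StartTLS) is the usual fix once things work.

```shell
#!/bin/sh
# Reproduce SonarQube's LDAP lookups with ldapsearch. Added example, not code from the post.
# Settings below are copied from the compose file in the post; items marked "Assumed" are not.
# The bind password is read from the file named by LDAP_BINDPASSWORD_FILE (ldapsearch -y).

LDAP_URL='ldap://domaincontroller.mycompany.local:389'
LDAP_BINDDN='CN=svc-sonarqube,OU=Service Accounts,OU=Users,OU=MyBusiness,DC=MyCompany,DC=local'
LDAP_USER_BASEDN='OU=Standard Users,OU=Users,OU=MyBusiness,DC=MyCompany,DC=local'
LDAP_USER_REQUEST='(&(objectClass=user)(sAMAccountName={login}))'
LDAP_GROUP_BASEDN='OU=Security Groups,OU=MyBusiness,DC=MyCompany,DC=local'
# Assumed: AD-style group request. The post's INFO log shows the plugin default,
# (&(objectClass=groupOfUniqueNames)(uniqueMember={0})), which never matches an AD group.
LDAP_GROUP_REQUEST='(&(objectClass=group)(member={dn}))'
# Assumed: the domain root, searched when the configured base DN does not contain the account.
DOMAIN_ROOT='DC=MyCompany,DC=local'
# Assumed: a user request that only matches direct members of one (hypothetical) group, which is
# how "only members of a certain group may log in" is usually done on the SonarQube side.
RESTRICTED_USER_REQUEST='(&(objectClass=user)(sAMAccountName={login})(memberOf=CN=SonarQube Users,OU=Security Groups,OU=MyBusiness,DC=MyCompany,DC=local))'

# subst STRING TOKEN VALUE: replace every TOKEN in STRING with VALUE using only parameter
# expansion, so '&', '\' and '/' in VALUE cannot be misread (as they would be by sed).
subst() {
  s=$1; out=''
  while case $s in *"$2"*) true ;; *) false ;; esac; do
    out="$out${s%%"$2"*}$3"
    s=${s#*"$2"}
  done
  printf '%s' "$out$s"
}

# escape_filter_value VALUE: RFC 4515 escaping of the four characters that can alter a filter.
# SonarQube does this itself (the log's {0} is a JNDI parameter); this script must do it by hand.
escape_filter_value() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# render_user_filter TEMPLATE LOGIN: the filter SonarQube sends for ldap.user.request.
render_user_filter() { subst "$1" '{login}' "$(escape_filter_value "$2")"; }

# render_group_filter DN: the filter SonarQube sends for ldap.group.request ({dn} = user's DN).
render_group_filter() { subst "$LDAP_GROUP_REQUEST" '{dn}' "$(escape_filter_value "$1")"; }

# search BASE FILTER [ATTR...]: one simple bind as the service account plus a subtree search,
# which is exactly what the "Initializing LDAP context" / "Search:" debug lines describe.
search() {
  base=$1; filter=$2; shift 2
  ldapsearch -LLL -x -H "$LDAP_URL" -D "$LDAP_BINDDN" \
    -y "${LDAP_BINDPASSWORD_FILE:?set LDAP_BINDPASSWORD_FILE to a file holding the bind password}" \
    -b "$base" -s sub "$filter" "$@"
}

# diagnose LOGIN: step 1 is what SonarQube ran; step 2 shows where the account really lives;
# step 3 is the group lookup SonarQube would do once the user is found.
diagnose() {
  f=$(render_user_filter "$LDAP_USER_REQUEST" "$1")
  echo "# 1. SonarQube's search: base=$LDAP_USER_BASEDN filter=$f"
  search "$LDAP_USER_BASEDN" "$f" dn
  echo "# 2. Same filter from $DOMAIN_ROOT (a hit here but not in 1. means ldap.user.baseDn is too narrow)"
  # Note: ldapsearch prints non-ASCII DNs base64-encoded as 'dn:: ...'; those are not picked up here.
  dn=$(search "$DOMAIN_ROOT" "$f" dn | sed -n 's/^dn: //p')
  [ -n "$dn" ] || { echo "no account matches $f anywhere under $DOMAIN_ROOT"; return 1; }
  echo "# 3. Groups SonarQube would map for $dn"
  search "$LDAP_GROUP_BASEDN" "$(render_group_filter "$dn")" cn
  echo "# Restricted request (assumed) for the same login: $(render_user_filter "$RESTRICTED_USER_REQUEST" "$1")"
}

# Usage: LDAP_BINDPASSWORD_FILE=/run/secrets/ldap-bind ./ldapcheck.sh johnsmith
if [ $# -gt 0 ]; then diagnose "$1"; fi
```

Run it with the login that failed; if step 1 returns nothing and step 2 returns a DN outside `OU=Standard Users,...`, the fix is the base DN, not the credentials or the filter, which is the "scoping issue" the EDIT refers to.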