Dockerized SonarQube - LDAP Authentication issues

Hi Everyone. I’ve got a docker sonarqube deployed, configuration.yaml like so:

I’m trying to get LDAP authentication working. The “backend” is Active Directory. Ideally, what I’d like to achieve is allow only users that are members of a certain group to log into sonarqube but I have hit a bit of a snag even getting the most basic authentication working.

```yaml
version: "3"

services:
  sonarqube:
    image: sonarqube:lts-community
    depends_on:
      - db
    environment:
      SONAR_LOG_LEVEL: DEBUG
      SONAR_LOG_LEVEL_WEB: DEBUG
      SONAR_JDBC_URL: jdbc:postgresql://db:5432/sonar
      SONAR_JDBC_USERNAME: sonar
      SONAR_JDBC_PASSWORD: very-secure-password
      SONAR_SECURITY_REALM: LDAP
      LDAP_AUTHENTICATION: simple
      LDAP_URL: ldap://domaincontroller.mycompany.local:389
      LDAP_BINDDN: CN=svc-sonarqube,OU=Service Accounts,OU=Users,OU=MyBusiness,DC=MyCompany,DC=local
      LDAP_BINDPASSWORD: another-very-secure-password
      LDAP_USER_BASEDN: OU=Standard Users,OU=Users,OU=MyBusiness,DC=MyCompany,DC=local
      LDAP_USER_REQUEST: (&(objectClass=user)(sAMAccountName={login}))
      LDAP_USER_REALNAMEATTRIBUTE: cn
      LDAP_GROUP_BASEDN: OU=Security Groups,OU=MyBusiness,DC=MyCompany,DC=local
    volumes:
      - sonarqube_data:/opt/sonarqube/data
      - sonarqube_extensions:/opt/sonarqube/extensions
      - sonarqube_logs:/opt/sonarqube/logs
    ports:
      - "9000:9000"
  db:
    image: postgres:12
    environment:
      POSTGRES_USER: sonar
      POSTGRES_PASSWORD: very-secure-password
    volumes:
      - postgresql:/var/lib/postgresql
      - postgresql_data:/var/lib/postgresql/data

volumes:
  sonarqube_data:
  sonarqube_extensions:
  sonarqube_logs:
  postgresql:
  postgresql_data:
```

I can see LDAP is working:

```text
2024.01.04 02:21:37 INFO  web[][o.s.a.l.LdapSettingsManager] User mapping: LdapUserMapping{baseDn=OU=Standard Users,OU=Users,OU=MyBusiness,DC=MyCompany,DC=local, request=(&(objectClass=user)(sAMAccountName={0})), realNameAttribute=cn, emailAttribute=mail}
2024.01.04 02:21:37 INFO  web[][o.s.a.l.LdapSettingsManager] Group mapping: LdapGroupMapping{baseDn=OU=Security Groups,OU=MyBusiness,DC=MyCompany,DC=local, idAttribute=cn, requiredUserAttributes=[dn], request=(&(objectClass=groupOfUniqueNames)(uniqueMember={0}))}
2024.01.04 02:21:37 DEBUG web[][o.s.a.l.LdapContextFactory] Initializing LDAP context {java.naming.referral=follow, java.naming.security.principal=CN=svc-sonarqube,OU=Service Accounts,OU=Users,OU=MyBusiness,DC=MyCompany,DC=local, com.sun.jndi.ldap.connect.pool=true, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.provider.url=ldap://domaincontroller.mycompany.local:389, java.naming.security.authentication=simple}
2024.01.04 02:21:37 INFO  web[][o.s.a.l.LdapContextFactory] Test LDAP connection on ldap://domaincontroller.mycompany.local:389: OK
```

However, when I attempt to login using a domain user, I get the “Authentication Failed” message.

I turned the log to “Debug” and got this:

```text
2024.01.04 02:22:08 DEBUG web[][o.a.h.i.n.c.InternalIODispatch] http-outgoing-0 [ACTIVE] [content length: 5378; pos: 5378; completed: true]
2024.01.04 02:22:14 DEBUG web[AYzSRynopGeHrbNHAAAE][o.s.a.l.LdapSearch] Search: LdapSearch{baseDn=OU=Standard Users,OU=Users,OU=MyBusiness,DC=MyCompany,DC=local, scope=subtree, request=(&(objectClass=user)(sAMAccountName={0})), parameters=[johnsmith], attributes=null}
2024.01.04 02:22:14 DEBUG web[AYzSRynopGeHrbNHAAAE][o.s.a.l.LdapContextFactory] Initializing LDAP context {java.naming.referral=follow, java.naming.security.principal=CN=svc-sonarqube,OU=Service Accounts,OU=Users,OU=MyBusiness,DC=MyCompany,DC=local, com.sun.jndi.ldap.connect.pool=true, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.provider.url=ldap://domaincontroller.mycompany.local:389, java.naming.security.authentication=simple}
2024.01.04 02:22:14 DEBUG web[AYzSRynopGeHrbNHAAAE][o.s.a.l.DefaultLdapAuthenticator] User johnsmith not found in <default>
2024.01.04 02:22:14 DEBUG web[AYzSRynopGeHrbNHAAAE][o.s.a.l.DefaultLdapAuthenticator] User johnsmith not found
2024.01.04 02:22:14 DEBUG web[AYzSRynopGeHrbNHAAAE][auth.event] login failure [cause|Realm returned authenticate=false][method|FORM][provider|REALM|ldap][IP|10.0.0.55|114.23.220.104][login|johnsmith]
2024.01.04 02:22:18 DEBUG web[][o.i.http2.Http2] << 0x00000000     8 GOAWAY  
```

Any assistance on what is going wrong here would be much appreciated.

EDIT: This was a scoping issue (aka user error. Doh). All working as expected now. Config above is 100% good.

Thanks for the follow-up!
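The "scoping issue" from the EDIT can be reproduced offline. The script below is an added example, not SonarQube's or the poster's code: it re-enacts the subtree search from the LdapSearch log line (the base DN and LDAP_USER_REQUEST filter are copied from the compose file) against a constructed directory in which johnsmith exists but lives in a sibling OU, so it reports "exists, but outside LDAP_USER_BASEDN" instead of the bare "User not found". It also escapes the login per RFC 4515 before it is substituted into the filter, which the `{login}` placeholder otherwise leaves as a filter-injection surface.

```python
"""Offline re-enactment of SonarQube's LDAP user lookup to expose a scoping failure."""
import re

# Constructed AD-like directory (DN -> attributes), not real data. johnsmith sits in
# OU=Admin Users, a sibling of the configured OU=Standard Users, so a subtree search
# rooted at LDAP_USER_BASEDN never sees him.
DIRECTORY = {
    "CN=Jane Doe,OU=Standard Users,OU=Users,OU=MyBusiness,DC=MyCompany,DC=local":
        {"objectClass": ["user"], "sAMAccountName": "janedoe"},
    "CN=John Smith,OU=Admin Users,OU=Users,OU=MyBusiness,DC=MyCompany,DC=local":
        {"objectClass": ["user"], "sAMAccountName": "johnsmith"},
}
USER_BASEDN = "OU=Standard Users,OU=Users,OU=MyBusiness,DC=MyCompany,DC=local"
USER_REQUEST = "(&(objectClass=user)(sAMAccountName={login}))"

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a login such as 'a*)(cn=*' must not rewrite the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)

def split_dn(dn: str) -> list:
    """Split a DN into case-folded RDNs, honouring backslash-escaped commas."""
    return [rdn.strip().lower() for rdn in re.split(r"(?<!\\),", dn)]

def in_subtree(dn: str, base_dn: str) -> bool:
    """True if dn equals base_dn or lies anywhere beneath it (scope=subtree)."""
    d, b = split_dn(dn), split_dn(base_dn)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def lookup_user(login: str, base_dn: str = USER_BASEDN, directory=DIRECTORY) -> dict:
    """Mimic the realm's search: subtree under base_dn, equality match on sAMAccountName."""
    filt = USER_REQUEST.replace("{login}", escape_filter_value(login))
    hits, out_of_scope = [], []
    for dn, attrs in directory.items():
        # This equality test is what the filter's (sAMAccountName=...) clause evaluates to.
        if "user" not in attrs["objectClass"] or attrs["sAMAccountName"].lower() != login.lower():
            continue
        (hits if in_subtree(dn, base_dn) else out_of_scope).append(dn)
    if hits:
        return {"found": True, "dn": hits[0], "filter": filt}
    # Separate "no such account" from "account exists but outside LDAP_USER_BASEDN".
    return {"found": False, "filter": filt, "out_of_scope": out_of_scope}

if __name__ == "__main__":
    for login in ("janedoe", "johnsmith"):
        print(login, lookup_user(login))
    print("widened base:", lookup_user("johnsmith", "OU=Users,OU=MyBusiness,DC=MyCompany,DC=local"))
```

Widening LDAP_USER_BASEDN to the parent OU (the last call) makes johnsmith resolve, which is the fix the EDIT refers to; keeping the base as narrow as the intended user population is the least-privilege choice.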