Group-based Active Directory authentication does not work - 7.9.4

Group-based LDAP authentication does not work

Good night dear

I am having problems with authentication using LDAP (Active Directory) based on Active Directory groups.

I have the “Sonarqube” group and I want to allow only that group to be able to authenticate to SonarQube. But I am not successful in applying the following configuration:

###LDAP CONFIGURATIONS###

#GLOBAL SETTINGS#
sonar.security.realm = LDAP
ldap.url = ldap://192.168.100.108:389
ldap.bindDn=svc.sonarqube@cacauicultor.com.br
ldap.bindPassword=12345@a
ldap.authentication=simple

#USER SETTINGS#
ldap.user.baseDn=OU=USERS_TI,OU=USERS,OU=TI,DC=cocoa grower,DC=com,DC=en
ldap.user.request=(&(objectClass=user)(sAMAccountName={login}))

#GROUP CONFIGURATION#
ldap.group.baseDn=CN=Sonarqube,OU=USERS_TI,OU=USERS,OU=TI,DC=cocoa grower, DC=com,DC=us
ldap.group.request=(&(objectClass=group)(memberUid={uid}))

###END OF LDAP CONFIGURATIONS###

That way it is configured all AD users have access, that is, the group configuration does not work.

Below my server settings:

SonarQube version = Community Edition Version 7.9.4 (build 35981)
LDAP plugin = sonar-ldap-plugin-2.2.0.608
Active Directory = Microsoft Windows Server 2012R2

Can someone help me ??

Hi,

Welcome to the community!

First, the behavior you’re getting is the behavior as designed: if the user authenticates through LDAP, then she’s in.

As I see it, you have 2 choices:

  • manipulate your LDAP search string to not find users not in your target group. (I’m not an LDAP expert, so I have only the vaguest idea of how to make this work.)
  • on the SonarQube side lock out of your projects users who aren’t in your target group.

With the second option, it doesn’t matter that folks not in the group can get in because once they’re there, they can’t see anything.

 
HTH,
Ann

1 - In the “Group” configuration section, I am informing the “Sonarqube” group, which is the group of users that should really have access.
2 - All users who are part of the AD, when making the first access have their profile created automatically within the group sonar-users (default) how to configure via sonar so that this does not happen?

Hi,

1- I think this would be more about your search string than your group config…?

2 - All users will be part of the sonar-users group. The trick is to make sure the sonar-users group doesn’t have access to your projects. The security docs might help.

 
Ann