Group-based Active Directory authentication does not work - 7.9.4

Group-based LDAP authentication does not work

Good night dear

I am having problems with authentication using LDAP (Active Directory) based on Active Directory groups.

I have the “Sonarqube” group and I want to allow only that group to be able to authenticate to SonarQube. But I am not successful in applying the following configuration:

###LDAP CONFIGURATIONS###

#GLOBAL SETTINGS#
sonar.security.realm = LDAP
ldap.url = ldap://192.168.100.108:389
ldap.bindDn=svc.sonarqube@cacauicultor.com.br
ldap.bindPassword=12345@a
ldap.authentication=simple

#USER SETTINGS#
ldap.user.baseDn=OU=USERS_TI,OU=USERS,OU=TI,DC=cacauicultor,DC=com,DC=br
ldap.user.request=(&(objectClass=user)(sAMAccountName={login}))

#GROUP CONFIGURATION#
ldap.group.baseDn=CN=Sonarqube,OU=USERS_TI,OU=USERS,OU=TI,DC=cacauicultor,DC=com,DC=br
ldap.group.request=(&(objectClass=group)(memberUid={uid}))

###END OF LDAP CONFIGURATIONS###

The way it is configured, all AD users have access; that is, the group configuration does not work.

Below are my server settings:

SonarQube version = Community Edition Version 7.9.4 (build 35981)
LDAP plugin = sonar-ldap-plugin-2.2.0.608
Active Directory = Microsoft Windows Server 2012R2

Can someone help me?

Hi,

Welcome to the community!

First, the behavior you’re getting is the behavior as designed: if the user authenticates through LDAP, then she’s in.

As I see it, you have 2 choices:

  • manipulate your LDAP search string to not find users not in your target group. (I’m not an LDAP expert, so I have only the vaguest idea of how to make this work.)
  • on the SonarQube side lock out of your projects users who aren’t in your target group.

With the second option, it doesn’t matter that folks not in the group can get in because once they’re there, they can’t see anything.

 
HTH,
Ann

1 - In the “Group” configuration section, I am specifying the “Sonarqube” group, which is the group of users that should really have access.
2 - All users who are part of the AD have their profile created automatically within the sonar-users group (default) when they first log in. How can I configure this in Sonar so that it does not happen?

Hi,

1- I think this would be more about your search string than your group config…?

2 - All users will be part of the sonar-users group. The trick is to make sure the sonar-users group doesn’t have access to your projects. The security docs might help.

 
Ann

@alanqueiroz

You can ignore the Group Mapping LDAP settings in regard to this. To restrict SonarQube access based on a specific LDAP/AD group membership, restrict the user filter in the ldap.user.request option:

ldap.user.request=(&(objectClass=user)(sAMAccountName={login})(memberOf=CN=ldap-group,OU=groups,DC=example,DC=com))

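The memberOf restriction from the last reply, as an added example that is not part of the original thread or of SonarQube's code: it builds the `ldap.user.request` value with the group DN escaped for use in a filter, and models which users the filter would find. The users, the nested `devs` group and the helper names are constructed for illustration; the in-chain matching rule is an Active Directory feature the thread does not mention, shown because a plain `memberOf` clause does not match members of nested groups.

```python
import re

# AD's LDAP_MATCHING_RULE_IN_CHAIN: makes memberOf follow nested groups.
IN_CHAIN = "1.2.840.113556.1.4.1941"

def escape_filter_value(value):
    """Escape a value for use inside an LDAP filter (RFC 4515)."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def user_request(group_dn, nested=False):
    """Build the ldap.user.request filter restricted to members of group_dn."""
    attr = f"memberOf:{IN_CHAIN}:" if nested else "memberOf"
    return ("(&(objectClass=user)(sAMAccountName={login})"
            f"({attr}={escape_filter_value(group_dn)}))")

def is_member(dn, group_dn, directory, nested, seen=None):
    """Simplified model of how AD evaluates the memberOf clause for one entry."""
    seen = set() if seen is None else seen
    for parent in directory.get(dn, {}).get("memberOf", []):
        if parent.lower() == group_dn.lower():
            return True
        if nested and parent not in seen:
            seen.add(parent)
            if is_member(parent, group_dn, directory, True, seen):
                return True
    return False

# Constructed sample directory (hypothetical users and nested group).
GROUP = "CN=ldap-group,OU=groups,DC=example,DC=com"   # group DN from the reply
DEVS = "CN=devs,OU=groups,DC=example,DC=com"
DIRECTORY = {
    "CN=alice,OU=people,DC=example,DC=com": {"login": "alice", "memberOf": [GROUP]},
    "CN=bob,OU=people,DC=example,DC=com": {"login": "bob", "memberOf": [DEVS]},
    "CN=carol,OU=people,DC=example,DC=com": {"login": "carol", "memberOf": []},
    DEVS: {"memberOf": [GROUP]},
}

def allowed_logins(group_dn, nested=False):
    """Logins whose entry the filter would find, i.e. who can authenticate."""
    return sorted(e["login"] for dn, e in DIRECTORY.items()
                  if "login" in e and is_member(dn, group_dn, DIRECTORY, nested))

if __name__ == "__main__":
    print("ldap.user.request=" + user_request(GROUP))
    print("direct only :", allowed_logins(GROUP))
    print("with nesting:", allowed_logins(GROUP, nested=True))
```

Users that the filter does not return cannot be looked up, so they fail authentication before any account is created in sonar-users.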