How to guide LDAP users for login and permission?

  • using version: SonarQube 7.9.2 LTS (CE & DE)
  • problem and trying behavior
    • I’ve set up the SonarQube LDAP configuration successfully.
    • However, the LDAP account is not in the SonarQube system until the user logs in, so I cannot give appropriate permission to the account before login.
    • Our company ALM system operates as follows:
      1. git push source code to Azure DevOps’s git repository.
      2. Azure DevOps triggers SonarQube to analyze the source code.
      3. I change the SonarQube project from public to private for security reasons.
      4. I inform the person in charge of the source code of the SonarQube login method.
      5. However, the person can log in to SonarQube with the LDAP account but cannot access the project due to insufficient permission.
      6. After the person logs in, the LDAP account is created automatically, so I can grant the right permission to the account.
        -> How can the LDAP user access the project with the right permission at FIRST login time?

Greetings,

A few things to dig into.

It’s also possible to set new projects to be private by default, see the documentation on Project Existence.

If you want all newly created projects to be considered “Private”, you can change the default visibility in Administration > Projects > Management.

There are a few ways to tackle this.

If you make good use of Group Mapping and assign Project Permissions to LDAP groups instead of individual users, your users will belong to the right groups upon logging into SonarQube for the first time. We generally advise assigning permissions to groups instead of individual users.

(Bonus) Permission Templates allow you to set the default permissions for projects, including projects that meet a certain Project Key pattern. This can come in handy if you have projects that will meet a certain format and can assign permissions based on team, department, etc.

Your other option is to pre-provision individual users using the POST api/users/create Web API and setting the local query parameter to false. This way you can start assigning permissions to users (as if you had created a local user), and they’ll be transitioned to an LDAP-authenticated user when they log in, keeping the individual permissions you assigned.

One more option would be to identify who should be allowed to create SonarQube projects in your organization (as you put it, the people “in charge of the source code”), assign them (or better, an LDAP Group!) the Create Projects permission in SonarQube and make sure that in the permission template that will apply to the project, Creators have the right permissions. This way, users can be self-sufficient in provisioning SonarQube projects. Less work for you!
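
The pre-provisioning option from the reply above, as an added example that is not part of the original thread: it builds the `POST api/users/create` call with `local=false` for each user, followed by `api/permissions/add_user` calls granting the `user` (Browse) and `codeviewer` (See Source Code) permissions on the private project. The server URL, token placeholder, project key and user list are constructed sample values, and each `login` is assumed to match the login the user will authenticate with over LDAP.

```python
"""Pre-provision LDAP users in SonarQube and grant project access before first login."""
import base64
import urllib.parse
import urllib.request

# "Browse" and "See Source Code": what a user needs to open a private project.
BROWSE_PERMISSIONS = ("user", "codeviewer")


def build_post(base_url, token, path, params):
    """Build (without sending) a form-encoded POST authenticated with a token."""
    # A SonarQube token is sent as the basic-auth username with an empty password.
    auth = base64.b64encode(f"{token}:".encode()).decode()
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/{path}",
        data=urllib.parse.urlencode(params).encode(),
        headers={"Authorization": f"Basic {auth}"},
        method="POST",
    )


def provisioning_requests(base_url, token, project_key, users):
    """Return, in order, the requests that create each user and grant access."""
    requests = []
    for user in users:
        # local=false: SonarQube stores no password; LDAP authenticates the user.
        requests.append(build_post(base_url, token, "api/users/create", {
            "login": user["login"], "name": user["name"], "local": "false"}))
        for permission in BROWSE_PERMISSIONS:
            requests.append(build_post(base_url, token, "api/permissions/add_user", {
                "login": user["login"], "permission": permission,
                "projectKey": project_key}))
    return requests


def describe(request):
    """Summarise a request as (method, url, params) for a dry run or review."""
    params = dict(urllib.parse.parse_qsl(request.data.decode()))
    return request.get_method(), request.full_url, params


if __name__ == "__main__":
    # Constructed sample values; replace with your server, token and LDAP logins.
    planned = provisioning_requests(
        "https://sonarqube.example.com", "<ADMIN_TOKEN>", "my-private-project",
        [{"login": "jdoe", "name": "Jane Doe"}])
    for req in planned:
        print(*describe(req))  # dry run; send with urllib.request.urlopen(req)
```

Run as written, it only prints the planned calls, so the list can be reviewed before anything is sent with an administrator token.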
