Integration with LDAP - DIGEST

Hi everyone,

I’m using a brand new instance of SonarQube v8.9.1 LTS hosted on a Debian 10 and I’m trying to configure LDAP external authentication. Our LDAP is an Active Directory 2016.

It’s working great with the “simple” method of authentication, but I’m not an aficionado of passwords being sent as cleartext, so I would like to use the DIGEST-MD5 or at least the CRAM-MD5 method.

Whenever I configure DIGEST-MD5 or CRAM-MD5 I get the following error in web.log:

Caused by: javax.naming.AuthenticationNotSupportedException: [LDAP: error code 7 - 00002027: LdapErr: DSID-0C09060C, comment: Invalid Authentication method, data 0, v3839]

This is my configuration:
sonar.security.realm=LDAP
ldap.url=ldap://serverURL
ldap.bindDn=DNofAccount
ldap.bindPassword=secret
ldap.authentication=CRAM-MD5
ldap.realm=realm
ldap.user.baseDn=baseDn
ldap.user.request=(&(objectClass=user)(sAMAccountName={login}))
ldap.user.realNameAttribute=displayName
ldap.user.emailAttribute=mail

To be perfectly honest, I don’t really understand what to put in ldap.realm, even after having read the java documentation thousands of times.

Thanks for your help.


Hello,

I’ve tried some more tests and this is what happens when setting the auth to digest and the log level to debug:

2021.06.16 10:20:40 DEBUG web[javax.security.sasl] SASLIMPL01:Preferred qop property: null
2021.06.16 10:20:40 DEBUG web[javax.security.sasl] SASLIMPL02:Preferred qop mask: 1
2021.06.16 10:20:40 DEBUG web[javax.security.sasl] SASLIMPL03:Preferred qops : 1
2021.06.16 10:20:40 DEBUG web[javax.security.sasl] SASLIMPL04:Preferred strength property: null
2021.06.16 10:20:40 DEBUG web[javax.security.sasl] SASLIMPL05:Cipher strengths: 4 2 1
2021.06.16 10:20:40 DEBUG web[javax.security.sasl] DIGEST60:Explicitly specified cipher: null
2021.06.16 10:20:40 DEBUG web[javax.security.sasl] DIGEST11:Directive qop = auth,auth-int,auth-conf
2021.06.16 10:20:40 DEBUG web[javax.security.sasl] DIGEST11:Directive cipher = 3des,rc4
2021.06.16 10:20:40 DEBUG web[javax.security.sasl] DIGEST11:Directive algorithm = md5-sess
2021.06.16 10:20:40 DEBUG web[javax.security.sasl] DIGEST11:Directive nonce = +Upgraded+v1b63c647147992/redacted/
2021.06.16 10:20:40 DEBUG web[javax.security.sasl] DIGEST11:Directive charset = utf-8
2021.06.16 10:20:40 DEBUG web[javax.security.sasl] DIGEST11:Directive realm = /redacted/
2021.06.16 10:20:40 DEBUG web[javax.security.sasl] DIGEST61:Raw send size: 0
2021.06.16 10:20:40 DEBUG web[javax.security.sasl] DIGEST05:A2: AUTHENTICATE:ldap//redacted/
2021.06.16 10:20:40 DEBUG web[javax.security.sasl] DIGEST06:HEX(H(A2)): 3198f8253c/redacted/
2021.06.16 10:20:40 DEBUG web[javax.security.sasl] DIGEST07:H(CN/redacted/:qPeQqN6e0ONJeO/redacted/) = 431a17/redacted/
2021.06.16 10:20:40 DEBUG web[javax.security.sasl] DIGEST08:H(A1) = 3b1e7aa6/redacted/
2021.06.16 10:20:40 DEBUG web[javax.security.sasl] DIGEST09:KD: 3b1e7aa685573fbbe022bf/redaced/
2021.06.16 10:20:40 DEBUG web[javax.security.sasl] DIGEST10:response-value: fdbb9bed88708aa3214/redacted/
2021.06.16 10:20:40 INFO web[o.s.a.l.LdapContextFactory] Test LDAP connection: FAIL

At least it’s better than CRAM-MD5, since the method is supported. The LDAP error states that the username exists but the password does not match. The password hasn’t been changed from simple auth, where it’s working well. I don’t understand what is blocking the password from being validated… :frowning:

Regards.

Hey everyone,

Finally got it to work.

The thing is, when using simple auth, the bindDn must be the DN of the binding user (i.e., CN=user_sonar,DC=example,DC=com).
But when using digest auth, bindDn must be the sAMAccountName of the user (i.e., user_sonar). No need for the full DN.

Maybe this precision should be part of the documentation on LDAP integration.

Hope this will help someone one day :slight_smile:

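The DIGEST07 to DIGEST10 steps from the debug log above, and why the bind identity has to be the sAMAccountName rather than the DN, as an added worked example (this is not SonarQube’s or the JDK SASL code; the realm, nonces, digest-uri and the account table are constructed values, not the redacted ones from the log):

```python
import hashlib
import hmac

# Constructed account table: sAMAccountName -> password. It stands in for what
# the server looks up when verifying a DIGEST-MD5 bind; the key is the short
# account name, not the distinguished name.
DIRECTORY = {"user_sonar": "secret"}


def h(data: str) -> bytes:
    """H(s) from RFC 2831: raw 16-byte MD5 of the UTF-8 encoded string."""
    return hashlib.md5(data.encode("utf-8")).digest()


def digest_md5_response(username, realm, password, nonce, cnonce, nc, qop, digest_uri):
    """Client response-value for algorithm=md5-sess, qop=auth (RFC 2831 2.1.2.1).

    The steps mirror the DIGEST05..DIGEST10 lines in the debug log.
    """
    # DIGEST07: H(username:realm:password), kept as raw bytes for md5-sess
    inner = h(f"{username}:{realm}:{password}")
    # DIGEST08: H(A1) with A1 = H(user:realm:pw) ":" nonce ":" cnonce
    hex_ha1 = hashlib.md5(inner + f":{nonce}:{cnonce}".encode("utf-8")).hexdigest()
    # DIGEST05/06: A2 = "AUTHENTICATE:" digest-uri (no body hash for qop=auth)
    hex_ha2 = hashlib.md5(f"AUTHENTICATE:{digest_uri}".encode("utf-8")).hexdigest()
    # DIGEST09/10: response = HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2))))
    kd_input = f"{hex_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{hex_ha2}"
    return hashlib.md5(kd_input.encode("utf-8")).hexdigest()


def server_verify(username, realm, nonce, cnonce, nc, qop, digest_uri, response):
    """Server side: look the account up by the name the client sent and recompute.

    The username is both the lookup key and a term hashed into A1, so a client
    that sends a full DN as its username never matches the stored account.
    """
    password = DIRECTORY.get(username)
    if password is None:
        return False
    expected = digest_md5_response(username, realm, password, nonce, cnonce, nc, qop, digest_uri)
    return hmac.compare_digest(expected, response)
```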
