I’m using a brand new instance of SonarQube v8.9.1 LTS hosted on a Debian 10 and I’m trying to configure LDAP external authentication. Our LDAP is an Active Directory 2016.
It’s working great with the “simple” method of authentication, but I’m not an aficionado of passwords being sent in cleartext, so I would like to use the DIGEST-MD5 or at least the CRAM-MD5 method.
Whenever I configure DIGEST-MD5 or CRAM-MD5 I get the following error in web.log:
This is my configuration:
sonar.security.realm=LDAP
ldap.url=ldap://serverURL
ldap.bindDn=DNofAccount
ldap.bindPassword=secret
ldap.authentication= CRAM-MD5
ldap.realm=realm
ldap.user.baseDn=baseDn
ldap.user.request=(&(objectClass=user)(sAMAccountName={login}))
ldap.user.realNameAttribute= displayName
ldap.user.emailAttribute= mail
To be perfectly honest, I don’t really understand what to put in ldap.realm, even after having read the java documentation thousands of times.
At least it’s better than CRAM-MD5, since the method is supported. The LDAP error states that the username exists but the password does not match. The password hasn’t been changed from simple auth, where it’s working well. I don’t understand what is blocking the password from being validated…
The thing is, when using simple auth, the bindDn must be the DN of the binding user (i.e. CN=user_sonar,DC=example,DC=com).
But when using digest auth, bindDn must be the sAMAccountName of the user (i.e. user_sonar). No need for the full DN.
Maybe this precision should be part of the documentation on LDAP integration.
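The two bind configurations the resolution above contrasts, written out side by side as an added example (this is not configuration from the thread or from the SonarQube documentation). The hostname dc01.example.com, the service account user_sonar, the OU paths and the realm value are placeholders; in particular, the assumption that the DIGEST-MD5 SASL realm is the AD domain’s DNS name should be confirmed against the realm your domain controller advertises in its challenge.

```properties
# Added example for sonar.properties; not from the thread or the SonarQube docs.
# Hostnames, account names, OU paths and the realm below are placeholders.

sonar.security.realm=LDAP

# --- Variant A: simple bind. Works, but over ldap:// the bind password
# --- (and every later search) crosses the wire in cleartext.
# ldap.url=ldap://dc01.example.com
# ldap.authentication=simple
# ldap.bindDn=CN=user_sonar,OU=Service Accounts,DC=example,DC=com
# ldap.bindPassword=secret

# --- Variant B: DIGEST-MD5 bind, as the resolution above describes.
ldap.url=ldap://dc01.example.com
ldap.authentication=DIGEST-MD5
# With DIGEST-MD5 the bind identity is the account's sAMAccountName, not its DN.
# Using the full DN here is what produces "username exists but password does not match".
ldap.bindDn=user_sonar
ldap.bindPassword=secret
# Assumption: the SASL realm is the AD domain's DNS name. Verify against your DC.
ldap.realm=example.com

# User lookup settings are identical for both variants.
ldap.user.baseDn=OU=Users,DC=example,DC=com
ldap.user.request=(&(objectClass=user)(sAMAccountName={login}))
ldap.user.realNameAttribute=displayName
ldap.user.emailAttribute=mail
```

Restart SonarQube after changing the file and watch web.log for the LDAP realm initialisation message. Note that DIGEST-MD5 only protects the bind credential exchange itself; the directory searches and the attributes they return still travel unencrypted over ldap://. If the goal is to keep everything off the wire in cleartext, the usual approach is `ldap.url=ldaps://dc01.example.com` (the DC’s certificate chain must be trusted by the SonarQube JVM’s truststore), with which a simple bind using the full DN is acceptable because the whole session is under TLS.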