I’m having an issue understanding the install process for the LDAP authentication. I have it working with simple authentication but I need to get it working with Digest-MD5 and I don’t really understand the instructions on the Java website. Below is my config file:
# Enable the LDAP feature
**sonar.security.realm=LDAP**
# sonar.authenticator.downcase=true
**ldap.url=ldap://corp.domain.com:389**
**ldap.bindDn=CN=BindAccount,OU=Service Account OU,DC=CORP,DC=Domain,DC=COM**
# Bind Password is the password of the user to connect with. Leave this blank for anonymous access to the LDAP directory (optional)
**ldap.bindPassword=EncryptedPassword**
# Possible values: simple | CRAM-MD5 | DIGEST-MD5 | GSSAPI See http://java.sun.com/products/jndi/tutorial/ldap/security/auth.html (default: simple)
ldap.authentication=DIGEST-MD5
# See :
# * http://java.sun.com/products/jndi/tutorial/ldap/security/digest.html
# * http://java.sun.com/products/jndi/tutorial/ldap/security/crammd5.html
# (optional)
# ldap.realm=example.org
# Context factory class (optional)
# ldap.contextFactoryClass=com.sun.jndi.ldap.LdapCtxFactory
# Enable usage of StartTLS (default : false)
# ldap.StartTLS=true
# Follow or not referrals. See http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html (default: true)
# ldap.followReferrals=false
# USER MAPPING
# Distinguished Name (DN) of the root node in LDAP from which to search for users (mandatory)
**ldap.user.baseDn=DC=CORP,DC=Domain,DC=COM**
# LDAP user request. (default: (&(objectClass=inetOrgPerson)(uid={login})) )
**ldap.user.request=(&(objectClass=user)(mail={login}))**
# Attribute in LDAP defining the user’s real name. (default: cn)
**ldap.user.realNameAttribute=cn**
# Attribute in LDAP defining the user’s email. (default: mail)
**ldap.user.emailAttribute=mail**
# GROUP MAPPING
# Distinguished Name (DN) of the root node in LDAP from which to search for groups. (optional, default: empty)
**ldap.group.baseDn=OU=Groups,DC=CORP,DC=Domain,DC=COM**
# LDAP group request (default: (&(objectClass=groupOfUniqueNames)(uniqueMember={dn})) )
**ldap.group.request=(&(objectClass=group)(member={dn}))**
# Property used to specify the attribute to be used for returning the list of user groups in the compatibility mode. (default: cn)
# ldap.group.idAttribute=sAMAccountName
What changes do I need to make? What do I specify at the realm? Are the changes just made in the first file or do they need to be made elsewhere? Sign in is working with the settings I’ve made bold.
Any help would be really appreciated!
Thanks in advance
My first question is about the **s I see before and after certain key-value pairs in your pasted configuration. Did you add those here for emphasis, or are they in your working file? Because they would interfere with the reading of your config file values.
Digest-MD5 authentication is the required authentication mechanism for LDAP v3 servers
The fact that you have it working with simple authentication implies that it’s not an LDAP v3 server, which means it doesn’t support Digest-MD5 authentication…?
You should probably talk to your LDAP administrator. That person is really the best qualified to help you with this.
The issue that I have here is that essentially I am the LDAP admin but I do not have access to SonarQube itself, so I have provided the information for the properties file but don’t want our Active Directory sign-ins being plain text. A better way to phrase the question would be: where is the authentication environment file hosted? Is this a file on the SonarQube server?
Thanks, we have the encryption set up to hide plain text in the properties file. It’s just the Digest-MD5 we can’t get working. My properties are below:
# LDAP CONFIGURATION
# Enable the LDAP feature
sonar.security.realm=LDAP
# URL of the LDAP server. Note that if you are using ldaps, then you should install the server certificate into the Java truststore.
ldap.url=ldap://corp.domain.com:636
# Bind DN is the username of an LDAP user to connect (or bind) with. Leave this blank for anonymous access to the LDAP directory (optional)
ldap.bindDn=CN=service account,OU=Service Accounts,DC=CORP,DC=Domain,DC=COM
# Bind Password is the password of the user to connect with. Leave this blank for anonymous access to the LDAP directory (optional)
ldap.bindPassword={aes-gcm}encryptedPassword
# Possible values: simple | CRAM-MD5 | DIGEST-MD5 | GSSAPI See http://java.sun.com/products/jndi/tutorial/ldap/security/auth.html (default: simple)
ldap.authentication=DIGEST-MD5
# See :
# * http://java.sun.com/products/jndi/tutorial/ldap/security/digest.html
# * http://java.sun.com/products/jndi/tutorial/ldap/security/crammd5.html
# (optional)
#ldap.realm=ldap://corp.navex01.com:389
ldap.realm=corp.domain.com
# Enable usage of StartTLS (default : false)
ldap.StartTLS=true
# USER MAPPING
# Distinguished Name (DN) of the root node in LDAP from which to search for users (mandatory)
ldap.user.baseDn=DC=CORP,DC=Domain,DC=COM
# LDAP user request. (default: (&(objectClass=inetOrgPerson)(uid={login})) )
ldap.user.request=(&(objectClass=user)(mail={login}))
# Attribute in LDAP defining the user’s real name. (default: cn)
ldap.user.realNameAttribute=cn
# Attribute in LDAP defining the user’s email. (default: mail)
ldap.user.emailAttribute=mail
# GROUP MAPPING
# Distinguished Name (DN) of the root node in LDAP from which to search for groups. (optional, default: empty)
ldap.group.baseDn=OU=Security Groups,DC=CORP,DC=Domain,DC=COM
# LDAP group request (default: (&(objectClass=groupOfUniqueNames)(uniqueMember={dn})) )
ldap.group.request=(&(objectClass=group)(member={dn}))
The logs I get back are:
2023.02.28 08:17:43 INFO web[][o.s.p.ProcessEntryPoint] Starting web
2023.02.28 08:17:44 INFO web[][o.a.t.u.n.NioSelectorPool] Using a shared selector for servlet write/read
2023.02.28 08:17:44 INFO web[][o.s.c.e.CoreExtensionsLoader] Loaded core extensions: Community Branch Plugin
2023.02.28 08:17:44 INFO web[][o.s.s.e.EsClientProvider] Connected to local Elasticsearch: [http://127.0.0.1:9001]
2023.02.28 08:17:45 INFO web[][o.s.s.p.LogServerVersion] SonarQube Server / 8.9.9.56886 / f7ef403a1f66dde923eda25b58df08d40a16e043
2023.02.28 08:17:45 INFO web[][o.sonar.db.Database] Create JDBC data source for jdbc:sqlserver://10.64.110.38:1433;databaseName=sonar
2023.02.28 08:17:47 INFO web[][o.s.s.p.ServerFileSystemImpl] SonarQube home: C:\SonarQube\sonarqube-8.9.9.56886
2023.02.28 08:17:47 INFO web[][o.s.s.u.SystemPasscodeImpl] System authentication by passcode is disabled
2023.02.28 08:17:47 INFO web[][o.s.s.p.ServerPluginManager] Deploy plugin C# Code Quality and Security / 8.22.0.31243 / e3cee7838d992e31dcdd90cf4f7406bb20535e8e
2023.02.28 08:17:47 INFO web[][o.s.s.p.ServerPluginManager] Deploy plugin CSS Code Quality and Security / 1.4.2.2002 / faa7d4f1407df67df7ada53caf677ab783721173
2023.02.28 08:17:47 INFO web[][o.s.s.p.ServerPluginManager] Deploy plugin Community Branch Plugin / 1.8.0 / null
2023.02.28 08:17:47 INFO web[][o.s.s.p.ServerPluginManager] Deploy plugin Flex Code Quality and Security / 2.6.1.2564 / bb723840701bda72510b7a47742811d20daad331
2023.02.28 08:17:47 INFO web[][o.s.s.p.ServerPluginManager] Deploy plugin Go Code Quality and Security / 1.8.3.2219 / d6ad7a5a47fc4785d2e80918fb7424be46e38a7f
2023.02.28 08:17:47 INFO web[][o.s.s.p.ServerPluginManager] Deploy plugin HTML Code Quality and Security / 3.4.0.2754 / 38f7ff864ae15152c9f1efc3014594f7e7ca7b6e
2023.02.28 08:17:47 INFO web[][o.s.s.p.ServerPluginManager] Deploy plugin JaCoCo / 1.1.1.1157 / 83478572b9f23efac29de15e30c7758bbb0c0e47
2023.02.28 08:17:47 INFO web[][o.s.s.p.ServerPluginManager] Deploy plugin Java Code Quality and Security / 6.15.1.26025 / 1b1e96715bfa9f6a4ae24e95cc5b91f0edce609f
2023.02.28 08:17:47 INFO web[][o.s.s.p.ServerPluginManager] Deploy plugin JavaScript/TypeScript Code Quality and Security / 7.4.4.15624 / 481b2e69339b016b5d7d1eb27f0abf20dd6bd961
2023.02.28 08:17:47 INFO web[][o.s.s.p.ServerPluginManager] Deploy plugin Kotlin Code Quality and Security / 1.8.3.2219 / d6ad7a5a47fc4785d2e80918fb7424be46e38a7f
2023.02.28 08:17:47 INFO web[][o.s.s.p.ServerPluginManager] Deploy plugin PHP Code Quality and Security / 3.17.0.7439 / 44c7760147080c157fa0ff579772f92d3c8e1ebf
2023.02.28 08:17:47 INFO web[][o.s.s.p.ServerPluginManager] Deploy plugin Python Code Quality and Security / 3.4.1.8066 / 22139ec73fb2f32044f66477ea52734415683668
2023.02.28 08:17:47 INFO web[][o.s.s.p.ServerPluginManager] Deploy plugin Ruby Code Quality and Security / 1.8.3.2219 / d6ad7a5a47fc4785d2e80918fb7424be46e38a7f
2023.02.28 08:17:47 INFO web[][o.s.s.p.ServerPluginManager] Deploy plugin Scala Code Quality and Security / 1.8.3.2219 / d6ad7a5a47fc4785d2e80918fb7424be46e38a7f
2023.02.28 08:17:47 INFO web[][o.s.s.p.ServerPluginManager] Deploy plugin SonarQube CNES Report / 4.1.2 / null
2023.02.28 08:17:47 INFO web[][o.s.s.p.ServerPluginManager] Deploy plugin VB.NET Code Quality and Security / 8.22.0.31243 / e3cee7838d992e31dcdd90cf4f7406bb20535e8e
2023.02.28 08:17:47 INFO web[][o.s.s.p.ServerPluginManager] Deploy plugin XML Code Quality and Security / 2.2.0.2973 / 16002945f0725643a7b42f090572795dd8b72a0f
2023.02.28 08:17:48 INFO web[][o.s.s.p.d.m.c.MssqlCharsetHandler] Verify that database collation is case-sensitive and accent-sensitive
2023.02.28 08:17:49 INFO web[][o.s.s.p.w.MasterServletFilter] Initializing servlet filter org.sonar.server.platform.web.WebServiceFilter@5f878f6b [pattern=UrlPattern{inclusions=[/api/system/migrate_db.*, ...], exclusions=[/api/components/update_key, ...]}]
2023.02.28 08:17:49 INFO web[][o.s.s.a.EmbeddedTomcat] HTTP connector enabled on port 80
2023.02.28 08:17:50 INFO web[][o.s.s.p.UpdateCenterClient] Update center: https://update.sonarsource.org/update-center.properties (no proxy)
2023.02.28 08:17:51 INFO web[][o.s.s.s.LogServerId] Server ID: 8FE34BAB-AXLG3zj-msBqnaQ-kKhu
2023.02.28 08:17:52 INFO web[][org.sonar.INFO] Security realm: LDAP
2023.02.28 08:17:52 INFO web[][o.s.a.l.LdapSettingsManager] User mapping: LdapUserMapping{baseDn=DC=CORP,DC=DOMAIN,DC=COM, request=(&(objectClass=user)(mail={0})), realNameAttribute=cn, emailAttribute=mail}
2023.02.28 08:17:52 INFO web[][o.s.a.l.LdapSettingsManager] Group mapping: LdapGroupMapping{baseDn=OU=Security Groups,DC=CORP,DC=DOMAIN,DC=COM, idAttribute=cn, requiredUserAttributes=[dn], request=(&(objectClass=group)(member={0}))}
2023.02.28 08:17:52 INFO web[][o.s.a.l.LdapContextFactory] Test LDAP connection: FAIL
2023.02.28 08:17:52 ERROR web[][o.s.s.p.Platform] Background initialization failed. Stopping SonarQube
org.sonar.api.utils.SonarException: Security realm fails to start: Unable to open LDAP connection
at org.sonar.server.user.SecurityRealmFactory.start(SecurityRealmFactory.java:93)
at org.sonar.core.platform.StartableCloseableSafeLifecyleStrategy.start(StartableCloseableSafeLifecyleStrategy.java:40)
at org.picocontainer.injectors.AbstractInjectionFactory$LifecycleAdapter.start(AbstractInjectionFactory.java:84)
at org.picocontainer.behaviors.AbstractBehavior.start(AbstractBehavior.java:169)
at org.picocontainer.behaviors.Stored$RealComponentLifecycle.start(Stored.java:132)
at org.picocontainer.behaviors.Stored.start(Stored.java:110)
at org.picocontainer.DefaultPicoContainer.potentiallyStartAdapter(DefaultPicoContainer.java:1016)
at org.picocontainer.DefaultPicoContainer.startAdapters(DefaultPicoContainer.java:1009)
at org.picocontainer.DefaultPicoContainer.start(DefaultPicoContainer.java:767)
at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:136)
at org.sonar.server.platform.platformlevel.PlatformLevel.start(PlatformLevel.java:90)
at org.sonar.server.platform.platformlevel.PlatformLevel4.start(PlatformLevel4.java:581)
at org.sonar.server.platform.PlatformImpl.start(PlatformImpl.java:213)
at org.sonar.server.platform.PlatformImpl.startLevel34Containers(PlatformImpl.java:187)
at org.sonar.server.platform.PlatformImpl.access$500(PlatformImpl.java:46)
at org.sonar.server.platform.PlatformImpl$1.lambda$doRun$0(PlatformImpl.java:120)
at org.sonar.server.platform.PlatformImpl$AutoStarterRunnable.runIfNotAborted(PlatformImpl.java:370)
at org.sonar.server.platform.PlatformImpl$1.doRun(PlatformImpl.java:120)
at org.sonar.server.platform.PlatformImpl$AutoStarterRunnable.run(PlatformImpl.java:354)
at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: org.sonar.auth.ldap.LdapException: Unable to open LDAP connection
at org.sonar.auth.ldap.LdapContextFactory.testConnection(LdapContextFactory.java:214)
at org.sonar.auth.ldap.LdapRealm.init(LdapRealm.java:63)
at org.sonar.server.user.SecurityRealmFactory.start(SecurityRealmFactory.java:87)
... 19 common frames omitted
Caused by: javax.naming.NamingException: LDAP response read timed out, timeout used:-1ms.
at java.naming/com.sun.jndi.ldap.Connection.readReply(Connection.java:434)
at java.naming/com.sun.jndi.ldap.LdapClient.extendedOp(LdapClient.java:1200)
at java.naming/com.sun.jndi.ldap.LdapCtx.extendedOperation(LdapCtx.java:3278)
at java.naming/javax.naming.ldap.InitialLdapContext.extendedOperation(InitialLdapContext.java:184)
at org.sonar.auth.ldap.LdapContextFactory.createInitialDirContext(LdapContextFactory.java:119)
at org.sonar.auth.ldap.LdapContextFactory.createBindContext(LdapContextFactory.java:95)
at org.sonar.auth.ldap.LdapContextFactory.testConnection(LdapContextFactory.java:210)
... 21 common frames omitted
2023.02.28 08:17:52 INFO web[][o.s.p.ProcessEntryPoint] Hard stopping process
Are there any obvious things I’m getting wrong in the properties file?
It looks like your LDAP server isn’t responding (quickly enough?).
Can you check with your network folks to make sure there’s not something “helpful” on the network blocking the call once you start trying to use DIGEST-MD5?
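An added example, not part of the thread and not SonarQube code: a small Python lint for the ldap.* settings posted above. It flags pasted `**` markers, a simple bind with no TLS, and an ldap:// URL on port 636; that last check assumes port 636 is the usual LDAPS listener, and the function names and finding codes are invented for this sketch.

```python
import re

DEFAULT_PORT = {"ldap": 389, "ldaps": 636}

def parse_properties(text):
    """Simplified .properties reader: '#'/'!' start comments, split on first '='."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def lint_ldap(text):
    """Return (code, message) findings; codes are names invented for this example."""
    props = parse_properties(text)
    findings = []
    # Bold markers pasted into the file become part of the key and value,
    # so a line like **ldap.url=...** never sets ldap.url at all.
    marked = [k.strip("*") for k, v in props.items()
              if k.startswith("**") or v.endswith("**")]
    if marked:
        findings.append(("markdown-markers", "'**' wraps: " + ", ".join(marked)))
    m = re.match(r"(ldaps?)://[^:/\s]+(?::(\d+))?", props.get("ldap.url", ""))
    scheme = m.group(1) if m else None
    port = int(m.group(2)) if m and m.group(2) else DEFAULT_PORT.get(scheme)
    start_tls = props.get("ldap.StartTLS", "false").lower() == "true"
    auth = props.get("ldap.authentication", "simple").lower()
    if scheme == "ldap" and port == 636:
        # Assumption: 636 is the LDAPS listener, which expects a TLS handshake
        # first, so a plain LDAP request (StartTLS included) may get no reply.
        findings.append(("plain-ldap-on-636", "use ldaps://host:636, or ldap://host:389 with StartTLS"))
    if scheme == "ldaps" and start_tls:
        findings.append(("starttls-on-ldaps", "ldaps:// is already TLS; drop ldap.StartTLS"))
    if auth == "simple" and scheme != "ldaps" and not start_tls:
        findings.append(("cleartext-simple-bind", "simple bind sends the password unencrypted"))
    return findings

# Excerpts of the two configurations posted in the thread.
FIRST_POST = "**sonar.security.realm=LDAP**\n**ldap.url=ldap://corp.domain.com:389**\nldap.authentication=DIGEST-MD5\n"
SECOND_POST = "ldap.url=ldap://corp.domain.com:636\nldap.authentication=DIGEST-MD5\nldap.StartTLS=true\n"

if __name__ == "__main__":
    for name, cfg in (("first", FIRST_POST), ("second", SECOND_POST)):
        for code, msg in lint_ldap(cfg):
            print(f"{name}: {code}: {msg}")
```

On the second configuration it reports plain-ldap-on-636, which is worth ruling out because the posted stack trace times out inside LdapClient.extendedOp, reached from LdapContextFactory.createInitialDirContext.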