LDAP Authentication with Dgiest MD5 - help please!

SonarQube Server / Community Build
1

Hi All,

I’m having an issue understanding the install process for the LDAP authentication. I have it working with simple authentication but I need to get it working with Digest-MD5 and I don’t really understand the instructions on the Java website. Below is my config file:

# Enable the LDAP feature
**sonar.security.realm=LDAP**
# sonar.authenticator.downcase=true
**ldap.url=ldap://corp.domain.com:389**

**ldap.bindDn=CN=BindAccount,OU=Service Account OU,DC=CORP,DC=Domain,DC=COM**

# Bind Password is the password of the user to connect with. Leave this blank for anonymous access to the LDAP directory (optional)
**ldap.bindPassword=EncryptedPassword**

# Possible values: simple | CRAM-MD5 | DIGEST-MD5 | GSSAPI See http://java.sun.com/products/jndi/tutorial/ldap/security/auth.html (default: simple)
ldap.authentication=DIGEST-MD5

# See :
#   * http://java.sun.com/products/jndi/tutorial/ldap/security/digest.html
#   * http://java.sun.com/products/jndi/tutorial/ldap/security/crammd5.html
# (optional)
# ldap.realm=example.org

# Context factory class (optional)
# ldap.contextFactoryClass=com.sun.jndi.ldap.LdapCtxFactory

# Enable usage of StartTLS (default : false)
# ldap.StartTLS=true

# Follow or not referrals. See http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html (default: true)
# ldap.followReferrals=false

# USER MAPPING

# Distinguished Name (DN) of the root node in LDAP from which to search for users (mandatory)
**ldap.user.baseDn=DC=CORP,DC=Domain,DC=COM**

# LDAP user request. (default: (&(objectClass=inetOrgPerson)(uid={login})) )
**ldap.user.request=(&(objectClass=user)(mail={login}))**

# Attribute in LDAP defining the user’s real name. (default: cn)
**ldap.user.realNameAttribute=cn**

# Attribute in LDAP defining the user’s email. (default: mail)
**ldap.user.emailAttribute=mail**

# GROUP MAPPING

# Distinguished Name (DN) of the root node in LDAP from which to search for groups. (optional, default: empty)
**ldap.group.baseDn=OU=Groups,DC=CORP,DC=Domain,DC=COM**

# LDAP group request (default: (&(objectClass=groupOfUniqueNames)(uniqueMember={dn})) )
**ldap.group.request=(&(objectClass=group)(member={dn}))**

# Property used to specifiy the attribute to be used for returning the list of user groups in the compatibility mode. (default: cn)
# ldap.group.idAttribute=sAMAccountName

What changes do I need to make? What do I specify at the realm? Are the changes just made in the first file or do they need to be made elsewhere? Sign in is working with the settings I’ve made bold.
Any help would be really appreciated!
Thanks in advance

2

Hi,

My first question is about the **s I see before and after certain key-value pairs in your pasted configuration. Did you add those here for emphasis, or are they in your working file? Because they would interfere with the reading of your config file values.

Since according to the tutorial linked in the docs,

Digest-MD5 authentication is the required authentication mechanism for LDAP v3 servers

The fact that you have it working with simple authentication implies that it’s not an LDAP v3 server, which means it doesn’t support Digest-MD5 authentication…?

You should probably talk to your LDAP administrator. That person is really the best qualified to help you with this.

 
Ann

3

Hi Ann,

Really appreciate you replying to this.

The issue that I have here is that essentially I am the LDAP admin but I do not have access to Sonarqube itself, so I have provided the information for the properties file but don’t want our active directory sign in’s being plain text. A better way to phrase the question would be where is the authentication environment file hosted, is this a file on the sonarqube server?

4

Hi,

That configuration you posted earlier is part of the sonar.conf file, which lives in $SONARQUBE-HOME/conf. Note that settings encryption is available.

Does that help?

 
Ann

6

Hi,

It looks like your LDAP server isn’t responding (quickly enough?).

Can you check with your network folks to make sure there’s not something “helpful” on the network blocking the call once you start trying to use DIGEST-MD5?

 
Ann