LDAP (FreeIPA) Grouping on SonarQube

Hello all!
Recently I’ve been trying to integrate our SonarQube server with the FreeIPA server to enable users that only belong to sonar-users or sonar-administrators authenticate successful.
Although the user mapping worked very quickly and the users are pulled from the LDAP server, the grouping in need seems not to be applicable and everyone (even those with no assigned sonarqube group from the LDAP) can access the SonarQube server with their LDAP credentials (and are put by default to the sonar-users group that exists by default on SonarQube).
On the sonarqube logs I can see the following:

web.log:2023.01.20 10:43:46 DEBUG web[AYXOWMTlZF+pQQIdAAAF][o.s.s.a.UserRegistrarImpl] List of groups returned by the identity provider ‘
web.log:2023.01.20 11:02:53 DEBUG web[AYXOaoAaOgv9AiXOAAAF][o.s.s.a.UserRegistrarImpl] List of groups returned by the identity provider ‘

The needed groups were created prior to the configuration on our LDAP

What I want to achieve instead:

Only users that have either sonar-users or sonar-administrators group assigned on the LDAP should be able to authenticate successfully on SonarQube.

What I have tried:

GENERAL LDAP CONF

sonar.security.realm=LDAP
ldap.url=ldap://myldap
ldap.bindDn=uid=bind-user,cn=users,cn=accounts,dc=company,dc=com
ldap.bindPassword=somepass
ldap.authentication=simple

USER MAPPING

ldap.user.baseDn=cn=users,cn=accounts,dc=company,dc=com
ldap.user.request=(&(objectClass=inetOrgPerson)(uid={login}))
ldap.user.realNameAttribute=cn
ldap.user.emailAttribute=mail

GROUP MAPPING

ldap.group.baseDn=ou=groups,dc=company,dc=com
ldap.group.request=(&(objectClass=posixGroup)(memberUid={uid}))

SonarQube Version: Version 9.3 (build 51899) - Developer Edition

Any suggestions on how I should address the issue?
Thank you.

Hi,

Per the docs

  • Membership in the default group sonar-users remains (this is a built-in group) even if the group does not exist in the identity provider

This means that every user will be added to this default group, and you cannot prevent that by revoking sonar-user membership in your IDP.

What you need to do is revoke the sonar-user group’s Browse permissions on existing projects and create a new group (in both places) to manage project visibility.

Regarding the ability to authenticate at all, you may be able to get what you want by more narrowly crafting your user lookup parameters, but I suspect that will be more trouble than it’s worth.

 
HTH,
Ann