LDAP group based authorization

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    Version 7.3

  • what are you trying to achieve
    LDAP group-level authorisation, i.e. restrict login access at the LDAP group level

  • what have you tried so far to achieve this
    Below is my sonar.properties for LDAP configuration tried. When I try to add filter to allow only members of one LDAP group to login (cn=sonar-restrict-group) no login is successful.

LDAP configuration

General Configuration

sonar.security.realm=LDAP
ldap.url=ldap://ldapserver.org.com
ldap.bindDn=
ldap.bindPassword=

User Configuration

ldap.user.baseDn=cn=users,dc=org,dc=com
ldap.user.request=(&(objectClass=inetOrgPerson)(uid={login}))
ldap.user.realNameAttribute=cn
ldap.user.emailAttribute=mail

Group Configuration

ldap.group.baseDn=cn=groups,dc=org,dc=com
ldap.group.request=(&(objectClass=posixGroup)(cn=sonar-restrict-group)(memberuid={uid}))

Hi,

Generally the strategy is going to be to do the blocking inside SonarQube with what users can see. So, you’d set your project permissions and permission templates (which are automatically applied to newly created projects) to grant Browse only to that group. Then even if people outside that group do log in, they won’t be able to see anything.

Ann

Hello Ann

Is this the intended use of creating user groups without having option of configuring or setting that group to existing projects for the new users to perform the required scanning operation?

Hi @Seetesh_Hindlekar,

Welcome to the community!

It’s not clear to me what you mean here:

When you add a user to a group, she gets all the permissions of the group, so if the group has analysis rights on a project, so does the newly-added user.

Ann

@jibin.jk @ganncamp

You can restrict SonarQube access based on a specific LDAP/AD group membership by restricting the user-filter option on the ldap.user.request:

ldap.user.request=(&(objectClass=user)(sAMAccountName={login})(memberOf=CN=ldap-group,OU=groups,DC=example,DC=com))

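To make the difference between the two approaches in this thread concrete, here is an added, self-contained model of the two lookups an LDAP authenticator performs: a user search with {login} substituted, followed by a group search with {uid}/{dn} substituted. It is example code written for this thread, not the SonarQube LDAP plugin's code, and the directory entries (alice, bob, sonar-restrict-group) are constructed. It shows that a membership condition placed only in ldap.group.request changes which groups a user is mapped to but still lets every matching user through the user lookup, whereas the same condition placed in ldap.user.request (the memberOf form from the last reply) makes the user lookup return nothing for non-members. The memberOf variant assumes the directory exposes a memberOf attribute on user entries, which Active Directory does natively and OpenLDAP only with the memberof overlay; a posixGroup/memberUid layout like the original poster's does not provide it by itself.

```python
"""Toy model of the two LDAP lookups: user search, then group search.
Constructed example for this thread; not the SonarQube LDAP plugin's code."""

# Constructed sample directory: one group, one member (alice), one non-member (bob).
DIRECTORY = [
    {"dn": "cn=alice,cn=users,dc=org,dc=com",
     "attrs": {"objectClass": ["inetOrgPerson"], "uid": ["alice"],
               "memberOf": ["cn=sonar-restrict-group,cn=groups,dc=org,dc=com"]}},
    {"dn": "cn=bob,cn=users,dc=org,dc=com",
     "attrs": {"objectClass": ["inetOrgPerson"], "uid": ["bob"]}},
    {"dn": "cn=sonar-restrict-group,cn=groups,dc=org,dc=com",
     "attrs": {"objectClass": ["posixGroup"], "cn": ["sonar-restrict-group"],
               "memberUid": ["alice"]}},
]


def parse_filter(text):
    """Parse an RFC 4515 style filter into a nested tuple tree.
    Supports &, |, ! and attr=value ('*' as the value means presence)."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos} in {text!r}")
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        op = text[pos]
        if op in "&|":
            pos += 1
            items = []
            while text[pos] == "(":
                items.append(node())
            expect(")")
            return (op, items)
        if op == "!":
            pos += 1
            inner = node()
            expect(")")
            return ("!", inner)
        end = text.index(")", pos)          # simple filter: attr=value
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr, value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against one directory entry."""
    kind = tree[0]
    if kind == "&":
        return all(matches(t, entry) for t in tree[1])
    if kind == "|":
        return any(matches(t, entry) for t in tree[1])
    if kind == "!":
        return not matches(tree[1], entry)
    _, attr, wanted = tree
    # Attribute names are case-insensitive in LDAP; values are compared
    # case-insensitively here, as caseIgnore and DN syntaxes do.
    values = [v for name, vs in entry["attrs"].items()
              if name.lower() == attr.lower() for v in vs]
    if wanted == "*":
        return bool(values)
    return any(v.lower() == wanted.lower() for v in values)


def search(base_dn, filter_template, params, directory=DIRECTORY):
    """Substitute {placeholders} into the template, then return matching entries under base_dn."""
    flt = filter_template
    for key, value in params.items():
        flt = flt.replace("{" + key + "}", value)
    tree = parse_filter(flt)
    return [e for e in directory
            if e["dn"].lower().endswith("," + base_dn.lower()) and matches(tree, e)]


def lookup_user(user_request, login):
    """Step 1: the user search. Exactly one hit lets the login proceed
    (the password bind is not modelled); no hit means the login is refused."""
    hits = search("cn=users,dc=org,dc=com", user_request, {"login": login})
    return hits[0] if len(hits) == 1 else None


def lookup_groups(group_request, user_entry):
    """Step 2: the group search, which only decides which groups the user is mapped to."""
    params = {"uid": user_entry["attrs"]["uid"][0], "dn": user_entry["dn"]}
    return sorted(g["attrs"]["cn"][0]
                  for g in search("cn=groups,dc=org,dc=com", group_request, params))


# Filters as posted in the thread (posixGroup/memberUid layout).
ORIGINAL_USER_REQUEST = "(&(objectClass=inetOrgPerson)(uid={login}))"
ORIGINAL_GROUP_REQUEST = "(&(objectClass=posixGroup)(cn=sonar-restrict-group)(memberuid={uid}))"
# Membership condition moved into the user request, as the last reply suggests.
# Assumption: user entries carry memberOf (AD natively; OpenLDAP via the memberof overlay).
RESTRICTED_USER_REQUEST = ("(&(objectClass=inetOrgPerson)(uid={login})"
                           "(memberOf=cn=sonar-restrict-group,cn=groups,dc=org,dc=com))")


def outcome(user_request, group_request, login):
    """Return (login_allowed, mapped_groups) for one login attempt."""
    user = lookup_user(user_request, login)
    if user is None:
        return (False, [])
    return (True, lookup_groups(group_request, user))


if __name__ == "__main__":
    for login in ("alice", "bob"):
        print("group request only :", login, outcome(ORIGINAL_USER_REQUEST, ORIGINAL_GROUP_REQUEST, login))
        print("user request filter:", login, outcome(RESTRICTED_USER_REQUEST, ORIGINAL_GROUP_REQUEST, login))
```

With the thread's original filters, bob (not a member) still passes the user lookup and simply ends up with no mapped groups; with the membership condition in the user request, bob's lookup returns no entry and the login is refused before any group mapping happens. Either way, Ann's point stands: project permissions inside SonarQube decide what a logged-in user can see, so the LDAP filter and the permission templates are complementary controls rather than alternatives.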