LDAP Group Name Mapping


we are using SonarQube LTS 9.9 developer edition and achieved the LDAP integration with our Microsoft Active Directory.
Our instance is rolled out on a Kubernetes Cluster with the official sonarqube Helm chart.

We are successfully using the ldap.user.emailAttribute within the sonar.properties to map the email addresses to use a different AD attribute instead of the default mail property.

We also succeeded in retrieving the appropriate groups for the LDAP users from our AD.
Since our AD administrators are following their own naming scheme regarding the groups and in SonarQube there is also not the possibility to rename the default user group sonar-users we really would appreciate the possibility of a mapping of AD group names to SonarQube group names.

Is there the possibility to have a similar mapping functionality as for the user email addresses? We already have the appropriate SonarQube group names provided within an extension attribute in our AD.


Hey there.

sonar-users is a special group that contains all SonarQube users. It’s not meant to be mapped to an AD Group, and I’m not sure what the benefit of that would even be. Can you help me understand?

This has been ment as an example for a group name clash which would influence the group naming from the effected systems side. We actually have configured this default user group to provide read only access to authenticated users without the possibility to see the source code. But also the other group names to follow the AD group name conventions builds up a dependency that would not be necessary when having a mapping possibility to take the group name from an independent attribute.

Ah, I understand what you’re asking now now.

And… aren’t you just shifting the dependency from the name attribute to another one? Or is the concern that group names might change regularly on the AD side you’d have to play catchup with on the SonarQube side?

Exactly, we want to be independent of group naming in AD.


What you’re asking for isn’t possible today – and I think it’s the first time I’ve heard this suggestion in 5+ years at Sonar (dealing with a lot of LDAP questions!)

I’ve moved your post to our Product Manager for a Day category.