LDAP with 2 domain controllers: connect OK but cannot authenticate users

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    SonarQube Enterprise Edition Version 9.9
  • how is SonarQube deployed: zip, Docker, Helm
    Zip
  • what are you trying to achieve
    LDAP authenticate users in different domain with 2 controllers
  • what have you tried so far to achieve this
    Follow SonarQube Doc to configure multiple controllers.

If I configure each controller as below, both can authenticate users successfully:
```properties
ldap.url=ldap://server1.com:3268
ldap.bindDn=xxx
ldap.bindPassword=xxx
ldap.user.baseDn=xxx
ldap.user.request=(&(objectClass=user)(sAMAccountName={login}))
ldap.user.realNameAttribute=cn
```

But when I add them together with multiple servers property as below, connection test is OK, but authenticate users fails:
```properties
ldap.servers=server1,server2
# server1
ldap.server1.url=ldap://server1.com:3268
ldap.server1.bindDn=xxx
ldap.server1.bindPassword=xxx
ldap.server1.user.baseDn=xxx
ldap.server1.user.request=(&(objectClass=user)(sAMAccountName={login}))
ldap.server1.user.realNameAttribute=cn
# server2 (same host as server1 in this test)
ldap.server2.url=ldap://server1.com:3268
ldap.server2.bindDn=xxx
ldap.server2.bindPassword=xxx
ldap.server2.user.baseDn=xxx
ldap.server2.user.request=(&(objectClass=user)(sAMAccountName={login}))
ldap.server2.user.realNameAttribute=cn
```
Could you give me some hint, where could be the problem? Thank you!
Regards,
Lu

Hi Lu,

What shows up in your web.log server log for a failed authentication attempt? Note that I think you need to turn logging up to DEBUG to get the most relevant log lines.

Ann

Hi Ann,
Thanks for your hint!
The same LDAP server, if I configure it as multiple servers with

```properties
ldap.servers=server1,server2
```

I get this error in web.log:

```
DEBUG web[xxxxx][auth.event] login failure [cause|Email 'xxx' is already used][method|FORM][provider|REALM|ldap][IP|xxxxxx|][login|xxx]
```

Without this property, my login is successful (only 1 domain controller). Does SonarQube take the same account as a different account with the same email address in this case?

Hi,

Just to make sure, your user can authenticate without error with either server1 or server2 when only one of them is configured? It’s only when both are configured that there’s a problem?

My understanding of the error you’re getting is that it indicates that SonarQube thinks the user account belongs to a different system than the server that’s trying to auth it (essentially).

Also, as the next investigation step, it might be worth using an independent LDAP client to test authentication against the two servers to see if they return identical results for a given user, or if there’s some variation between them.

Ann
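The following is an added example, not code from the thread or from SonarQube itself. It models the behaviour Ann describes (SonarQube treating the account as belonging to a different system) and builds the command for the independent-client check she suggests. Everything about SonarQube's internals here is my assumption, not something the thread states: that an external user is keyed by the pair (identity-provider key, external login); that a single-server LDAP configuration uses the provider key `LDAP_default` while `ldap.servers=server1,server2` yields `LDAP_server1` and `LDAP_server2`; and that an unknown pair is registered as a new user, which is refused when its e-mail already belongs to another user. The user name `lu`, the address `lu@example.com`, the bind DN and the base DN are constructed.

```python
"""Added example (not from the thread or from SonarQube's code base).

Two things are modelled with constructed data:
  1. the lookup that decides whether an LDAP login maps onto an existing
     SonarQube user or is treated as a brand-new one, and the e-mail
     uniqueness check that then produces "Email '...' is already used";
  2. the ldapsearch command for checking, with an independent client, what
     each domain controller returns for the same account.

Assumptions (mine, not stated in the thread): an external user is keyed by
(identity-provider key, external login); a single-server LDAP config uses
provider key "LDAP_default" and ldap.servers=server1,server2 uses
"LDAP_server1" / "LDAP_server2"; an unknown pair is registered as a new user,
which is refused when its e-mail already belongs to another user.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ExternalIdentity:
    provider: str  # "LDAP_default", "LDAP_server1", ... (assumed key format)
    login: str     # value that matched {login} in ldap.user.request


@dataclass
class User:
    login: str
    email: Optional[str]
    identity: ExternalIdentity


def provider_key(server_key: Optional[str]) -> str:
    """Provider key assumed for an ldap.servers entry (None = single-server config)."""
    return "LDAP_default" if server_key is None else f"LDAP_{server_key}"


def register(users: list[User], ident: ExternalIdentity, email: Optional[str]) -> User:
    """Return the user owning exactly this identity, or create a new one.

    Raises ValueError with the message seen in web.log when a *different*
    identity (other provider key or other login) already holds the e-mail.
    """
    for u in users:
        if u.identity == ident:
            return u  # same realm key and same login: an ordinary repeat login
    if email is not None:
        for u in users:
            if u.email is not None and u.email.lower() == email.lower():
                raise ValueError(f"Email '{email}' is already used")
    user = User(login=ident.login, email=email, identity=ident)
    users.append(user)
    return user


def replay_thread() -> list[str]:
    """Single-server login first, then the same account via ldap.servers=server1,server2."""
    users: list[User] = []
    events: list[str] = []
    steps = [(None, "lu"), ("server1", "lu"), ("server2", "lu")]  # constructed login
    for server_key, login in steps:
        key = provider_key(server_key)
        try:
            register(users, ExternalIdentity(key, login), "lu@example.com")  # constructed
            events.append(f"{key}: ok")
        except ValueError as exc:
            events.append(f"{key}: login failure [cause|{exc}]")
    return events


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping so a login such as 'a*)(b' cannot alter the search filter."""
    return "".join(f"\\{ord(ch):02x}" if ch in "\\*()\0" else ch for ch in value)


def ldapsearch_argv(url: str, bind_dn: str, base_dn: str, login: str) -> list[str]:
    """argv for an OpenLDAP-client query mirroring the thread's ldap.user.request filter.

    -W prompts for the bind password rather than taking -w on the command line,
    where it would be visible in `ps`.  Run once per controller and diff the
    outputs.  ldap:// on 3268 sends the simple bind in clear text; prefer
    ldaps:// on 3269 or -ZZ (StartTLS) where the controllers offer it.
    """
    flt = f"(&(objectClass=user)(sAMAccountName={ldap_filter_escape(login)}))"
    attrs = ["sAMAccountName", "cn", "mail", "userPrincipalName"]
    return ["ldapsearch", "-LLL", "-x", "-H", url, "-D", bind_dn, "-W", "-b", base_dn, flt, *attrs]


if __name__ == "__main__":
    import shlex
    for line in replay_thread():
        print(line)
    print(shlex.join(ldapsearch_argv("ldap://server1.com:3268", "CN=svc,DC=example,DC=com",
                                     "DC=example,DC=com", "lu")))
```

Under these assumptions the replay reproduces the thread exactly: the first login through the single-server configuration creates the user under `LDAP_default`, and every later login through a keyed server arrives as an unknown identity whose e-mail is already taken, hence `Email '...' is already used` even when both keys point at the same controller. Whether the real registrar behaves this way is what the `web.log` DEBUG lines and the independent `ldapsearch` comparison (same `mail` and `sAMAccountName` from both controllers?) are meant to confirm.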