LDAP with Active Directory forest containing multiple sub-domains

Hi all,

I’m trying to configure LDAP in my environement that has an active directory with multiple sub (child) domains.

  • root.domain
  • child1.root.domain
  • child2.root.domain

The users connecting to Sonaqube are located in root AND sub domains.
The sAMAccountName used to login is not unique for some users, because two users with the same sAMAccountName maybe located in two differents (sub)domains.

To resove this I want to use the AD attibute UserPrincipalName (ex : User@root.domain, User@child1.root.domain) to identify users.

So I tried to configure this :

ldap.user.baseDn=dc=root,dc=domain
ldap.user.request=(&(objectClass=user)(UserPrincipalName={login}))

But it doesn’t seems to work.

I have no error in log files, only a message display Authentication Failed for all of my users.
I’ve tried to connect with different combination like : User@child1.root.domain or child1.root.domain\User, etc…
Still no luck.

Has anyone ever been able to set this up?

I’m using SonarQube Developer Edition Version 8.4.2 (build 36762).

Thanks for your help.

Hey there.

Ldapsearch
Our implementation of LDAP is not particularly complex :slight_smile: It takes the configuration that you set and effectively performs an ldapsearch to get information from the LDAP server.

ldapsearch is a command line tool that I believe is installed on most UNIX platforms, and there’s probably a Windows implementation out there.

So if you can find the user via an ldapsearch, SonarQube will be able to find it too given the right configuration. No extra special logic. If there’s an attribute for your users that uniquely identifies them with their domain attached, great. SonarQube doesn’t care too much, it just needs the right inputs to find that user in your LDAP server and pull their info.

Trial and Error
From a SonarQube perspective you are best equipped if you turn on DEBUG level logs (sonar.log.level) in your conf/sonar.properties file) and check the web.log after adjusting your settings, restarting your SonarQube server, and attempting logins. The logs will tell you what’s wrong (or, if we’re optimistic, what’s right!).

And these logs are quite important – because maybe all your inputs are correct, and SonarQube is whining because it finds an e-mail address that already exists. Definitely check these logs out when you attempt logins.

1 Like

Hi Colin,

Thanks for your feedback.

By changing sonar.log.level to DEBUG, I’m now able to see what’s the problem :

2020.09.30 12:10:53 DEBUG web[AXTefhsh8LeSUerMAAAL][auth.event] login failure [cause|Email ‘FirstName.Name@domain.local’ is already used][method|FORM][provider|REALM|LDAP][IP|11.11.11.11|][login|Name@domain.local]

The Email proprerty already exists in SonaQube and that’s true. I already have a lot of users registered through LDAP.

I just want to change ldap.user.request parameters previously set to

ldap.user.request=(&(objectClass=user)( sAMAccountName ={login}))

to

ldap.user.request=(&(objectClass=user)( UserPrincipalName ={login}))

without loosing et re-registering the current users.

Is it possible ?

Thank for your help.
Sebastien