LDAPS connection fails where LDAP succeeds

Template for a good bug report, formatted with Markdown:

  • Versions used (SonarQube, Scanner, Plugin, and any relevant extension)
    dockerized SonarQube 8-community
  • Error observed (wrap logs/code around triple quote ``` for proper formatting)
    Server will not start when LDAP connection is to Global LDAPS port 3269
2020.04.07 01:44:40 INFO  web[][o.s.s.s.LogServerId] Server ID: REDACTED
2020.04.07 01:44:40 INFO  web[][org.sonar.INFO] Security realm: LDAP
2020.04.07 01:44:40 INFO  web[][o.s.a.l.LdapSettingsManager] User mapping: LdapUserMapping{baseDn=dc=corporate,dc=local, request=(&(objectClass=user)(objectCategory=Person)(cn={0})), realNameAttribute=cn, emailAttribute=mail}
2020.04.07 01:44:40 INFO  web[][o.s.a.l.LdapSettingsManager] Groups will not be synchronized, because property 'ldap.group.baseDn' is empty.
2020.04.07 01:44:41 INFO  web[][o.s.a.l.LdapContextFactory] Test LDAP connection: FAIL
2020.04.07 01:44:41 ERROR web[][o.s.s.p.Platform] Background initialization failed. Stopping SonarQube
org.sonar.api.utils.SonarException: Security realm fails to start: Unable to open LDAP connection
	at org.sonar.server.user.SecurityRealmFactory.start(SecurityRealmFactory.java:93)
	at org.sonar.core.platform.StartableCloseableSafeLifecyleStrategy.start(StartableCloseableSafeLifecyleStrategy.java:40)
	at org.picocontainer.injectors.AbstractInjectionFactory$LifecycleAdapter.start(AbstractInjectionFactory.java:84)
	at org.picocontainer.behaviors.AbstractBehavior.start(AbstractBehavior.java:169)
	at org.picocontainer.behaviors.Stored$RealComponentLifecycle.start(Stored.java:132)
	at org.picocontainer.behaviors.Stored.start(Stored.java:110)
	at org.picocontainer.DefaultPicoContainer.potentiallyStartAdapter(DefaultPicoContainer.java:1016)
	at org.picocontainer.DefaultPicoContainer.startAdapters(DefaultPicoContainer.java:1009)
	at org.picocontainer.DefaultPicoContainer.start(DefaultPicoContainer.java:767)
	at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:135)
	at org.sonar.server.platform.platformlevel.PlatformLevel.start(PlatformLevel.java:90)
	at org.sonar.server.platform.platformlevel.PlatformLevel4.start(PlatformLevel4.java:555)
	at org.sonar.server.platform.PlatformImpl.start(PlatformImpl.java:213)
	at org.sonar.server.platform.PlatformImpl.startLevel34Containers(PlatformImpl.java:187)
	at org.sonar.server.platform.PlatformImpl.access$500(PlatformImpl.java:46)
	at org.sonar.server.platform.PlatformImpl$1.lambda$doRun$0(PlatformImpl.java:120)
	at org.sonar.server.platform.PlatformImpl$AutoStarterRunnable.runIfNotAborted(PlatformImpl.java:370)
	at org.sonar.server.platform.PlatformImpl$1.doRun(PlatformImpl.java:120)
	at org.sonar.server.platform.PlatformImpl$AutoStarterRunnable.run(PlatformImpl.java:354)
	at java.base/java.lang.Thread.run(Unknown Source)
Caused by: org.sonar.auth.ldap.LdapException: Unable to open LDAP connection
	at org.sonar.auth.ldap.LdapContextFactory.testConnection(LdapContextFactory.java:215)
	at org.sonar.auth.ldap.LdapRealm.init(LdapRealm.java:63)
	at org.sonar.server.user.SecurityRealmFactory.start(SecurityRealmFactory.java:87)
	... 19 common frames omitted
Caused by: javax.naming.CommunicationException: Connection or outbound has closed
	at java.naming/com.sun.jndi.ldap.LdapCtx.extendedOperation(Unknown Source)
	at java.naming/javax.naming.ldap.InitialLdapContext.extendedOperation(Unknown Source)
	at org.sonar.auth.ldap.LdapContextFactory.createInitialDirContext(LdapContextFactory.java:120)
	at org.sonar.auth.ldap.LdapContextFactory.createBindContext(LdapContextFactory.java:96)
	at org.sonar.auth.ldap.LdapContextFactory.testConnection(LdapContextFactory.java:211)
	... 21 common frames omitted
Caused by: java.net.SocketException: Connection or outbound has closed
	at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(Unknown Source)
	at java.base/java.io.BufferedOutputStream.flushBuffer(Unknown Source)
	at java.base/java.io.BufferedOutputStream.flush(Unknown Source)
	at java.naming/com.sun.jndi.ldap.Connection.writeRequest(Unknown Source)
	at java.naming/com.sun.jndi.ldap.Connection.writeRequest(Unknown Source)
	at java.naming/com.sun.jndi.ldap.LdapClient.extendedOp(Unknown Source)
	... 26 common frames omitted
2020.04.07 01:44:41 DEBUG web[][o.s.s.p.Platform] Background initialization of SonarQube done
2020.04.07 01:44:41 INFO  web[][o.s.p.ProcessEntryPoint] Hard stopping process
2020.04.07 01:44:41 DEBUG web[][o.s.s.a.TomcatAccessLog] Tomcat is stopped

, but succeeds using Global LDAP 3268

2020.04.07 01:49:22 INFO  web[][o.s.s.s.LogServerId] Server ID: REDACTED
2020.04.07 01:49:22 INFO  web[][org.sonar.INFO] Security realm: LDAP
2020.04.07 01:49:22 INFO  web[][o.s.a.l.LdapSettingsManager] User mapping: LdapUserMapping{baseDn=dc=corporate,dc=local, request=(&(objectClass=user)(objectCategory=Person)(samAccountName={0})), realNameAttribute=cn, emailAttribute=mail}
2020.04.07 01:49:22 INFO  web[][o.s.a.l.LdapSettingsManager] Groups will not be synchronized, because property 'ldap.group.baseDn' is empty.
2020.04.07 01:49:22 DEBUG web[][o.s.a.l.LdapContextFactory] Initializing LDAP context {java.naming.referral=follow, java.naming.security.principal=cn=ldapanon,ou=Service Accounts,ou=Universal,dc=corporate,dc=local, com.sun.jndi.ldap.connect.pool=true, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.sasl.realm=dc=corporate,dc=local, java.naming.provider.url=ldap://ldap-vip.example.com:3268, java.naming.security.authentication=simple}
2020.04.07 01:49:22 INFO  web[][o.s.a.l.LdapContextFactory] Test LDAP connection on ldap://ldap-vip.example.com:3268: OK
2020.04.07 01:49:22 INFO  web[][org.sonar.INFO] Security realm started
  • Steps to reproduce
    Startup script calls docker run ... with environment variables and over-rides to handle bug [SONAR-13272] - Jira
docker run -d -it --name sonarqube --restart=unless-stopped --stop-timeout 3600 \
  --ulimit nofile=65536 --ulimit nproc=65536 \
  -v $SONARQUBE_HOME/conf:/opt/sonarqube/conf \
  -v $SONARQUBE_HOME/extensions:/opt/sonarqube/extensions \
  -v $SONARQUBE_HOME/logs:/opt/sonarqube/logs \
  -v $SONARQUBE_HOME/data:/opt/sonarqube/data \
  -e SONAR_JDBC_USERNAME=sonar \
  -e SONAR_JDBC_PASSWORD=sonar \
  -e SONAR_JDBC_URL=jdbc:postgresql://REDACTED:5432/sonarqube \
  -e SONAR_SECURITY_REALM=LDAP \
  -e SONAR_AUTHENTICATOR_DOWNCASE=true \
  -p 9000:9000 sonarqube:8.2-community \
  -Dldap.url=ldap://ldap-vip.example.com:3268 \
  -Dldap.realm=dc=corporate,dc=local \
  -Dldap.bindDn='cn=ldapanon,ou=Service Accounts,ou=Universal,dc=corporate,dc=local' \
  -Dldap.bindPassword='Anonymous@' \
  -Dldap.user.baseDn=dc=corporate,dc=local \
  -Dldap.user.request='(&(objectClass=user)(objectCategory=Person)(samAccountName={login}))' \
  -Dldap.user.realNameAttribute=cn \
  -Dldap.user.emailAttribute=mail

Someone on my team suggested the ldaps connection is failing due to rejection of self-signed certificate. Would there be a way to allow ignoring certificate authentication?

Further analysis is disturbing, I’ve actually copied our root certificate into the container certificate storage, but I’m still unable to make a connection to our ldaps://ldap.example.com:3269 server. I’m attaching a log (TRACE level) hoping to isolate the failure. The startup script also has an added line setting -Dldap.StartTLS=truesonar_ldaps_trace.log.txt (74.3 KB)

Hi,

Sorry for the late reply, have you tried to use ldap.StartTLS=true ?

Regards

Thanks, issue resolved by injecting keystore in custom docker image

Perfect, thanks for sharing how you’ve solved your issue !

Hi mark,

I am facing similar issue when using the ldaps in the conf file. could you help me pls?
Not able to connect to LDAPS. With the standalone sonarqube (not docker) am able to use the SSL.