Multiple OU groups in LDAP

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension): Version 9.9.3 (build 79811)
  • how is SonarQube deployed: zip, Docker, Helm : ZIP
  • what are you trying to achieve: Trying to add another group in LDAP
  • what have you tried so far to achieve this

Do not share screenshots of logs – share the text itself (bonus points for being well-formatted)!

Hi

We have more than 200 projects in SonarQube, which are accessed through the “Sonar-Users” group created in AD and mapped with LDAP. All the users can browse all the projects.

What we want is that there are 10-15 projects which can be accessed by business users and people in the Sonar users group. But anyone from business users should not be able to access any other project (except those 10-15 projects).

I tried to create a security group called business user and also created a permissions template and applied it to the business user group. I made one project private and applied the permissions template.

That works fine: business users can access it, but they can access other projects as well, as we have to add those users to the Sonar user group to access SonarQube through LDAP.

Can we have multiple member groups in

ldap.user.request=(&(objectClass=user)(sAMAccountName={login})(memberOf=CN=SonarQube_Users,OU=DL’s and Security Groups,OU=BlueBay Groups,DC=bluebayinvest,DC=com))

Or if there is any other way to implement above?
Sonar user should be able to access all 230 projects
but business users only 10 projects

Thanks
Sunil Bindra

Hey there.

You’re really talking about two different things here.

ldap.user.request is used for LDAP integration and specifies who is allowed to log in to the SonarQube instance. If Force User Authentication is enabled (by default it is), only people who log in to your SonarQube instance can see any information at all.

Project Permissions is more or less unrelated.

It sounds like you need at least two groups (Sonar-Users who have Browse permission on all private projects), and a group for your business users, who only have Browse access to the 10 private projects they should

In simple terms: I think you need to make all your projects private, and then manage permissions from there.

Thanks Colin
Sorry for the confusion. Yes, I need two groups; my next confusion is where we will specify to authenticate the other users. As you have seen in the above settings, the only member is Sonar-Users. Can we add 2 groups, comma separated, or CN names?

You’ll want to use OR syntax.

for example:

ldap.user.request=(&(objectClass=user)(sAMAccountName={login})(|(memberOf=CN=SonarQube_Users,OU=DL’s and Security Groups,OU=BlueBay Groups,DC=bluebayinvest,DC=com)(memberOf=CN=Business-Users,OU=DL’s and Security Groups,OU=BlueBay Groups,DC=bluebayinvest,DC=com)))
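
An added illustration, not part of the original posts and not SonarQube's own code: a small filter parser and evaluator showing which accounts the single-group, OR, and comma-separated forms of ldap.user.request select. The DNs, accounts and function names are constructed assumptions, and values are compared case-insensitively as a simplification.

```python
import re

def parse(f, i=0):
    """Parse one RFC 4515 filter at f[i]; return (node, index after it)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    op = f[i + 1]
    if op in "&|!":
        i, kids = i + 2, []
        while f[i] != ")":            # strict grammar: no whitespace between items
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = f.index(")", i)             # simple equality item: (attr=value)
    attr, _, value = f[i + 1:end].partition("=")
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one directory entry (dict of lists)."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    return value in (v.lower() for v in entry.get(attr, []))

def can_login(template, login, directory):
    """True if the filter, with {login} substituted, selects some entry."""
    if not re.fullmatch(r"[\w.-]+", login):   # keep filter metacharacters out
        raise ValueError("unexpected characters in login")
    text = template.replace("{login}", login)
    tree, end = parse(text)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return any(matches(tree, e) for e in directory)

# Constructed sample data: placeholder DNs and accounts, not the thread's directory.
SONAR = "CN=SonarQube_Users,OU=Groups,DC=example,DC=com"
BUSINESS = "CN=Business-Users,OU=Groups,DC=example,DC=com"
DIRECTORY = [
    {"objectclass": ["user"], "samaccountname": ["alice"], "memberof": [SONAR]},
    {"objectclass": ["user"], "samaccountname": ["bob"], "memberof": [BUSINESS]},
    {"objectclass": ["user"], "samaccountname": ["carol"], "memberof": []},
]
BASE = "(&(objectClass=user)(sAMAccountName={login})"
SINGLE = BASE + f"(memberOf={SONAR}))"
EITHER = BASE + f"(|(memberOf={SONAR})(memberOf={BUSINESS})))"
COMMA = BASE + f"(memberOf={SONAR},{BUSINESS}))"   # comma list: one bogus DN

if __name__ == "__main__":
    for name, flt in [("single", SINGLE), ("either", EITHER), ("comma", COMMA)]:
        print(name, {u: can_login(flt, u, DIRECTORY) for u in ("alice", "bob", "carol")})
```

The comma-separated form is read as a single DN value that no account carries, so it admits nobody in this sample; only the OR form admits members of either group.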

Hi Colin
I tried above.
We create

  1. One new AD group named “Business-Users” with 5 users.
  2. Updated the setting as mentioned above.
  3. Added the new group “Business-Users” as a child of “SonarQube_users”.
  4. Restarted SonarQube.

When I logged in again, as I am part of Admin, I can't see these users under security. Is there anything we are doing wrong? If we add any user directly to SonarQube-user that works fine, but that doesn't fulfill the requirement.

Any suggestions please

Thanks
Sunil

Two points:

  • You should make sure you’ve configured group synchronization correctly
  • Users will have to log in again to refresh their group membership in SonarQube

This is all separate from ldap.user.request, which just controls who can log in to your SonarQube server.

I have tried 2 things. One is using user mapping, which only works with SonarQube_users but not with our new AD group “Business-Users”. The number of users in the admin section remains the same.

Configuration for User Mapping is:
ldap.user.baseDn=DC=bluebayinvest,DC=com

ldap.user.request=(&(objectClass=user)(sAMAccountName={login})(|(memberOf=CN=SonarQube_Users,OU=DL’s and Security Groups,OU=BlueBay Groups,DC=bluebayinvest,DC=com)(memberOf=CN=Business-users,OU=DL’s and Security Groups,OU=BlueBay Groups,DC=bluebayinvest,DC=com)))

I tried Group Mapping as well, like this; SonarQube does not load after this:

ldap.group.baseDn=cn=BlueBay Groups,DC=bluebayinvest,DC=com

ldap.group.request=(&(objectClass=group)(|(CN=SonarQube_Users,OU=DL’s and Security Groups,OU=BlueBay Groups,DC=bluebayinvest,DC=com)(CN=Business-users,OU=DL’s and Security Groups,OU=BlueBay Groups,DC=bluebayinvest,DC=com)))