Multiple OU groups in LDAP

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension): Version 9.9.3 (build 79811)
  • how is SonarQube deployed: zip, Docker, Helm : ZIP
  • what are you trying to achieve: Trying to add another group in LDAP
  • what have you tried so far to achieve this

Do not share screenshots of logs – share the text itself (bonus points for being well-formatted)!

Hi

We have more than 200 projects in SonarQube, which are accessed through the “Sonar-Users” group created in AD and mapped with LDAP. All the users can browse all the projects.

What we want is 10-15 projects which can be accessed by business users and by people in the Sonar users group. But anyone from business users should not be able to access any other project (except those 10-15 projects).

I tried to create a security group called business user and also created a permissions template and applied it to the business user group. Made one project private and applied the permissions template.

That works fine: business users can access it, but they can access other projects as well, as we have to add those users to the Sonar user group to access SonarQube through LDAP.

Can we have multiple member groups in

ldap.user.request=(&(objectClass=user)(sAMAccountName={login})(memberOf=CN=SonarQube_Users,OU=DL’s and Security Groups,OU=BlueBay Groups,DC=bluebayinvest,DC=com))

Or if there is any other way to implement above?
Sonar users should be able to access all 230 projects
but business users only 10 projects

Thanks
Sunil Bindra

Hey there.

You’re really talking about two different things here.

ldap.user.request is used for LDAP integration and specifies who is allowed to login to the SonarQube instance. If Force User Authentication is enabled (by default it is), only people who login to your SonarQube instance can see any information at all.

Project Permissions is more or less unrelated.

It sounds like you need at least two groups: Sonar-Users, who have Browse permission on all private projects, and a group for your business users, who only have Browse access to the 10 private projects they should

In simple terms: I think you need to make all your projects private, and then manage permissions from there.

Thanks Colin
Sorry for the confusion. Yes, I need two groups. My next confusion is where we will specify to authenticate other users. As you have seen in the above settings, the only member is Sonar-Users. Can we add 2 groups comma separated, or CN names?

You’ll want to use OR syntax.

for example:

ldap.user.request=(&(objectClass=user)(sAMAccountName={login})(| (memberOf=CN=SonarQube_Users,OU=DL’s and Security Groups,OU=BlueBay Groups,DC=bluebayinvest,DC=com)(memberOf=CN=Business-Users,OU=DL’s and Security Groups,OU=BlueBay Groups,DC=bluebayinvest,DC=com)))

Hi Colin
I tried above.
We created:

  1. One new AD group named “Business-Users” with 5 users.
  2. Updated the setting as mentioned above.
  3. Added the new group “Business-Users” as a child of “SonarQube_users”.
  4. Restarted SonarQube.

When I logged in again (I am part of Admin), I can't see these users under Security. Is there anything we are doing wrong? If we add any user directly to SonarQube-user that works fine, but that doesn't fulfill the requirement.

Any suggestions please

Thanks
Sunil

Two points:

  • You should make sure you’ve configured group synchronization correctly
  • Users will have to log in again to refresh their group membership in SonarQube

This is all separate from ldap.user.request, which just controls who can login to your SonarQube server.

I have tried 2 things. One is using user mapping, which only works with SonarQube_users but not with our new AD group “Business-Users”. The number of users in the admin section remains the same.

Configuration for User Mapping is:
ldap.user.baseDn=DC=bluebayinvest,DC=com

ldap.user.request=(&(objectClass=user)(sAMAccountName={login})(|(memberOf=CN=SonarQube_Users,OU=DL’s and Security Groups,OU=BlueBay Groups,DC=bluebayinvest,DC=com)(memberOf=CN=Business-users,OU=DL’s and Security Groups,OU=BlueBay Groups,DC=bluebayinvest,DC=com)))

I tried Group Mapping as well, like this; SonarQube does not load after this:

ldap.group.baseDn=cn=BlueBay Groups,DC=bluebayinvest,DC=com

ldap.group.request=(&(objectClass=group)(|(CN=SonarQube_Users,OU=DL’s and Security Groups,OU=BlueBay Groups,DC=bluebayinvest,DC=com)(CN=Business-users,OU=DL’s and Security Groups,OU=BlueBay Groups,DC=bluebayinvest,DC=com)))

Hi Colin,
We have tried multiple options, such as the one you have mentioned, but it doesn’t work for us. Tried similar conventions used in this forum but unfortunately it did not work and came back with Authentication failed. Active Directory Nested Groups - SonarQube - Sonar Community (sonarsource.com)

I have zipped the config please do help us to resolve the issue.
sonar.zip (7.9 KB)

Hey there.

Nested Groups is another concept I really don’t think applies here.

You’re trying to accomplish two things:

  • Limit who can sign into your SonarQube server, which is controlled by ldap.user.request. It sounds like you’ve accomplished that.
  • Have users assigned to groups on login, which will be controlled by ldap.group.*

You can turn up the log level (sonar.log.level=DEBUG) in your conf/sonar.properties file to learn more about the specific LDAP queries being made when your users try to login, and what is returned (like which groups).

I don’t know anything about your LDAP server or how your directory is structured, so there’s not much help I can provide there. Our LDAP integration is just a Java implementation of ldapsearch, so you should be able to pass your configuration there if you have trouble figuring out what the right values for ldap.* are.

Keep in mind that users will only be added to groups once they’ve logged in (after group mapping is configured). Once group mapping is working, you should not expect to see all members immediately added to groups until they login.

Hi Colin,

Thanks for your response. I have enabled logging too but could not narrow down what’s going wrong there.

We have an AD Group called SonarQube Users. It works with below:
ldap.user.request=(&(objectClass=user)(sAMAccountName={login})(memberOf=CN=SonarQube_Users,OU=DL’s and Security Groups,OU=BlueBay Groups,DC=bluebayinvest,DC=com))

Recently we added a new group in SonarQube called Business-Users, for which we have created an AD group. Using the above with the below modification does not work even for existing users who are part of SonarQube, as it's an OR condition.

ldap.user.request=(&(objectClass=user)(sAMAccountName={login})(|(memberOf=CN=SonarQube_Users,OU=DL’s and Security Groups,OU=BlueBay Groups,DC=bluebayinvest,DC=com)(memberOf=CN=Business-Users,OU=DL’s and Security Groups,OU=BlueBay Groups,DC=bluebayinvest,DC=com)))

Could you please let me know what am I missing there?

#--------------------------------------------------------------------------------------------------

LDAP CONFIGURATION

sonar.security.realm=LDAP

sonar.authenticator.downcase=true

ldap.url=ldap://bluebayinvest.com:389

ldap.bindDn=CN=SvcPrdSonarQube,OU=ServiceAccounts,OU=BlueBay Groups,DC=bluebayinvest,DC=com

ldap.bindPassword={aes-gcm}qqAUL6EA4l0/Dv/ydjRtmC3thuMdhWaupPJ1jTIWMre3jnRcJVdYykwuFFs=

ldap.user.baseDn=DC=bluebayinvest,DC=com

ldap.user.request=(&(objectClass=user)(sAMAccountName={login})(|(memberOf=CN=SonarQube_Users,OU=DL’s and Security Groups,OU=BlueBay Groups,DC=bluebayinvest,DC=com)(memberOf=CN=Business-Users,OU=DL’s and Security Groups,OU=BlueBay Groups,DC=bluebayinvest,DC=com)))

You need to be more specific about what you mean by “does not work for existing users”

Sorry.

I am part of the SonarQube Users AD group, which is an existing LDAP connection made with sonar-users, but I don't exist in the Business Users AD group. The below configuration makes me unauthorised to SonarQube. Could you tell what's going wrong there with that OR condition? If I remove the OR condition it works:

ldap.user.request=(&(objectClass=user)(sAMAccountName={login})(|(memberOf=CN=SonarQube_Users,OU=DL’s and Security Groups,OU=BlueBay Groups,DC=bluebayinvest,DC=com)(memberOf=CN=Business-Users,OU=DL’s and Security Groups,OU=BlueBay Groups,DC=bluebayinvest,DC=com)))

I’m really not an expert in this syntax – SonarQube is just performing ldapsearch queries. I suggest, if you’re having trouble constructing your configuration, to remove SonarQube from the picture and use ldapsearch directly to refine your query.

Hi Colin, now we are a step further. We got all users from two AD groups using the below settings, but the problem we have at the moment is that all the users from both AD groups go into the default group within SonarQube, sonar-users. How do we separate them into a separate group within SonarQube, business-users, instead of going into sonar-users? Any suggestion on how to go about fixing this please?

ldap.user.baseDn=OU=London,DC=bluebayinvest,DC=com
ldap.user.request=(&(objectClass=user)(sAMAccountName={login}))
ldap.group.baseDn=OU=DL’s and Security Groups,OU=BlueBay Groups,DC=bluebayinvest,DC=com
ldap.group.request=(&(objectClass=group)(|(cn=SonarQube_Users)(cn=Business-users))(member={dn}))
ldap.user.realNameAttribute=cn
ldap.user.emailAttribute=mail
ldap.group.idAttribute=cn
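An added example (not code from the thread, and not SonarQube's LDAP plugin) covering the OR syntax Colin gave earlier, his suggestion to reproduce the query with ldapsearch, and the ldap.user.request / ldap.group.request pair in this post: a small evaluator for the filter subset these settings use (&, |, attr=value), run against a constructed in-memory directory. Assumptions: the user entries, logins and DNs are invented (the group DNs follow the thread's, with a straight apostrophe in "DL's"); the {login} and {dn} substitution and the RFC 4515 escaping are modelled here and say nothing about what the plugin itself does; ldapsearch_command only builds the command line and never connects anywhere.

```python
"""Added example, not code from the thread or from SonarQube's LDAP plugin: an
evaluator for the RFC 4515 filter subset used in the posts (&, |, attr=value),
run against a constructed in-memory directory. It fills SonarQube's {login} and
{dn} placeholders as ldap.user.request / ldap.group.request describe, so you can
see that the OR filter admits members of either AD group and how the group
request turns a user's DN into group names."""
import re
import shlex

# Filters copied from the thread; the straight apostrophe in "DL's" is an assumption.
GROUPS_OU = "OU=DL's and Security Groups,OU=BlueBay Groups,DC=bluebayinvest,DC=com"
USER_BASE = "OU=London,DC=bluebayinvest,DC=com"
USER_REQUEST = ("(&(objectClass=user)(sAMAccountName={login})"
                f"(|(memberOf=CN=SonarQube_Users,{GROUPS_OU})"
                f"(memberOf=CN=Business-Users,{GROUPS_OU})))")
GROUP_REQUEST = "(&(objectClass=group)(|(cn=SonarQube_Users)(cn=Business-users))(member={dn}))"

# Constructed directory: three users in OU=London and the two groups from the thread.
SUNIL_DN = "CN=Sunil,OU=London,DC=bluebayinvest,DC=com"
BIZ_DN = "CN=Biz User,OU=London,DC=bluebayinvest,DC=com"
OUTSIDER_DN = "CN=Outsider,OU=London,DC=bluebayinvest,DC=com"
SONAR_GROUP_DN = f"CN=SonarQube_Users,{GROUPS_OU}"
BIZ_GROUP_DN = f"CN=Business-Users,{GROUPS_OU}"
DIRECTORY = {
    SUNIL_DN: {"objectClass": ["user"], "sAMAccountName": ["sunil"], "memberOf": [SONAR_GROUP_DN]},
    BIZ_DN: {"objectClass": ["user"], "sAMAccountName": ["bizuser"], "memberOf": [BIZ_GROUP_DN]},
    OUTSIDER_DN: {"objectClass": ["user"], "sAMAccountName": ["outsider"], "memberOf": []},
    SONAR_GROUP_DN: {"objectClass": ["group"], "cn": ["SonarQube_Users"], "member": [SUNIL_DN]},
    BIZ_GROUP_DN: {"objectClass": ["group"], "cn": ["Business-Users"], "member": [BIZ_DN]},
}

def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a filter, so that a login or
    DN containing ( ) * \\ or NUL cannot alter the filter's structure."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)

def fill(template, **params):
    """Replace {login} / {dn} placeholders; callers pass already-escaped values."""
    for key, val in params.items():
        template = template.replace("{" + key + "}", val)
    return template

def parse_filter(text):
    """Parse (&...), (|...) and (attr=value) into nested tuples; leaf values are
    unescaped. Escaped values never contain a raw ')' so the leaf scan is safe."""
    def parse(i):
        if text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        if text[i] in "&|":
            op, i, children = text[i], i + 1, []
            while text[i] == "(":
                child, i = parse(i)
                children.append(child)
            if text[i] != ")":
                raise ValueError(f"expected ')' at offset {i}")
            return (op, children), i + 1
        end = text.index(")", i)
        attr, sep, value = text[i:end].partition("=")
        value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m[1], 16)), value)
        return ("=", attr, value), end + 1
    node, consumed = parse(0)
    if consumed != len(text):
        raise ValueError("trailing characters after filter")
    return node

def matches(node, entry):
    """Evaluate a parsed filter against one entry (attr -> list of values);
    attribute names and, as in AD, DN and cn values compare case-insensitively."""
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    _, attr, value = node
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    return any(v.lower() == value.lower() for v in values)

def search(base_dn, filter_text):
    """Subtree search: DNs under base_dn whose entry satisfies the filter."""
    node = parse_filter(filter_text)
    return [dn for dn, entry in DIRECTORY.items()
            if dn.lower().endswith(base_dn.lower()) and matches(node, entry)]

def lookup_user(login):
    """What ldap.user.request does: the login must resolve to exactly one entry."""
    hits = search(USER_BASE, fill(USER_REQUEST, login=escape_filter_value(login)))
    return hits[0] if len(hits) == 1 else None

def groups_for(user_dn):
    """What ldap.group.request with ldap.group.idAttribute=cn yields: the cn
    values the directory returns, not the spelling used in the filter."""
    hits = search(GROUPS_OU, fill(GROUP_REQUEST, dn=escape_filter_value(user_dn)))
    return sorted(DIRECTORY[dn]["cn"][0] for dn in hits)

def ldapsearch_command(url, bind_dn, base_dn, filter_text):
    """The ldapsearch call Colin suggests for testing a filter outside SonarQube
    (-x simple bind, -W prompts for the bind password); returned, not executed."""
    return shlex.join(["ldapsearch", "-x", "-LLL", "-H", url, "-D", bind_dn, "-W",
                       "-b", base_dn, filter_text, "dn", "memberOf"])
```

Two things the run makes visible: a user present in OU=London but in neither group (lookup_user("outsider")) is refused by the memberOf OR clause, which is exactly the gate Colin describes for ldap.user.request; and groups_for returns "Business-Users" as stored in the directory even though the filter says "Business-users", so the SonarQube group you create to receive those members should be named after what the directory returns, which is what the DEBUG log line later in the thread prints.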

Hey there.

You can’t prevent users from ending up in the sonar-users group. All users belong to that group. That probably means it isn’t a very useful group for you to use to delegate permissions.

If Group Mapping is working correctly (meaning ldap.group.request and ldap.group.idAttribute are set correctly), and you have groups on your SonarQube instance named the same as your AD Groups, then the membership should sync when your users login. As I mentioned before:

You can verify what groups are being returned by your LDAP server in the logs when your users try to login.

Those logs look like this:

2019.08.14 17:13:00 DEBUG web[AWwLkym9Roi/vbL+Aral][o.s.s.a.UserIdentityAuthenticator] List of groups returned by the identity provider '[Group1, Group2]'
2019.08.14 17:13:00 DEBUG web[AWwLkym9Roi/vbL+Aral][auth.event] login success [method|BASIC][provider|REALM|LDAP][IP|10.248.82.143|][login|username]
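To make those lines usable when many users are logging in, an added example (not from the thread and not SonarQube code) that parses this log format and pairs the group list with the login that follows it by the web[...] request id. The sample log is constructed: the first two lines reproduce the format Colin shows, and the second request, with an empty group list, is invented to illustrate the "everyone lands only in sonar-users" symptom from earlier in the thread.

```python
"""Added example, not from the thread or from SonarQube: parse the DEBUG lines
SonarQube writes during an LDAP login and correlate the group list with the
auth.event that follows it, using the web[...] request id as the join key."""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) (?P<level>\w+) "
    r"web\[(?P<req>[^\]]+)\]\[(?P<logger>[^\]]+)\] (?P<msg>.*)$")
GROUPS_RE = re.compile(r"List of groups returned by the identity provider '\[(?P<groups>[^\]]*)\]'")
FIELD_RE = re.compile(r"\[([^\]]*)\]")

# Constructed sample: the two lines from the thread plus an invented second
# login (request id and user are made up) whose provider returned no groups.
SAMPLE_LOG = """\
2019.08.14 17:13:00 DEBUG web[AWwLkym9Roi/vbL+Aral][o.s.s.a.UserIdentityAuthenticator] List of groups returned by the identity provider '[Group1, Group2]'
2019.08.14 17:13:00 DEBUG web[AWwLkym9Roi/vbL+Aral][auth.event] login success [method|BASIC][provider|REALM|LDAP][IP|10.248.82.143|][login|username]
2019.08.14 17:14:10 DEBUG web[constructedReqId0002][o.s.s.a.UserIdentityAuthenticator] List of groups returned by the identity provider '[]'
2019.08.14 17:14:10 DEBUG web[constructedReqId0002][auth.event] login success [method|BASIC][provider|REALM|LDAP][IP|10.248.82.144|][login|bizuser]
"""

def parse_fields(text):
    """Turn '[method|BASIC][provider|REALM|LDAP][IP|10.0.0.1|]' into a dict;
    multi-part values (REALM|LDAP) stay joined, trailing empty parts are dropped."""
    fields = {}
    for raw in FIELD_RE.findall(text):
        parts = raw.split("|")
        fields[parts[0]] = "|".join(p for p in parts[1:] if p)
    return fields

def parse_auth_log(text):
    """Return one dict per auth.event line (ts, outcome, method, provider, ip,
    login, groups), with groups taken from the group-list line of the same
    request id, or [] if that request logged no group list."""
    groups_by_req = {}
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a SonarQube web log line; skip silently
        req, logger, msg = m["req"], m["logger"], m["msg"]
        g = GROUPS_RE.search(msg)
        if g:
            raw = g["groups"].strip()
            groups_by_req[req] = [x.strip() for x in raw.split(",")] if raw else []
        elif logger == "auth.event":
            outcome, _, rest = msg.partition(" [")
            fields = parse_fields("[" + rest) if rest else {}
            events.append({
                "ts": m["ts"], "outcome": outcome,
                "method": fields.get("method"), "provider": fields.get("provider"),
                "ip": fields.get("IP"), "login": fields.get("login"),
                "groups": groups_by_req.get(req, []),
            })
    return events

def logins_without_groups(events):
    """Successful logins for which the provider returned no groups: these users
    end up only in sonar-users, the symptom described in the thread."""
    return [e["login"] for e in events
            if e["outcome"] == "login success" and not e["groups"]]
```

Run it over conf-level DEBUG output from web.log: a login that appears in logins_without_groups tells you the ldap.group.request did not match any group for that user's DN, while a login whose group names differ from the groups defined in SonarQube points at a naming mismatch rather than a query problem.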