- version used: Community Edition Version 7.6 (build 21501) [Docker]
- error observed: permissions are not enforced
- steps to reproduce: see below
- potential workaround: none
SonarQube 7.6 integrated with Active Directory.

sonar.properties:

```properties
sonar.security.realm=LDAP
sonar.authenticator.downcase=true
ldap.url=ldap://<ldaphost>
ldap.bindDn=CN=sonar,OU=Users,OU=MyBusiness,DC=Company,DC=local
ldap.bindPassword=secret
ldap.user.baseDn=OU=Users,OU=MyBusiness,DC=Company,DC=local
ldap.user.request=(&(objectClass=user)(sAMAccountName={login}))
ldap.user.realNameAttribute=cn
ldap.user.emailAttribute=mail
ldap.group.baseDn=OU=Security Groups,OU=MyBusiness,DC=Company,DC=local
ldap.group.request=(&(objectClass=group)(member={dn}))
ldap.group.idAttribute=cn
sonar.forceAuthentication=true
```
We have the following groups, and they also exist in AD:

Note: Sorry, couldn’t post multiple images, so please see them in the single image at the bottom of this post.

And these are the users:

Note: Sorry, couldn’t post multiple images, so please see them in the single image at the bottom of this post.

All simple.
Initially we wanted to only authenticate users that belonged to the AD groups sonar-analysers, sonar-developers and sonar-administrators (sonar-*).

But it looks like we can’t do that, so we have no choice but to allow any AD-authenticated user to log in to sonar. (PS: we couldn’t get nested groups working either, so we flattened the users in the sonar-* groups.)

If this is not true, please advise how it is possible to restrict to certain groups, as this setting didn’t work:

```properties
ldap.group.request=(&(objectClass=group)(|(cn=sonar-analysers)(cn=sonar-developers)(cn=sonar-administrators))(member={dn}))
```
To work around that limitation, we decided to remove all permissions from sonar-users, and here is our default template:

Note: Sorry, couldn’t post multiple images, so please see them in the single image at the bottom of this post.

As can be seen, sonar-users has no permissions granted.

And here are the global permissions:

Note: Sorry, couldn’t post multiple images, so please see them in the single image at the bottom of this post.
The user F in Active Directory does not belong to any of the sonar-* groups, yet the user is authenticated in sonar and is in the sonar-users group. Fine.

However, this particular user is able to:

- Run Project Analysis
- Browse Projects
- And even see the code
How is that possible?
Is this a bug or a misconfiguration on our part?
Thanks
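As an added example (not code from the original post or from SonarQube), the following evaluates the filter syntax used in `ldap.group.request` against constructed AD group entries, so a candidate group request can be checked for what it returns for a given user DN before it goes into sonar.properties. The user DNs and group entries are fabricated; a group request that returns nothing for a user maps no groups to that user, which is separate from whether the user's bind succeeds.

```python
# Added example (not SonarQube code): evaluate the filter syntax used in
# ldap.group.request against constructed AD group entries (&, | and attr=value only).

def parse(s, i=0):
    """Parse a filter starting at s[i]; return (node, index after it)."""
    assert s[i] == "(", f"expected '(' at offset {i}"
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        assert s[i] == ")", "unterminated &/| list"
        return (op, kids), i + 1
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.lower(), value), end + 1

def matches(node, entry):
    """Evaluate a parsed node against entry: {attr_lowercase: [values]}."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    _, attr, value = node
    # AD attribute names and DN/cn values compare case-insensitively
    return any(v.lower() == value.lower() for v in entry.get(attr, []))

def groups_for_user(filter_template, user_dn, entries):
    """Substitute {dn} the way the LDAP plugin does; return matching group cns."""
    node, _ = parse(filter_template.replace("{dn}", user_dn))
    return sorted(e["cn"][0] for e in entries if matches(node, e))

# Constructed data: DNs and group entries are fabricated for this example.
BASE = "OU=MyBusiness,DC=Company,DC=local"
USER_F = f"CN=F,OU=Users,{BASE}"   # stands in for the post's user F
USER_G = f"CN=G,OU=Users,{BASE}"   # a user who is in sonar-developers
GROUPS = [
    {"objectclass": ["group"], "cn": ["sonar-developers"], "member": [USER_G]},
    {"objectclass": ["group"], "cn": ["sonar-administrators"], "member": []},
    {"objectclass": ["group"], "cn": ["vpn-users"], "member": [USER_F, USER_G]},
]
DEFAULT_REQUEST = "(&(objectClass=group)(member={dn}))"
RESTRICTED_REQUEST = ("(&(objectClass=group)(|(cn=sonar-analysers)"
                      "(cn=sonar-developers)(cn=sonar-administrators))(member={dn}))")

if __name__ == "__main__":
    for req in (DEFAULT_REQUEST, RESTRICTED_REQUEST):
        for dn in (USER_F, USER_G):
            print(dn.split(",")[0], "->", groups_for_user(req, dn, GROUPS))
```

With the post's default request, user F is mapped to every group that lists them as a member; with the restricted request, F is mapped to no group at all, while G still gets sonar-developers.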