Problems Switching to LDAPS

Hi Sonar Community,

Currently we are using the latest version of SonarQube Community Edition, v9.4.0.54424, and we are having trouble switching from LDAP to LDAPS.

I tried to read all similar posts about users having issues, but I don’t seem to get it to work… We have few Java-based applications running, so it could be I’m missing something.

By the end of the month my organisation will block:

  • LDAP SASL over 389 without a signing request
  • LDAP Simple bind over 389

What still will be allowed:

  • LDAP SASL over 389 supporting signing requests
  • LDAP using STARTTLS over 389
  • LDAPS (SSL) over 636
    The same applies to their global catalog port counterparts

:+1: Working current LDAP configuration: [sonar.properties]

sonar.security.realm=LDAP
ldap.bindDn=<service_account_username>
ldap.bindPassword=<verified_password_is_accurate>
sonar.authenticator.downcase=true
ldap.url=ldap://be.mycompany.com:3268

:-1: Imported root & computer certificate to [C:\Program Files\Java\jdk-11.0.13\lib\security\cacerts] with the help of KeyStore Explorer. Tried making the switch to LDAPS as follows, which is failing …

sonar.security.realm=LDAP
ldap.bindDn=<service_account_username>
ldap.bindPassword=<verified_password_is_accurate>
sonar.authenticator.downcase=true
ldap.url=ldaps://be.mycompany.com:3269
ldap.StartTLS=false

Tried other configurations as well: removing the port number, StartTLS set to true instead of false, and the downcase statement true / false.
Also added following statement which doesn’t make a difference:
sonar.web.javaAdditionalOpts=-javaagent:./extensions/plugins/sonarqube-community-branch-plugin-1.10.0.jar=web -Djavax.net.ssl.trustStore=$JAVA_HOME/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=changeit

The SonarQube Windows Service always stops, giving the following debug information; any help would be appreciated. Or easy tools to debug LDAP connections…

Attached [web.log] file, which ran in DEBUG mode:
20220518_SonarQube_LDAPS_Issues.web.log (666.8 KB)

Hi,

Welcome to the community!

This is what I see in the log you attached:

Caused by: org.sonar.auth.ldap.LdapException: Unable to open LDAP connection
Caused by: javax.naming.CommunicationException: simple bind failed: be.mycompany.com:3269

Googling the second Caused by gets me to this:

The issue happens due to missing SSL certificates in the JRE keystore.

For an LDAPS or HTTPS connection, the java runtime needs to use the respective SSL certificate for creating a secured connection with the server at the other end.

HTH,
Ann

Thanks a lot Ann,

We’ve managed to get the LDAPS connection successfully working with the following configuration:

sonar.security.realm=LDAP
ldap.bindDn=service account
ldap.bindPassword=service account password
sonar.authenticator.downcase= false
ldap.url=ldaps://servername_domaincontroller.be.mycompany.com:3269

Combining both ldaps and configuration key:

ldap.StartTLS=true

results in an error; only one of those options should be chosen.
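An added diagnostic for the two things this thread turned on (it is not SonarQube's code and not part of any post): a sanity check of the ldap.* keys shown above (ldaps:// combined with ldap.StartTLS=true, plain ldap:// that the policy is about to block), and a TLS-handshake-only probe of the global catalog port with an explicit CA bundle, so an untrusted certificate (the "simple bind failed" in web.log) can be told apart from a network problem before restarting the service. Host names and the CA file path are placeholders.

```python
import socket
import ssl
from urllib.parse import urlsplit

def parse_properties(text: str) -> dict:
    """Minimal sonar.properties reader: key=value per line, '#' comments, whitespace trimmed."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def diagnose_ldap_settings(props: dict) -> list:
    """Findings for the ldap.* keys discussed in this thread; an empty list means nothing obviously wrong."""
    findings = []
    url = urlsplit(props.get("ldap.url", ""))
    starttls = props.get("ldap.StartTLS", "false").lower() == "true"
    if url.scheme == "ldaps" and starttls:
        findings.append("ldaps:// together with ldap.StartTLS=true: choose one, the combination errors out")
    if url.scheme == "ldap" and not starttls:
        findings.append("plain ldap:// without StartTLS: simple bind over 389/3268 is about to be blocked")
    if url.scheme == "ldaps" and url.port not in (None, 636, 3269):
        findings.append(f"ldaps:// on port {url.port}: expected 636 or 3269 (global catalog)")
    return findings

def check_ldaps(host: str, port: int = 3269, cafile=None, timeout: float = 5.0) -> dict:
    """TLS handshake only, no bind. cafile=None uses the OS trust store; point it at the CA you
    imported into cacerts (exported as PEM) to test exactly the chain SonarQube's JVM will trust."""
    ctx = ssl.create_default_context(cafile=cafile)
    result = {"host": host, "port": port, "status": "", "detail": ""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:  # handshake happens here
                result["status"] = "ok"
                result["detail"] = f"{tls.version()} subject={tls.getpeercert().get('subject')}"
    except ssl.SSLCertVerificationError as e:   # issuer not in the bundle, or hostname mismatch
        result["status"], result["detail"] = "untrusted_cert", e.verify_message
    except ssl.SSLError as e:                   # handshake failed for another reason
        result["status"], result["detail"] = "tls_error", str(e)
    except OSError as e:                        # DNS, connection refused, timeout, firewall
        result["status"], result["detail"] = "connect_error", str(e)
    return result

if __name__ == "__main__":
    # Constructed input: the failing ldaps configuration from the first post (placeholder host).
    props = parse_properties("ldap.url=ldaps://be.mycompany.com:3269\nldap.StartTLS=false\n")
    print(diagnose_ldap_settings(props))                       # [] -> keys are fine, look at the trust store
    print(check_ldaps("be.mycompany.com", 3269, cafile="exported-root-ca.pem"))
```

A "hostname mismatch" in the detail field is the case where the certificate is trusted but was issued to the domain controller's own name rather than the domain name, which is consistent with the working URL in the last post naming a specific domain controller.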
