SonarQube v6.7.4
sonar-ldap 2.2.0
I have questions regarding the SonarQube integration with AD (LDAP Plugin). I have configured LDAP parameters as per the documentation. I have NOT configured any groups in AD and not provided any group mapping in sonar.properties.
AD authentication works, and when the user logs in to SonarQube, he is assigned to the sonar-users group by default (which is expected). Now, in SonarQube, I have assigned admin privileges to this user, i.e. added him to the sonar-administrators group. I have no such group defined in AD and, as per the documentation (which says “Each time a user logs into SonarQube, the username, the email and the groups this user belongs to that are refreshed in the SonarQube database.”), I was expecting that once the user logs in to SQ again, he would be removed from the sonar-administrators group. But that does not happen. The user remains assigned to the sonar-administrators group. Why is this so? Is this because I have not provided any group mapping in sonar.properties?
If this is the expected behavior, then why should I even create groups in AD? I can leave my sonar.properties as-is (i.e. without any group mapping) and assign users to any groups I want later (admin or lead), once they log in for the first time. I know that configuring groups in AD (and providing group mapping in sonar.properties) would keep both AD and SQ in sync and would avoid any manual group assignments in SQ, but when I am dealing with a small number of users and when AD configuration is not really in my control, I can manage with this. But is this expected behavior or a defect/loophole?