Question regarding SonarQube integration with AD


(Ankur) #1

SonarQube v6.7.4
sonar-ldap 2.2.0
I have questions regarding the SonarQube integration with AD (LDAP Plugin). I have configured LDAP parameters as per the documentation. I have NOT configured any groups in AD and not provided any group mapping in
AD authentication works and when the user logs in to SonarQube, he is assigned to the group sonar-users by default (which is expected). Now, in SonarQube, I have assigned admin privilege to this user, i.e. added him to the sonar-administrators group. I have no such group defined in AD and as per the documentation (which says - “Each time a user logs into SonarQube, the username, the email and the groups this user belongs to that are refreshed in the SonarQube database.”), I was expecting that once the user logs in to SQ again, he would be removed from the sonar-administrators group. But that does not happen. The user remains assigned to the sonar-administrators group. Why is this so? Is this because I have not provided any group mapping in ?

If this is the expected behavior, then why should I even create groups in AD? I can let my as-is (i.e. without any group mapping) and assign users to any groups I want later (admin or lead), once they log in for the first time. I know that configuring groups in AD (& providing group mapping in would keep both AD and SQ in sync and would avoid any manual group assignments in SQ, but when I am dealing with a small number of users and when AD configuration is not really in my control, I can manage with this. But is this expected behavior or a defect/loophole?

(Scott) #2

It’s expected (I’m not a SonarSource employee, just a long-time user). You don’t need to sync groups with AD, you can manage them only inside SonarQube if you prefer.

(Julien Lancelot) #3


It’s up to you to decide whether you want group synchronization to be done by LDAP, or whether you want to do it manually.
Everything is explained in the documentation:

Julien Lancelot