Restrict access to SonarQube based on LDAP Group Membership?

I am running SonarQube 8.6.0.39681 on Windows Server 2016 with the built-in LDAP plugin.

I have LDAP working, as new users are able to log into SonarQube with their domain credentials and create an account, but I would like to restrict access based on a specific group membership in AD. Unfortunately, all users on the domain are able to log in at this time, as I have been unable to restrict access by AD user group membership. I have no interest in Group Mapping at this time; I would simply like to find the LDAP string for LDAP user configuration that looks for a specific group membership in AD and then grants access if the user is a member or denies if the user is not a member. The following is my LDAP configuration in the properties file:

#----- LDAP configuration
# General Configuration
sonar.security.realm=LDAP
sonar.authenticator.downcase=true
ldap.url=ldap://ldap.domain.com:3268
ldap.bindDn=serviceaccount@ad.domain.com
ldap.bindPassword=********

# User Configuration
ldap.user.baseDn=dc=ad,dc=domain,dc=com
ldap.user.request=(&(objectClass=user)(sAMAccountName={login}))
ldap.user.realNameAttribute=cn
ldap.user.emailAttribute=mail

RESOLVED

You can restrict SonarQube access based on a specific LDAP/AD group membership by restricting the user-filter option on the ldap.user.request:

ldap.user.request=(&(objectClass=user)(sAMAccountName={login})(memberOf=CN=ldap-group,OU=groups,DC=example,DC=com))

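A way to build and audit the group-restricted `ldap.user.request` from the answer above, as an added example that is not part of the original thread or of SonarQube: it escapes the group DN per RFC 4515 and flags a filter with no `memberOf` clause, which lets every matching account log in. The function names and finding codes are hypothetical, and the `nested=True` option goes beyond the thread by assuming Active Directory, where plain `memberOf` matches direct members only.

```python
import re

# AD matching rule LDAP_MATCHING_RULE_IN_CHAIN: also matches membership via nested groups.
IN_CHAIN = "1.2.840.113556.1.4.1941"

# Constructed sample: the user-configuration lines from the question above.
SAMPLE = """\
ldap.user.baseDn=dc=ad,dc=domain,dc=com
ldap.user.request=(&(objectClass=user)(sAMAccountName={login}))
"""

def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves inside a filter value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_user_request(group_dn, nested=False):
    """Build an ldap.user.request value that only matches members of group_dn."""
    rule = ":%s:" % IN_CHAIN if nested else ""
    return "(&(objectClass=user)(sAMAccountName={login})(memberOf%s=%s))" % (
        rule, escape_filter_value(group_dn))

def audit_properties(text):
    """Return finding codes for the ldap.user.request line of a sonar.properties text."""
    match = re.search(r"^[ \t]*ldap\.user\.request[ \t]*=[ \t]*(.*?)[ \t]*$", text, re.M)
    if not match:
        return ["USER_REQUEST_NOT_SET"]
    value, findings, depth = match.group(1), [], 0
    for ch in value:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:  # a ")" appeared before its "("
            break
    if depth != 0:
        findings.append("UNBALANCED_PARENS")
    if "{login}" not in value:
        findings.append("MISSING_LOGIN_PLACEHOLDER")
    if not re.search(r"\(memberOf(:[0-9.]+:)?=", value, re.I):
        findings.append("NO_GROUP_RESTRICTION")  # any account matching the filter can log in
    return findings

if __name__ == "__main__":
    print(audit_properties(SAMPLE))  # audit of the question's configuration
    fixed = build_user_request("CN=ldap-group,OU=groups,DC=example,DC=com")
    print(fixed)
    print(audit_properties("ldap.user.request=" + fixed))
```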