Restrict access to users who do not belong to certain LDAP groups

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension): latest
  • what are you trying to achieve
  • what have you tried so far to achieve this

```properties
sonar.security.realm=LDAP
ldap.url=ldap://192.168.12.58:389
ldap.bindDn=cn=DevOps Administrator,ou=people,dc=tuleap,dc=local
ldap.bindPassword=xxx
ldap.user.baseDn=ou=people,dc=tuleap,dc=local
ldap.user.request=(&(objectClass=inetOrgPerson)(uid={login}))
ldap.user.realNameAttribute=cn
ldap.user.emailAttribute=mail
ldap.group.baseDn=ou=groups,dc=tuleap,dc=local
ldap.group.request=(&(objectClass=posixGroup)(|(cn=sonar-administrators)(cn=sonar-users))(memberUid={uid}))
```

```ldif
# test, groups, tuleap.local
dn: cn=test,ou=groups,dc=tuleap,dc=local
objectClass: posixGroup
gidNumber: 10002
cn: test
memberUid: test

# test test, people, tuleap.local
dn: cn=test test,ou=people,dc=tuleap,dc=local
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
loginShell: /bin/bash
homeDirectory: /home/test
uid: test
cn: test test
uidNumber: 10003
gidNumber: 10002
sn: test
givenName: test
mail: test@prpm.org
userPassword:: xxx
```

Log in with user test:

I can enter SonarQube. This is a bug, because the test user does not belong to the groups allowed to enter (|(cn=sonar-administrators)(cn=sonar-users)).

The OpenLDAP logs say:
in the first search, for the user, it gives "err=0 nentries=1";
in the second search, for that user's groups, it gives "err=0 nentries=0", that is, no entry.

So why can the user enter SonarQube if OpenLDAP doesn't find any entry?

```text
ldap            | 5df34001 conn=2107 op=9 SRCH base="ou=people,dc=tuleap,dc=local" scope=2 deref=3 filter="(&(objectClass=inetOrgPerson)(uid=test))"
ldap            | 5df34001 conn=2107 op=9 SRCH attr=mail cn
ldap            | 5df34001 conn=2107 op=9 SEARCH RESULT tag=101 err=0 nentries=1 text=
ldap            | 5df34001 conn=2107 op=10 SRCH base="ou=people,dc=tuleap,dc=local" scope=2 deref=3 filter="(&(objectClass=inetOrgPerson)(uid=test))"
ldap            | 5df34001 conn=2107 op=10 SEARCH RESULT tag=101 err=0 nentries=1 text=
ldap            | 5df34001 conn=2110 fd=26 ACCEPT from IP=172.19.0.1:47982 (IP=0.0.0.0:389)
ldap            | 5df34001 conn=2110 op=0 BIND dn="cn=test test,ou=people,dc=tuleap,dc=local" method=128
ldap            | 5df34001 conn=2110 op=0 BIND dn="cn=test test,ou=people,dc=tuleap,dc=local" mech=SIMPLE ssf=0
ldap            | 5df34001 conn=2110 op=0 RESULT tag=97 err=0 text=
ldap            | 5df34001 conn=2107 op=11 SRCH base="ou=people,dc=tuleap,dc=local" scope=2 deref=3 filter="(&(objectClass=inetOrgPerson)(uid=test))"
ldap            | 5df34001 conn=2107 op=11 SRCH attr=uid
ldap            | 5df34001 conn=2107 op=11 SEARCH RESULT tag=101 err=0 nentries=1 text=
ldap            | 5df34001 conn=2110 op=1 UNBIND
ldap            | 5df34001 conn=2110 fd=26 closed
ldap            | 5df34001 conn=2107 op=12 SRCH base="ou=groups,dc=tuleap,dc=local" scope=2 deref=3 filter="(&(objectClass=posixGroup)(|(cn=sonar-administrators)(cn=sonar-users))(memberUid=test))"
ldap            | 5df34001 conn=2107 op=12 SRCH attr=cn
ldap            | 5df34001 conn=2107 op=12 SEARCH RESULT tag=101 err=0 nentries=0 text=
```

This user works fine: it has the group cn=sonar-administrators and enters SonarQube as an administrator.

```ldif
# sonar-administrators, groups, tuleap.local
dn: cn=sonar-administrators,ou=groups,dc=tuleap,dc=local
objectClass: posixGroup
gidNumber: 10003
cn: sonar-administrators
memberUid: devops_admin

# DevOps Administrator, people, tuleap.local
dn: cn=DevOps Administrator,ou=people,dc=tuleap,dc=local
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
loginShell: /bin/bash
homeDirectory: /home/devops_admin
uid: devops_admin
cn: DevOps Administrator
uidNumber: 10000
sn: DevOps Administrator
givenName: DevOps Administrator
mail: devops_admin@prpm.org
userPassword:: xxx
gidNumber: 10003
```

```text
ldap            | 5df34024 conn=2107 op=13 SRCH base="ou=people,dc=tuleap,dc=local" scope=2 deref=3 filter="(&(objectClass=inetOrgPerson)(uid=devops_admin))"
ldap            | 5df34024 conn=2107 op=13 SRCH attr=mail cn
ldap            | 5df34024 conn=2107 op=13 SEARCH RESULT tag=101 err=0 nentries=1 text=
ldap            | 5df34024 conn=2107 op=14 SRCH base="ou=people,dc=tuleap,dc=local" scope=2 deref=3 filter="(&(objectClass=inetOrgPerson)(uid=devops_admin))"
ldap            | 5df34024 conn=2107 op=14 SEARCH RESULT tag=101 err=0 nentries=1 text=
ldap            | 5df34024 conn=2111 fd=26 ACCEPT from IP=172.19.0.1:48412 (IP=0.0.0.0:389)
ldap            | 5df34024 conn=2111 op=0 BIND dn="cn=DevOps Administrator,ou=people,dc=tuleap,dc=local" method=128
ldap            | 5df34024 conn=2111 op=0 BIND dn="cn=DevOps Administrator,ou=people,dc=tuleap,dc=local" mech=SIMPLE ssf=0
ldap            | 5df34024 conn=2111 op=0 RESULT tag=97 err=0 text=
ldap            | 5df34024 conn=2107 op=15 SRCH base="ou=people,dc=tuleap,dc=local" scope=2 deref=3 filter="(&(objectClass=inetOrgPerson)(uid=devops_admin))"
ldap            | 5df34024 conn=2107 op=15 SRCH attr=uid
ldap            | 5df34024 conn=2107 op=15 SEARCH RESULT tag=101 err=0 nentries=1 text=
ldap            | 5df34024 conn=2111 op=1 UNBIND
ldap            | 5df34024 conn=2111 fd=26 closed
ldap            | 5df34024 conn=2107 op=16 SRCH base="ou=groups,dc=tuleap,dc=local" scope=2 deref=3 filter="(&(objectClass=posixGroup)(|(cn=sonar-administrators)(cn=sonar-users))(memberUid=devops_admin))"
ldap            | 5df34024 conn=2107 op=16 SRCH attr=cn
ldap            | 5df34024 conn=2107 op=16 SEARCH RESULT tag=101 err=0 nentries=1 text=
```

The group setting is not a way to restrict whether a user can authenticate or not; it is the information that will be used to know to which groups the user belongs.

You need to play with the user setting in order to restrict user access to SonarQube.

Thanks for the reply.

Many other applications can filter by groups. It is a pity that SonarQube cannot.

You cannot filter on the user, because there is only one primary group, "gidNumber"; that is, it could only be filtered by that primary group.

Example of failure: a user is part of the sonar-administrators group, but that user does not have sonar-administrators as the primary group.

Therefore, we must filter by "memberUid" in the groups, which is where all the members of the group are. The group request does this and works (ldap.group.request).

"I think" the group filter does not work because it has already authenticated with the user beforehand, and that works well. It should authenticate with the user and then wait for the group filter; if both cases succeed, then you are allowed to enter.

Just to be clear: as explained in the documentation, the group mapping feature is only a way to synchronize groups from LDAP to SonarQube.
It was never designed to be used to prevent authentication.

What you’re asking for is a new feature.


@wicope @julienlancelot

A new feature is not required. You can restrict SonarQube access based on a specific LDAP/AD group membership by restricting the user filter in the ldap.user.request option:

```properties
ldap.user.request=(&(objectClass=user)(sAMAccountName={login})(memberOf=CN=ldap-group,OU=groups,DC=example,DC=com))
```

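The following is an added example, not SonarQube's code or anything posted in this thread. It models the two-step login flow visible in the OpenLDAP log above (user search, bind as the found DN, then the group search) against the thread's own LDIF entries, using a small RFC 4515 filter matcher. It reproduces both the SonarSource reply (the group search only feeds group mapping, so `test` logs in with no groups) and the last reply's fix (a membership clause in `ldap.user.request` makes the user search return nothing, so the bind never happens). Assumptions: the passwords are invented stand-ins for the masked `userPassword` values, and the `memberOf` value on devops_admin is hypothetical, since plain posixGroup/memberUid groups do not give users a `memberOf` attribute (Active Directory maintains one natively; OpenLDAP only does so with the memberof overlay on DN-valued `member` groups). `RESTRICTED_USER_REQUEST` is the last reply's filter rewritten for this directory's attribute names.

```python
"""Added example (not SonarQube's code): replay of the LDAP login flow from the
thread's log, with a minimal filter matcher over the thread's LDIF entries."""

USER_BASE = "ou=people,dc=tuleap,dc=local"
GROUP_BASE = "ou=groups,dc=tuleap,dc=local"

# Constructed directory, transcribed from the LDIF in the thread. Attribute names
# are lower-cased and every value is a list, as in LDAP. The memberOf value on
# devops_admin is an ASSUMPTION (only present if the directory maintains memberOf).
DIRECTORY = {
    "cn=test test,ou=people,dc=tuleap,dc=local": {
        "objectclass": ["posixAccount", "inetOrgPerson", "organizationalPerson", "person"],
        "uid": ["test"], "cn": ["test test"], "gidnumber": ["10002"], "mail": ["test@prpm.org"],
    },
    "cn=DevOps Administrator,ou=people,dc=tuleap,dc=local": {
        "objectclass": ["posixAccount", "inetOrgPerson", "organizationalPerson", "person"],
        "uid": ["devops_admin"], "cn": ["DevOps Administrator"], "gidnumber": ["10003"],
        "mail": ["devops_admin@prpm.org"],
        "memberof": ["cn=sonar-administrators,ou=groups,dc=tuleap,dc=local"],  # assumed
    },
    "cn=test,ou=groups,dc=tuleap,dc=local": {
        "objectclass": ["posixGroup"], "cn": ["test"], "gidnumber": ["10002"], "memberuid": ["test"],
    },
    "cn=sonar-administrators,ou=groups,dc=tuleap,dc=local": {
        "objectclass": ["posixGroup"], "cn": ["sonar-administrators"], "gidnumber": ["10003"],
        "memberuid": ["devops_admin"],
    },
}
# Constructed passwords standing in for the masked userPassword values.
PASSWORDS = {
    "cn=test test,ou=people,dc=tuleap,dc=local": "test-pw",
    "cn=DevOps Administrator,ou=people,dc=tuleap,dc=local": "admin-pw",
}

# The two requests from the original post.
USER_REQUEST = "(&(objectClass=inetOrgPerson)(uid={login}))"
GROUP_REQUEST = ("(&(objectClass=posixGroup)(|(cn=sonar-administrators)(cn=sonar-users))"
                 "(memberUid={uid}))")
# The last reply's idea, rewritten for this directory (assumes memberOf exists).
RESTRICTED_USER_REQUEST = ("(&(objectClass=inetOrgPerson)(uid={login})"
                           "(|(memberOf=cn=sonar-administrators,ou=groups,dc=tuleap,dc=local)"
                           "(memberOf=cn=sonar-users,ou=groups,dc=tuleap,dc=local)))")


def parse_filter(text):
    """Parse the RFC 4515 subset used here: (&...), (|...), (!...), (attr=value)."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            result = (op, children)
        else:
            end = text.index(")", pos)
            attr, _, value = text[pos:end].partition("=")  # split on the FIRST '='
            result = ("=", attr.strip().lower(), value.strip())
            pos = end
        if text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return result

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against one entry (case-insensitive equality)."""
    op = tree[0]
    if op == "=":
        _, attr, value = tree
        return any(v.lower() == value.lower() for v in entry.get(attr, []))
    if op == "&":
        return all(matches(child, entry) for child in tree[1])
    if op == "|":
        return any(matches(child, entry) for child in tree[1])
    return not matches(tree[1][0], entry)  # "!"


def search(base_dn, filter_text):
    """Subtree search (scope=2 in the log): DNs under base_dn matching the filter."""
    tree = parse_filter(filter_text)
    suffix = "," + base_dn.lower()
    return [dn for dn, entry in DIRECTORY.items()
            if dn.lower().endswith(suffix) and matches(tree, entry)]


def login(username, password, user_request=USER_REQUEST, group_request=GROUP_REQUEST):
    """User search -> bind as that DN -> group search, as in the OpenLDAP log.
    Only the first two steps decide success; the group result is just mapped."""
    found = search(USER_BASE, user_request.replace("{login}", username))
    if len(found) != 1:  # op=9/10: nentries must be 1 for the login to proceed
        return {"authenticated": False, "reason": "user search returned no entry", "groups": []}
    user_dn = found[0]
    if PASSWORDS.get(user_dn) != password:  # conn=2110 BIND
        return {"authenticated": False, "reason": "bind failed", "groups": []}
    uid = DIRECTORY[user_dn]["uid"][0]
    group_dns = search(GROUP_BASE, group_request.replace("{uid}", uid))  # op=12, never gates access
    return {"authenticated": True, "reason": "ok",
            "groups": [DIRECTORY[dn]["cn"][0] for dn in group_dns]}


if __name__ == "__main__":
    for user, pw in (("test", "test-pw"), ("devops_admin", "admin-pw")):
        print("posted config:   ", user, login(user, pw))
        print("memberOf in user:", user, login(user, pw, user_request=RESTRICTED_USER_REQUEST))
```

The practical check before relying on a restricted `ldap.user.request` is to run that exact filter with `ldapsearch`, bound as the configured `ldap.bindDn`, for a user who must be denied: if it returns an entry, the user will be able to log in, because nothing after the user search blocks the bind. With the posixGroup/memberUid layout in this thread that check cannot succeed, since no attribute on the user entry carries group membership; the filter only works once the directory exposes membership on the user (as AD's `memberOf` does).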