Restrict login access to Sonarqube based on LDAP Group

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    Version 10.1 (build 73491)
  • how is SonarQube deployed: zip, Docker, Helm
    zip
  • what are you trying to achieve
    LDAP is set up. Anyone in LDAP can log in to the SQ Server (security concern). I need to limit login to one or two groups in LDAP only.
    I need to limit access to “sq-group” only.
  • what have you tried so far to achieve this
    I followed “Restrict access to Sonarqube based on LDAP Group Membership?”.
    Is there a syntax error in the config? (I got “Authentication failed”.)

Anyone in LDAP can log in with this:

```
# LDAP configuration
sonar.security.realm=LDAP
ldap.url=ldap://xxx.adcorp.company.com
ldap.bindDn=CN=loginaccount,CN=Users,DC=adcorp,DC=company,DC=com
ldap.bindPassword=secret

# User Configuration
ldap.user.baseDn=DC=adcorp,DC=company,DC=com
ldap.user.request=(&(objectClass=user)(sAMAccountName={login}))
ldap.user.realNameAttribute=cn
ldap.user.emailAttribute=mail

# Group Configuration
ldap.group.baseDn=CN=Users,DC=adcorp,DC=company,DC=com
ldap.group.idAttribute=cn
ldap.group.request=(&(objectClass=group)(memberUid={uid}))
```

When I change to:

```
ldap.user.request=(&(objectClass=user)(sAMAccountName={login})(memberOf=CN=sq-group,OU=groups,DC=adcorp,DC=company,DC=com))
```

Authentication failed

sq-group is a Global group in domain.

Hey there.

You’re on the right path configuring ldap.user.request.

And, I think it will be hard for somebody to help who doesn’t intimately understand your AD setup. Here’s a few tips:

  • This page (LDAP Filter Syntax) is quite helpful in understanding LDAP queries
  • SonarQube’s LDAP integration is just a Java wrapper around ldapsearch, which is useful for trying out LDAP queries.
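
Added example, not part of the thread and not SonarQube's code: a small offline evaluator for the two `ldap.user.request` filters from the question, run against constructed directory entries. It checks that the filter's parentheses balance and shows that the `memberOf` clause matches only when an entry lists exactly the group DN written in the filter; the sample entries and the helper names (`user`, `parse_filter`, `matches`, `who_can_login`) are assumptions.

```python
# Added example. Handles only the subset used in ldap.user.request: & | ! and equality.
BASE = "DC=adcorp,DC=company,DC=com"
OPEN = "(&(objectClass=user)(sAMAccountName={login}))"
RESTRICTED = ("(&(objectClass=user)(sAMAccountName={login})"
              "(memberOf=CN=sq-group,OU=groups," + BASE + "))")

def user(login, *groups):  # builds a constructed sample entry (not real AD data)
    return {"objectclass": ["user"], "samaccountname": [login], "memberof": list(groups)}
ENTRIES = [user("alice", "CN=sq-group,OU=groups," + BASE),
           user("bob", "CN=sq-group,CN=Users," + BASE),  # same CN, other container
           user("carol")]                                 # no membership listed

def _parse(f, i):
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i] in "&|!":
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            kid, i = _parse(f, i)
            kids.append(kid)
        if f[i] != ")" or not kids:
            raise ValueError(f"bad '{op}' group near offset {i}")
        return (op, kids), i + 1
    end = f.index(")", i)  # str.index raises ValueError if ')' is missing
    attr, eq, value = f[i:end].partition("=")
    if not eq or not attr or "(" in value:
        raise ValueError(f"bad comparison near offset {i}")
    return ("=", attr.lower(), value.lower()), end + 1

def parse_filter(text):
    try:
        node, end = _parse(text, 0)
    except IndexError:
        raise ValueError("filter ends before its parentheses are closed") from None
    if end != len(text):
        raise ValueError(f"unexpected text at offset {end}")
    return node

def matches(node, entry):
    if node[0] == "=":  # case-insensitive match on the whole value, e.g. the full group DN
        return node[2] in (v.lower() for v in entry.get(node[1], []))
    results = [matches(kid, entry) for kid in node[1]]
    return {"&": all, "|": any, "!": lambda r: not r[0]}[node[0]](results)

def who_can_login(template, entries=ENTRIES):
    logins = [e["samaccountname"][0] for e in entries]
    return [n for n, e in zip(logins, entries)
            if matches(parse_filter(template.replace("{login}", n)), e)]
```

With the constructed entries, `who_can_login(OPEN)` returns all three logins and `who_can_login(RESTRICTED)` returns only `alice`; `bob` is excluded because his group DN sits in a different container from the one named in the filter.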