Restricting login to users from a specific LDAP/AD group

This is expected behaviour. With the LDAP Plugin SonarQube fully delegates authentication to your LDAP/AD server. If you wish authentication to be denied based on group membership then you need to check with your AD owners how that could be achieved (knowing that all you’re configuring on your side is the set of baseDn and request).

Another (maybe simpler) approach would be to leverage permissions to lock out any access to sensitive data: basically adjust permissions so that any user belonging only to the sonar-users group would effectively have no permission at all over existing projects.

While using LDAP/AD authentication, we managed to restrict SonarQube access to a specific LDAP/AD group by restricting the user-filter option on the ldap.user.request:

ldap.user.request=(&(objectClass=user)(sAMAccountName={login})(memberOf=CN=ldap-sonar-users,OU=groups,DC=example,DC=com))

More on LDAP filters you can find here.

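How the extra memberOf clause in the filter above narrows the user lookup, as an added example that is not part of the original posts and is not SonarQube's code: a small Python model that substitutes {login} into the filter and evaluates it against constructed directory entries. The UNRESTRICTED filter, the sample users and all function names are assumptions made for the illustration.

```python
import re

GROUP_DN = "CN=ldap-sonar-users,OU=groups,DC=example,DC=com"
# ldap.user.request from the post above.
RESTRICTED = "(&(objectClass=user)(sAMAccountName={login})(memberOf=" + GROUP_DN + "))"
# Assumption for comparison: the same filter without the memberOf clause.
UNRESTRICTED = "(&(objectClass=user)(sAMAccountName={login}))"

# Constructed sample entries (attribute names lower-cased), not real directory data.
DIRECTORY = [
    {"objectclass": ["person", "user"], "samaccountname": ["alice"], "memberof": [GROUP_DN]},
    {"objectclass": ["person", "user"], "samaccountname": ["bob"],
     "memberof": ["CN=staff,OU=groups,DC=example,DC=com"]},
    {"objectclass": ["person", "user"], "samaccountname": ["carol"]},  # in no group
]

def escape_filter_value(value):
    """Escape RFC 4515 special characters so the login stays a literal value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def unescape(value):
    """Turn \\XX escapes back into the characters they stand for."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_and_filter(flt):
    """Parse a flat (&(attr=value)...) filter into (attr, value) pairs."""
    m = re.fullmatch(r"\(&((?:\([^()=]+=[^()]*\))+)\)", flt)
    if not m:
        raise ValueError("only flat AND-of-equality filters are modelled")
    pairs = re.findall(r"\(([^()=]+)=([^()]*)\)", m.group(1))
    return [(attr.lower(), unescape(val)) for attr, val in pairs]

def matches(entry, flt):
    """Every assertion must equal some value of its attribute, ignoring case."""
    return all(any(v.lower() == want.lower() for v in entry.get(attr, []))
               for attr, want in parse_and_filter(flt))

def find_user(template, login, directory=DIRECTORY):
    """Return the logins the filter selects; an empty list means no entry was found."""
    flt = template.replace("{login}", escape_filter_value(login))
    return [e["samaccountname"][0] for e in directory if matches(e, flt)]

if __name__ == "__main__":
    for login in ("alice", "bob", "carol"):
        print(login, find_user(UNRESTRICTED, login), find_user(RESTRICTED, login))
```

In Active Directory the memberOf attribute lists direct group memberships only, so a user who belongs to the group only through a nested group would not match this filter.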

Thank you! That worked.