SonarQube group and LDAP group sync

  • I am using SonarQube version 8.9.7.

  • I am trying to do authentication using LDAP. We have 2 groups in LDAP: one group is admin and another one is normal user.

sonar.security.realm = LDAP

# Set to true when connecting to a LDAP server using a case-insensitive setup.
 sonar.authenticator.downcase=true

# URL of the LDAP server. Note that if you are using ldaps, then you should install the server certificate into the Java truststore.
 ldap.url=ldap://<IP address>

# Bind DN is the username of an LDAP user to connect (or bind) with. Leave this blank for anonymous access to the LDAP directory (optional)
 ldap.bindDn=CN=BInd username ,CN=Users,DC=company name,DC=in
# Bind Password is the password of the user to connect with. Leave this blank for anonymous access to the LDAP directory (optional)
ldap.bindPassword = BindPassword

# Possible values: simple | CRAM-MD5 | DIGEST-MD5 | GSSAPI See http://java.sun.com/products/jndi/tutorial/ldap/security/auth.html (default: simp$
 ldap.authentication=simple

The above is for the bind; this is working fine.

ldap.user.baseDn=cn=Users,dc=CompanyName,dc=in

ldap.user.request=(&(objectClass=user)(sAMAccountName={login})(|(memberOf=cn=Sonarusers,cn=Users,dc=companyName,dc=in)(memberOf=cn=SonarAdmin,cn=Users,dc=companyName,dc=in)))
 ldap.user.realNameAttribute=cn
 ldap.user.emailAttribute=mail

User access is also working fine, giving access only to those groups.

ldap.group.baseDn=CN=Users,DC=companyName,DC=in

 ldap.group.request=(&(objectClass=posixGroup)(member={uid}))

# Property used to specify the attribute to be used for returning the list of user groups in the compatibility mode. (default: cn)
ldap.group.idAttribute=sAMAccountName

This is group access.

For this I am not able to configure things.

I have 2 groups in LDAP, sonarUsers and sonarAdmin, and created the same groups in SonarQube and gave
permission to sonarAdmin.

Please help me to sync the groups.

Thanks in advance

Hey there.

You can see if Group Mapping is working correctly (SonarQube can find the groups a user belongs to in AD) by turning on DEBUG level logs (Global Administration > System > Log Level), initiating a login by an externally authenticated user and checking your web.log file.

2020.09.23 00:37:52 DEBUG web[AXS3YT9O4P5KvVE3AApT][o.s.s.a.UserRegistrarImpl] List of groups returned by the identity provider ‘[G_Group1, G_Group2]’

You’ll need to adjust your ldap.group.* settings until the proper list of groups is returned.

Hi Colin

Thanks for your reply.

I tried debug level and I got

[o.s.s.a.UserRegistrarImpl] List of groups returned by the identity provider '[]'

How can I get groups?

Hey there.

This is telling you that the inputs supplied for your ldap.group.* configuration aren’t returning any groups.

The ldap.group.baseDn, ldap.group.request, and ldap.group.idAttribute configured will need to capture all groups where you want membership synced in SonarQube.

Please note that there is no specific SonarQube logic here, or any of the values supplied for LDAP integration – the values of ldap.group.baseDn and ldap.group.request are simply transferred over to a Java implementation of ldapsearch. It should, in fact, be possible for you yourself to plug your LDAP configuration values into ldapsearch and see if the results are as expected.

These values will be highly specific to your LDAP configuration, so I won’t be able to help you much in configuring those values.
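An added example, not part of the original posts and not SonarQube code: an offline stand-in for the ldapsearch check described above, evaluating a ldap.group.request filter against constructed directory entries to show how an objectClass the directory does not use yields the empty '[]' list. The entries, the `example` base DN, the function names, the second filter in the test and the plain string replacement of `{uid}`/`{dn}` are all assumptions for illustration.

```python
import re

# Constructed AD-style sample entries (not from the thread).
BASE = "CN=Users,DC=example,DC=in"
DIRECTORY = [
    {"objectClass": ["top", "group"], "sAMAccountName": ["sonarUsers"],
     "member": [f"CN=jdoe,{BASE}"]},
    {"objectClass": ["top", "group"], "sAMAccountName": ["sonarAdmin"],
     "member": [f"CN=root,{BASE}"]},
    {"objectClass": ["top", "user"], "sAMAccountName": ["jdoe"], "uid": ["jdoe"]},
]
USER = {"login": "jdoe", "uid": "jdoe", "dn": f"CN=jdoe,{BASE}"}  # constructed

def parse(flt, i=0):
    """Parse the filter at flt[i]; return (node, next index).
    Handles &, |, ! and equality only (no substrings, no escapes)."""
    if flt[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if flt[i:i + 1] in ("&", "|", "!"):
        op, kids, i = flt[i], [], i + 1
        while flt[i:i + 1] == "(":
            kid, i = parse(flt, i)
            kids.append(kid)
        if flt[i:i + 1] != ")" or not kids:
            raise ValueError(f"malformed '{op}' clause near offset {i}")
        return (op, kids), i + 1
    end = flt.index(")", i)  # raises ValueError if the clause is unclosed
    attr, _, value = flt[i:end].partition("=")
    return ("=", attr.strip().lower(), value.strip().lower()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry, case-insensitively."""
    if node[0] == "=":
        values = next((v for k, v in entry.items() if k.lower() == node[1]), [])
        return any(v.lower() == node[2] for v in values)
    results = [matches(kid, entry) for kid in node[1]]
    return {"&": all(results), "|": any(results), "!": not results[0]}[node[0]]

def find_groups(request, id_attribute, user=USER):
    """Fill {login}/{uid}/{dn} by plain string replacement (an assumption about
    how the placeholders behave) and return id_attribute of each match."""
    flt = re.sub(r"\{(\w+)\}", lambda m: user[m.group(1)], request)
    tree, end = parse(flt)
    if end != len(flt):
        raise ValueError("trailing characters after filter")
    return [e[id_attribute][0] for e in DIRECTORY
            if id_attribute in e and matches(tree, e)]
```

Against these sample entries the posted filter `(&(objectClass=posixGroup)(member={uid}))` returns an empty list, while a filter written for the constructed layout returns the user's group.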

I found the solution.
The problem was with the filter.
The objectClass was wrong.
