SonarQube not switching quickly to second LDAP server

Hi all,

I am using two LDAP servers (xxxx.xxxx.xxxx.x / yyyy.yyyy.yyyy.y), and currently, xxxx.xxxx.xxxx.x is linked to SonarQube and running.
I am trying to improve the setup so that if xxxx.xxxx.xxxx.x goes down, LDAP authentication will be performed through yyyy.yyyy.yyyy.y.
Both xxxx.xxxx.xxxx.x and yyyy.yyyy.yyyy.y contain the same AD information.

After adding the above configuration to <SONARQUBE_HOME>/conf/sonar.properties, I started SonarQube, and both servers showed ‘test OK’ in the SonarQube logs.

...
ldap.servers=default,sub
ldap.default.url=ldap://xxxx.xxxx.xxxx.x
...
ldap.sub.url=ldap://yyyy.yyyy.yyyy.y
...
2024.10.03 15:xx:xx INFO web[][o.s.a.l.LdapContextFactory] Test LDAP connection on ldap://xxxx.xxxx.xxxx.x: OK
2024.10.03 15:xx:xx INFO web[][o.s.a.l.LdapContextFactory] Test LDAP connection on ldap://yyyy.yyyy.yyyy.y: OK

After that, I tested whether it would switch to yyyy.yyyy.yyyy.y and perform authentication by cutting off communication between the Container running SonarQube and xxxx.xxxx.xxxx.x.
However, it took more than 10 minutes for the authentication to fail on xxxx.xxxx.xxxx.x, and during that time, the Web UI displayed a 504 error.
It seems that the LDAP authentication is proceeding in the background, as it eventually results in a ‘login success’.

2024.10.03 15:20:16 DEBUG web[<hidden>][o.s.a.l.LdapContextFactory] Initializing LDAP context {java.naming.referral=follow, java.naming.security.principal=CN=****,OU=****,OU=****,DC=****,DC=****, com.sun.jndi.ldap.connect.pool=true, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.provider.url=ldap://xxxx.xxxx.xxxx.x, java.naming.security.authentication=simple}
2024.10.03 15:33:30 DEBUG web[<hidden>][o.s.a.l.DefaultLdapAuthenticator] User u12345 not found in server <default>: javax.naming.NamingException: LDAP connection has been closed; remaining name 'OU=****,OU=****,DC=****,DC=****'
2024.10.03 15:33:30 DEBUG web[<hidden>][o.s.a.l.LdapSearch] Search: LdapSearch{baseDn=OU=****,OU=****,DC=****,DC=****, scope=subtree, request=(&(objectClass=user)(sAMAccountName={0})), parameters=[u12345], attributes=null}
2024.10.03 15:33:16 DEBUG web[<hidden>][o.s.a.l.LdapContextFactory] Initializing LDAP context {java.naming.referral=follow, java.naming.security.principal=CN=****,OU=****,OU=****,DC=****,DC=****, com.sun.jndi.ldap.connect.pool=true, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.provider.url=ldap://yyyy.yyyy.yyyy.y, java.naming.security.authentication=simple}
++++++++++
2024.10.03 15:33:16 DEBUG web[<hidden>][auth.event] login success[method|BASIC][provider|REALM|ldap][IP|****.****.****.****|****.****.****.****, ****.****.****.****][login|u12345] 

Is it possible to change the timeout duration for LDAP authentication failure within SonarQube?

(Additional note:

  • Due to project circumstances, I am unable to transfer the logs, so I am picking out only the necessary logs.
  • Since the LDAP is managed by a different organization, I am unable to make any changes to the LDAP server settings.
  • This post is translated by deepl.)

sonarqube version

versions: sonarqube 9.9.0 community
SonarQube deployed: Docker compose

Hey there.

Check this thread:

Hello. Thank you for your prompt reply.

I have already checked this thread and I understand that SonarQube is not designed to connect to multiple LDAP servers in a failover model.

I understand that using a reverse proxy, as mentioned in this post, can solve the problem.
Do you have any documentation that you could share that would be helpful?

I have no specific advice. Googling “2 LDAP servers behind proxy” has some promising results.

https://www.reddit.com/r/PFSENSE/comments/nfsayn/how_to_set_multiple_ldap_servers_on_ha_proxy/

Thank you for your reply.
I’ll take a look at these posts for reference.

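
A sketch of the reverse-proxy approach mentioned in the thread, added here as an example and not taken from any of the posts or from SonarQube's documentation: HAProxy in TCP mode health-checks both directory servers and routes to the second only while the first is marked down, so a login never waits on a dead connection. The bind port, timeouts, check intervals and server labels are assumptions; the addresses are the masked ones from the original post.

```haproxy
# haproxy.cfg (example values; adjust to your environment)
defaults
    mode tcp
    timeout connect 3s       # give up on an unreachable server after 3 s
    timeout client  1m
    timeout server  1m

frontend ldap_in
    bind *:389               # SonarQube connects here instead of to AD directly
    default_backend ldap_ad

backend ldap_ad
    # Health check: LDAPv3 anonymous bind. If the directory refuses
    # anonymous binds, remove this line to fall back to a plain TCP
    # connect check (the "check" keyword on each server line).
    option ldap-check
    # Probe every 5 s; 2 failed probes mark a server down, 2 good probes bring it back.
    server ad_primary   xxxx.xxxx.xxxx.x:389 check inter 5s fall 2 rise 2
    # "backup": receives traffic only while ad_primary is marked down.
    server ad_secondary yyyy.yyyy.yyyy.y:389 check inter 5s fall 2 rise 2 backup

# sonar.properties then lists a single server that points at the proxy
# (<proxy-host> is a placeholder):
#   ldap.servers=default
#   ldap.default.url=ldap://<proxy-host>:389
```

The proxy passes the bind through unchanged, so with plain ldap:// as in the original post the simple-bind credentials cross both hops unencrypted.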