Hello everyone,
I’ve deployed SonarQube with a helm chart inside an on-prem K8S cluster, and so far I’ve been specifying every sonar property under the `sonarProperties` list inside the Helm chart. But now I’m trying to integrate LDAP authentication, and I would like to specify the `bindDN` and `bindPassword` arguments inside a secret that I will pass on to the `sonarSecretProperties` argument.
The way I went about this is I created a file called `secret.properties` with the two key-value pairs:

```
ldap.bindDN=my-bind-dn
ldap.bindPassword=my-password
```

After that I ran the command: `k create secret generic sonar-binddn --from-file=secret.properties -n sonarqube`

Then I specified the secret in my helm chart like so:
```yaml
sonarProperties:
  sonar.log.level: DEBUG
  ldap.StartTLS: false
  # Start of LDAP Configuration
  sonar.security.realm: LDAP
  ldap.url: ldaps://mycompany.com
  # The LDAP Bind credentials
  # ldap.bindDn: -> provided via the secret specified in the sonarSecretProperties
  # ldap.bindPassword -> provided via the secret specified in the sonarSecretProperties
  # User Configuration
  ldap.user.baseDn: <ou with all my users>
  ldap.user.request: (&(objectClass=user)(sAMAccountName={login}))
  ldap.user.realNameAttribute: cn
  ldap.user.emailAttribute: mail
  # Group Sync Configuration
  ldap.group.baseDn: <ou in which my synched groups are>
  ldap.group.request: (&(objectClass=group)(member={dn}))
  ldap.group.idAttribute: sAMAccountName
# Additional sonar properties to load from a secret with a key "secret.properties" (must be a string)
sonarSecretProperties: sonar-binddn
```
When I deploy the helm chart with the updated `values.yaml` file everything starts correctly, but I can’t log in using accounts from the LDAP server. I logged into the pod to see if everything is fine in the `opt/sonarqube/conf/sonar.properties` file, and I see the `ldap.bindDn` and `ldap.bindPassword` properties at the bottom of the file:
```
*** Every other sonar property that I hardcoded via the sonarProperties list ***
ldap.bindDN=my-bind-dn
ldap.bindPassword=my-password
```
When I try to hardcode the bind user and password in the chart via the commented-out lines from the `values.yaml` file that I provided above, I can authenticate with no problems using domain accounts, but when I transfer these two arguments to the secret `sonar-binddn`, the authentication fails.
I also reviewed the logs when SonarQube starts, and I see a successful connection to my LDAP server:

```
INFO web[][o.s.a.l.LdapContextFactory] Test LDAP connection on ldaps://mycompany.com: OK
```
These are the errors I see after an unsuccessful login when the `bindDn` and `bindPassword` arguments are stored inside the kubernetes secret:

```
DEBUG web[87387c20-35dd-4c66-bb98-2b90653b6eed][o.s.a.l.LdapContextFactory] Initializing LDAP context {java.naming.referral=follow, com.sun.jndi.ldap.connect.pool=true, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.provider.url=ldaps://mycompany.com, java.naming.security.authentication=simple}
DEBUG web[87387c20-35dd-4c66-bb98-2b90653b6eed][o.s.a.l.DefaultLdapAuthenticator] User <my-user> not found in server <default>: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C09091F, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580]; remaining name <my-user-ou>
DEBUG web[87387c20-35dd-4c66-bb98-2b90653b6eed][o.s.a.l.DefaultLdapAuthenticator] User <my-user> not found
DEBUG web[87387c20-35dd-4c66-bb98-2b90653b6eed][auth.event] login failure [cause|Realm returned authenticate=false][method|FORM][provider|REALM|ldap][IP|<IP-1>|<IP-2>][login|<my-user>]
```
I’m wondering, is there something that I’m missing in this configuration?
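A small check, added here and not part of the post above, that parses a `secret.properties` file the way SonarQube's Java properties loader would and compares each key, case-sensitively, against the LDAP property names used in the post's `values.yaml`; the sample file content is constructed to mirror the post, and the key set is only the one the post itself uses.

```python
# Property names exactly as spelled in the post's values.yaml; SonarQube
# matches them case-sensitively, so ldap.bindDN is not ldap.bindDn.
KNOWN_LDAP_KEYS = {
    "ldap.url", "ldap.StartTLS", "ldap.bindDn", "ldap.bindPassword",
    "ldap.user.baseDn", "ldap.user.request", "ldap.user.realNameAttribute",
    "ldap.user.emailAttribute", "ldap.group.baseDn", "ldap.group.request",
    "ldap.group.idAttribute", "sonar.security.realm",
}

# Constructed sample secret.properties, mirroring the one in the post.
SAMPLE_SECRET = """\
# bind credentials, mounted via sonarSecretProperties
ldap.bindDN=my-bind-dn
ldap.bindPassword=my-password
"""


def parse_properties(text):
    """Parse a Java .properties body: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Split at the first '=' or ':' so the value may contain either one.
        idx = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if idx >= 0:
            props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


def check_keys(props, known=KNOWN_LDAP_KEYS):
    """Return (key, suggestion) for each key not in `known`.

    The suggestion is the known name that matches ignoring case. That is the
    silent failure mode: the file loads fine, the LDAP realm never receives
    the bind credentials, and the user search runs without a bind, which is
    what the "a successful bind must be completed" error in the log reports.
    """
    by_lower = {k.lower(): k for k in known}
    return [(k, by_lower.get(k.lower())) for k in props if k not in known]


if __name__ == "__main__":
    for key, fix in check_keys(parse_properties(SAMPLE_SECRET)):
        print(f"{key}: {'did you mean ' + fix if fix else 'unknown key'}")
```

Running it against a file extracted from the secret (for example `kubectl get secret sonar-binddn -n sonarqube -o jsonpath='{.data.secret\.properties}' | base64 -d`) reports any key that differs from the chart's spelling only by case.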