Synchronize group membership not working

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
  • what are you trying to achieve
  • what have you tried so far to achieve this

We are running version 8.9.7 Community Edition.
Our end goal is to use our LDAP groups to define who our administrators are in SonarQube. We want to remove the manual process of going into SonarQube to define (add or remove) administrative users.

I found this documentation - Delegating Authentication | SonarQube Docs but it doesn’t seem to explain how to set this up.

I then found this community page LDAP Group Mapping setup - SonarQube - Sonar Community (sonarsource.com) and tweaked my ldap settings, but I still do not get any results.

My setup:

  • I create a group in SonarQube called SQ Admins.
  • In my LDAP I have a group called SQ Admins with about 10 users in it, including my account.
  • My LDAP group settings:

Group Configuration

ldap.group.baseDn=ou=production group,ou=mydepartment,dc=aaa,dc=bbb,dc=ccc
ldap.group.request=(&(objectclass=groupOfNames)(member={dn}))
ldap.group.idAttribute=cn

After restarting SQ and looking at the group I still see 0 members.

I am not seeing anything in the logs related to this issue.

Hi,

Welcome to the community!

Is there anything interesting in your server logs when you log in?

Ann

Ann,

I am not seeing anything in the logs. I stopped SonarQube, cleaned up all logs, started SonarQube and then logged in. I see no mention of even trying to read LDAP groups. Not sure if there is a specific logging level to enable or not, but I am getting nothing.

Hi,

What does your web.log show when you log in with LDAP?

Ann

Hi,

I just see some basic LDAP information: (redacted key information)

2022.10.24 15:27:21 INFO  web[][org.sonar.INFO] Security realm: LDAP
2022.10.24 15:27:21 INFO  web[][o.s.a.l.LdapSettingsManager] User mapping: LdapUserMapping{my user mapping}
2022.10.24 15:27:21 INFO  web[][o.s.a.l.LdapSettingsManager] Group mapping: LdapGroupMapping{my group mapping}
2022.10.24 15:27:21 INFO  web[][o.s.a.l.LdapContextFactory] Test LDAP connection on ldaps://myldaphost:ldapport: OK

I do not see any logs related to my specific user or groups that I’m in.

Hi,

Can you - temporarily - bump your server logging up to DEBUG and log in again?

Ann

Ann,

I bumped all log levels to DEBUG, restarted the application and logged in. I do not see anything related to the LDAP groups.

Is there something specific I should be looking for? I am not seeing any errors but also no processing of groups.

Tom

Hi Tom,

Once you put your logging at DEBUG level, you should see in web.log something like this:

2019.08.14 17:13:00 DEBUG web[AWwLkym9Roi/vbL+Aral][o.s.s.a.UserIdentityAuthenticator] List of groups returned by the identity provider '[Group1, Group2]'
2019.08.14 17:13:00 DEBUG web[AWwLkym9Roi/vbL+Aral][auth.event] login success [method|BASIC][provider|REALM|LDAP][IP|10.248.82.143|][login|username]

If you don’t see the groups you expect in that logging, then it’s a question of your LDAP configuration.

There is no specific SonarQube logic here, or any of the values supplied for LDAP integration – the values of ldap.group.baseDn and ldap.group.request are simply transferred over to a Java implementation of ldapsearch. It should, in fact, be possible for you to plug your LDAP configuration values into ldapsearch and see if the results are as expected (that your configuration would return InfoDir-XACT-SonarQube-View for the user in question).

The fact that you’re not seeing any group-related logging makes me wonder if your configuration is set correctly and in the right place. When you restarted SonarQube after setting the group configuration, did you do it via the UI, or commandline? A UI restart isn’t a ‘full’ restart. You need to fully shut SonarQube down from the commandline to have the properties re-read.

HTH,
Ann
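Ann's suggestion of replaying the configured group lookup with ldapsearch, as an added example that is not part of the thread or of SonarQube itself: it substitutes {dn} and {uid} in ldap.group.request the way the plugin does, prints the equivalent ldapsearch command, and lists the ldap.group.idAttribute values a real answer must contain for "SQ Admins" to match. The bind DN, the ldaps port, the user DN and the sample LDIF are assumed placeholders; only the ldap.group.* values come from the post.

```shell
#!/bin/sh
# Added example, not from the thread or from SonarQube: replay the group
# lookup SonarQube performs after a successful LDAP login. Group settings are
# the poster's; port, BIND_DN, user DN and SAMPLE_LDIF are constructed.
LDAP_URL="ldaps://myldaphost:636"
BIND_DN="cn=sonar-svc,ou=service accounts,dc=aaa,dc=bbb,dc=ccc"
GROUP_BASE_DN="ou=production group,ou=mydepartment,dc=aaa,dc=bbb,dc=ccc"
GROUP_REQUEST='(&(objectclass=groupOfNames)(member={dn}))'
GROUP_ID_ATTR="cn"

# SonarQube substitutes the authenticated user's DN for {dn} and the login
# for {uid} in ldap.group.request before sending it as the search filter.
render_group_filter() {
  # $1 = filter template, $2 = user DN, $3 = login
  TPL="$1" USER_DN="$2" LOGIN="$3" awk 'BEGIN {
    t = ENVIRON["TPL"]
    while ((i = index(t, "{dn}")) > 0)
      t = substr(t, 1, i - 1) ENVIRON["USER_DN"] substr(t, i + 4)
    while ((i = index(t, "{uid}")) > 0)
      t = substr(t, 1, i - 1) ENVIRON["LOGIN"] substr(t, i + 5)
    print t
  }'
}

# Pull the idAttribute values out of ldapsearch's LDIF (stdin): these are the
# names SonarQube matches against its own groups, so "SQ Admins" must appear.
group_names_from_ldif() {
  awk -v attr="$1" 'BEGIN { key = tolower(attr) ":" }
    tolower($1) == key { sub(/^[^:]*: */, ""); print }'
}

# Print the equivalent ldapsearch command for one user; execute it only when
# RUN_LDAP=1, since that needs the ldap-utils client and network access.
lookup_groups_for_user() {
  filter=$(render_group_filter "$GROUP_REQUEST" "$1" "$2")
  echo "ldapsearch -x -LLL -H '$LDAP_URL' -D '$BIND_DN' -W" \
       "-b '$GROUP_BASE_DN' '$filter' $GROUP_ID_ATTR"
  [ "${RUN_LDAP:-0}" = 1 ] || return 0
  ldapsearch -x -LLL -H "$LDAP_URL" -D "$BIND_DN" -W \
    -b "$GROUP_BASE_DN" "$filter" "$GROUP_ID_ATTR" | group_names_from_ldif "$GROUP_ID_ATTR"
}

# Constructed LDIF standing in for a real answer to the query above.
SAMPLE_LDIF='dn: cn=SQ Admins,ou=production group,ou=mydepartment,dc=aaa,dc=bbb,dc=ccc
cn: SQ Admins

dn: cn=Developers,ou=production group,ou=mydepartment,dc=aaa,dc=bbb,dc=ccc
cn: Developers'

lookup_groups_for_user "uid=tom,ou=people,dc=aaa,dc=bbb,dc=ccc" tom
printf '%s\n' "$SAMPLE_LDIF" | group_names_from_ldif "$GROUP_ID_ATTR"
```

If the printed command returns no entries for a DN that is a member, the filter, base DN or the member attribute's DN format is what needs fixing, not SonarQube.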

Ann,

Thanks for the help. We still do not have this working and have been working on the ldapsearch for some time. We finally dug a bit deeper and found out that after we start SonarQube and log in, there are no ldapsearch calls made to our LDAP server. This was confirmed by our LDAP administrator. The only call made was a bind, and then the connection was closed, which we do see in the SonarQube logs.

One thought I had is that we do use SSO for our user authentication. I need to dig into the documentation but do you know if using SSO negates the group mapping feature?

Hi,

I’m confused. Users are authenticated with SSO? Then where is LDAP supposed to come in?

Group synchronization happens with LDAP because when the user authenticates, a list of groups is sent back from LDAP. If users aren’t authenticating with LDAP, then LDAP is never going to send that list back.

LDAP integration isn’t simply a “look up extra user data” service. It’s authentication first and the rest is gravy.

 
HTH,
Ann