Unable to set quality of protection on LDAP DIGEST-MD5

Hi!

For the last couple of months, ldap has stopped working for us. If we have ldap enabled, it failes with javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C09027F, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839 ]

Our previously ldap configuration that was working:

sonar.security.realm=LDAP
ldap.url=ldap://domain:389/
ldap.bindDn=CN=User A,OU=UserA,OU=41-ServiceAccounts,OU=A-Users,OU=Org,DC=utvikling,DC=local
ldap.bindPassword=***
ldap.user.baseDn=OU=A-Users,OU=Org,DC=utvikling,DC=local
ldap.user.request=(&(objectclass=user)(samaccountname={login}))

I suspect that this started to fail because of changes in ldap policies in my organisation. I tried to upgrade to ldaps, but this is currently not supported in our domain.
I then tried to change authentication to DIGEST-MD5, but no luck and the same error occured.

After reading some more about DIGEST-MD5 (https://docs.oracle.com/javase/jndi/tutorial/ldap/security/digest.html), i noticed that you should be able to set integrity protection on the authentication (javax.security.sasl.qop). I could not find any property in the SonarQube config to set the integrity protection, but I was able to try it out in Apache Directory Studio (with the same setup as in SonarQube). When I changed to “Authentication with integrity protection” in ADS the authentication worked!

My question: Is it possible to set this property in the SonarQube ldap configuration? And if not, is it possible to include this configuration in the future?

By my understanding of Java, I would like to set the Sasl.QOP property to “auth-int”

My current config now looks like this:

#sonar.security.realm=LDAP (disabled for now)
ldap.bindDn=UsernameA
ldap.bindPassword=****
ldap.user.baseDn=OU=A-Users,OU=Org,DC=utvikling,DC=local
ldap.user.request=(&(objectclass=user)(samaccountname={login}))
ldap.authentication=DIGEST-MD5
ldap.realm=utvikling
#would like to set ldap.sasl.op = auth-int

SonarQube Version: 8.3.1.34397

Thanks
Christian

I have tried to set integrity protection with
sonar.web.javaAdditionalOpts=-Djavax.security.sasl.qop=auth-int -Djavax.security.sasl.strength=medium, but with no luck.

With the DEBUG log, I get this:

2020.11.13 16:10:46 DEBUG web[][o.s.a.l.LdapContextFactory] Initializing LDAP context {java.naming.referral=follow, java.naming.security.principal=UserName, com.sun.jndi.ldap.connect.pool=true, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.provider.url=ldap://domain:389, java.naming.security.authentication=DIGEST-MD5}
2020.11.13 16:10:46 DEBUG web[][javax.security.sasl] SASLIMPL01:Preferred qop property: null
2020.11.13 16:10:46 DEBUG web[][javax.security.sasl] SASLIMPL02:Preferred qop mask: 1
2020.11.13 16:10:46 DEBUG web[][javax.security.sasl] SASLIMPL03:Preferred qops : 1 
2020.11.13 16:10:46 DEBUG web[][javax.security.sasl] SASLIMPL04:Preferred strength property: null
2020.11.13 16:10:46 DEBUG web[][javax.security.sasl] SASLIMPL05:Cipher strengths: 4 2 1 
2020.11.13 16:10:46 DEBUG web[][javax.security.sasl] DIGEST60:Explicitly specified cipher: null
2020.11.13 16:10:46 DEBUG web[][javax.security.sasl] DIGEST11:Directive qop = auth,auth-int,auth-conf
2020.11.13 16:10:46 DEBUG web[][javax.security.sasl] DIGEST11:Directive cipher = 3des,rc4
2020.11.13 16:10:46 DEBUG web[][javax.security.sasl] DIGEST11:Directive algorithm = md5-sess

I would loved to change this part: qop = auth,auth-int,auth-conf to qop = auth-int..

It won’t work passing as java opts properties as these properties supposed to be passed to ldap context as it can be seen in an example in the link you have provided.

Such property could be added to ldap properties configuration, I’ve created a ticket to track this: https://jira.sonarsource.com/browse/SONAR-14222

1 Like

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.