Upgrade SonarQube Developer from 8.9 to 9.9.3 LDAP issues

Make sure to tell us:

  • What version are you upgrading from?
    SonarQube 8.9 developer
  • System information (Operating system, Java version, Database provider/version)
    k8s 1.24.6 - Java 17.0.9 - external AWS PostgreSQL
  • What’s the issue you’re facing?

The connection to the LDAP server is ok but then I cannot log in with the Active Directory users.

2024.01.29 12:40:28 INFO  web[][o.s.a.l.LdapSettingsManager] User mapping: LdapUserMapping{baseDn=DC=local,DC=domain,DC=my, request=(userPrincipalName={0}), realNameAttribute=displayname, emailAttribute=mail}
2024.01.29 12:40:28 INFO  web[][o.s.a.l.LdapSettingsManager] Group mapping: LdapGroupMapping{baseDn=DC=local,DC=domain,DC=my, idAttribute=sAMAccountName, requiredUserAttributes=[dn], request=(&(objectClass=group)(member={0}))}
2024.01.29 12:40:28 INFO  web[][o.s.a.l.LdapContextFactory] Test LDAP connection on ldap://my.domain.local: OK

Error:

2024.01.29 12:42:23 DEBUG web[AY1VPI6KSmO5XvMDAAA9][o.s.a.l.LdapSearch] Search: LdapSearch{baseDn=DC=local,DC=domain,DC=my, scope=subtree, request=(userPrincipalName={0}), parameters=[johndoe@mydomain.com], attributes=null}
2024.01.29 12:42:23 DEBUG web[AY1VPI6KSmO5XvMDAAA9][o.s.a.l.LdapContextFactory] Initializing LDAP context {java.naming.referral=follow, java.naming.security.principal=CN=ldapuser,OU=IT,DC=local,DC=domain,DC=my, com.sun.jndi.ldap.connect.pool=true, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.provider.url=ldap://mydoamin.com, java.naming.security.authentication=simple}
2024.01.29 12:42:23 DEBUG web[AY1VPI6KSmO5XvMDAAA9][o.s.a.l.DefaultLdapAuthenticator] User johndoe@mydomain.com not found in server <default>: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C090CF4, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4563]; remaining name 'DC=local,DC=domain,DC=my'
2024.01.29 12:42:23 DEBUG web[AY1VPI6KSmO5XvMDAAA9][o.s.a.l.DefaultLdapAuthenticator] User johndoe@mydomain.com not found
2024.01.29 12:42:23 DEBUG web[AY1VPI6KSmO5XvMDAAA9][auth.event] login failure [cause|Realm returned authenticate=false][method|FORM][provider|REALM|ldap][IP|172.16.18.26|172.16.98.64][login|johndoe@mydomain.com]

Same configuration works OK for version 8.9:

sonarProperties:
  ldap.user.realNameAttribute: displayname
  sonar.authenticator.downcase: true
  sonar.security.realm: LDAP
  ldap.url: ldap://mydoamin.com
  ldap.bindDn: CN=ldapuser,OU=IT,DC=local,DC=domain,DC=my
  ldap.group.baseDn: DC=local,DC=domain,DC=my
  ldap.user.baseDn: DC=local,DC=domain,DC=my
  ldap.user.request: (userPrincipalName={login})
  ldap.group.request: (&(objectClass=group)(member={dn}))
  ldap.group.idAttribute: sAMAccountName

env:
  - name: ldap.bindPassword
    valueFrom:
      secretKeyRef:
        name: ldap-password
        key: ldap-bindpassword

What could I do to authenticate with my LDAP server as I did with version 8.9?
Thank you.

Hi,

Are you 100% sure you’re using exactly the same LDAP properties as before? Because here’s the root cause:

Generally, the best way to deal with LDAP connection problems is to debug them in a dedicated LDAP client and then transfer the successful properties into your SonarQube configuration.

Ann

Ann thanks for your response. Yes, I am sure that the configuration is correct because it is an exact copy of the one I am currently using in prod with SonarQube 8.9.
Also because initially I get the “Test LDAP connection on ldap://my.domain.local: OK”

If I set the “ldap.bindPassword” to plain text within the sonarProperties it works, but I can’t leave it that way in production. I need the password from the Secret.
If I send from the ssh console I do not have the “ldap.bindPassword” feature either.
I’ve tried setting the Secret inside “sonarSecretProperties” but I’m not sure of the proper syntax.

Thanks.

Hi,

Thanks for the confirmation. I suspect this is down to changes in the Helm chart, but I don’t know what specifically. I’m going to flag this for more expert eyes.

Ann

Ann, I suspect so, that it is due to some changes in the values.yaml related to previous versions. I didn’t find anything in the official documentation that can help me.
I would really appreciate it if you could consult with another set of eyes.

Thank you very much for your help.

I found the solution. I found how to pass the secret variable to the ldap.bindPassword of the sonar.properties.
I needed to add the “env” to take the variable.

env:
  - name: ldap_bindPassword
    valueFrom:
      secretKeyRef:
        name: ldap
        key: password
sonarProperties:
  ldap.user.realNameAttribute: displayname
  sonar.authenticator.downcase: true
  sonar.security.realm: LDAP
  ldap.url: ldap://mydoamin.com
  ldap.bindDn: CN=ldapuser,OU=IT,DC=local,DC=domain,DC=my
  ldap.group.baseDn: DC=local,DC=domain,DC=my
  ldap.user.baseDn: DC=local,DC=domain,DC=my
  ldap.user.request: (userPrincipalName={login})
  ldap.group.request: (&(objectClass=group)(member={dn}))
  ldap.group.idAttribute: sAMAccountName
  ldap.bindPassword: ${env:ldap_bindPassword}

Thanks. Joaquín.

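The fix above works because sonar.properties expands `${env:VAR_NAME}` placeholders from the pod environment, so the secret never has to be written into the values file in clear. The following is an added pre-deployment check, not SonarQube's or the Helm chart's own code: it resolves the `sonarProperties` mapping against a given environment the same way, reports a placeholder whose variable is missing or empty (which would otherwise silently become an empty bind password, i.e. an unauthenticated bind, consistent with the "a successful bind must be completed" error in the thread), and never prints the resolved password. The property names come from the thread; the environment contents and the `check`/`resolve` helpers are constructed for this example.

```python
"""Pre-deployment check for secret-backed SonarQube LDAP properties.

Added example (not SonarQube's or the Helm chart's own code). Assumes the
``${env:VAR_NAME}`` placeholder syntax of sonar.properties; the sample
environments below are constructed for illustration.
"""
import re
from typing import Mapping

# ${env:NAME} placeholders exactly as they are written in sonar.properties
PLACEHOLDER = re.compile(r"\$\{env:([^}]+)\}")

# Properties whose resolved value must never be echoed in clear
SENSITIVE = {"ldap.bindPassword"}

# Property set from the thread, minus the bind password: the "before" config
# exported a variable named ldap.bindPassword but nothing referenced it.
BROKEN_PROPS = {
    "sonar.security.realm": "LDAP",
    "ldap.url": "ldap://mydoamin.com",
    "ldap.bindDn": "CN=ldapuser,OU=IT,DC=local,DC=domain,DC=my",
    "ldap.user.baseDn": "DC=local,DC=domain,DC=my",
    "ldap.user.request": "(userPrincipalName={login})",
}
BROKEN_ENV = {"ldap.bindPassword": "constructed-secret"}  # constructed

# The "after" config: the property references the variable by name
FIXED_PROPS = dict(BROKEN_PROPS, **{"ldap.bindPassword": "${env:ldap_bindPassword}"})
FIXED_ENV = {"ldap_bindPassword": "constructed-secret"}  # constructed


def resolve(props: Mapping[str, str], env: Mapping[str, str]):
    """Expand ${env:NAME} in every property value.

    Returns (resolved, problems). A placeholder whose variable is absent or
    empty is reported instead of silently expanding to "".
    """
    resolved = {}
    problems = []
    for key, value in props.items():
        def _sub(match):
            name = match.group(1)
            if name not in env:
                problems.append(f"{key}: ${{env:{name}}} is not set in the pod environment")
                return ""
            if env[name] == "":
                problems.append(f"{key}: ${{env:{name}}} is set but empty")
            return env[name]
        resolved[key] = PLACEHOLDER.sub(_sub, str(value))
    return resolved, problems


def redacted(resolved: Mapping[str, str]):
    """Copy of the resolved properties safe to print in a deployment log."""
    return {k: ("<redacted>" if k in SENSITIVE else v) for k, v in resolved.items()}


def check(props: Mapping[str, str], env: Mapping[str, str]):
    """Resolve placeholders and flag a bind DN with no usable password.

    A bind DN paired with an empty password is a simple bind with no
    credential, which the directory treats as unauthenticated.
    """
    resolved, problems = resolve(props, env)
    if resolved.get("ldap.bindDn") and not resolved.get("ldap.bindPassword"):
        problems.append(
            "ldap.bindDn is set but ldap.bindPassword is missing or empty: "
            "the bind will be unauthenticated"
        )
    return redacted(resolved), problems


if __name__ == "__main__":
    for label, props, env in (("before", BROKEN_PROPS, BROKEN_ENV),
                              ("after", FIXED_PROPS, FIXED_ENV)):
        safe, problems = check(props, env)
        print(label, safe)
        for p in problems:
            print("  PROBLEM:", p)
```

Run it against the rendered `sonarProperties` and the container's environment before rolling a chart upgrade: an empty problem list means the secret reached the property, and the redacted dump is safe to paste into a support thread.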

Hi Joaquin,

Thanks for the followup! I’ll ask about getting this added to the docs.

Ann
