Users Unable to Authenticate with LDAP Again

Hello, we are self-hosting the free version of SonarQube v8.4.1. We have two users who seem unable to sign in using their latest username/password combos, while most users seem to sign in without trouble and no changes have been made to the instance. Our authentication is backed by LDAP; they can sign into other apps using these LDAP credentials, but are denied access to SonarQube. We have a non-production instance where the users can sign in with no issue, so the issue is isolated to Production only. We’ve tried deactivating one of the users, deleting them from the database, restarting SonarQube, and changing his password, but he still cannot sign in. When he attempts to sign in, it re-adds him to the database.

Has anyone experienced this issue before? Is there an internal bug ticket for our version perhaps? Does anyone know how to begin troubleshooting it? Is there any way we can manipulate the database to manually change his password?

Any help is appreciated, thanks,
Brandon

Hi Brandon,

What shows up in your server logs (probably web.log) when these users try to authenticate?

 
Ann

They get a generic auth failure. The strange part is that they can sign into non-prod just fine and they can sign in using old passwords. So it seems like Production is NOT syncing new LDAP credentials. Is there a way to force it to?

Thanks,
Brandon

Hi Brandon,

I’m not sure what you mean by ‘syncing’. LDAP authentication sends a request to LDAP with each login attempt. Can you possibly be pointing at an old/non-production LDAP?

 
Ann

Hi Ann,
I’ve attached some web.log lines referencing the n0169128 user. We see “LDAP: error code 49 - Invalid Credentials” but also “User n0169128 not found” so not sure what’s going on there. He is in the “users” database table with no duplicates, so not sure how to “refresh” his ID. Our LDAP settings seem fine because nothing has changed there recently, and other users are unaffected.

n0169128_sonar_logs.json (7.4 KB)

Thanks for your help,
James

Hi James,

When I strain the logs out of the JSON, I get this:

2021.11.19 10:46:41 INFO  web[][o.a.t.u.h.Parameters] Invalid chunk starting at byte [0] and ending at byte [9] with a value of [=n0169128] ignored\\n Note: further occurrences of Parameter errors will be logged at DEBUG level.\n
2021.11.18 14:22:40 DEBUG web[AX0ex+0b0nWMBxuTEjsc][auth.event] login failure [cause|Realm returned authenticate=false][method|FORM][provider|REALM|LDAP][IP|10.225.33.122|10.8.5.34, 10.8.5.34][login|N0169128]\n
2021.11.18 14:22:40 DEBUG web[AX0ex+0b0nWMBxuTEjsc][o.s.a.l.LdapAuthenticator] User N0169128 not found
2021.11.18 14:22:40 DEBUG web[AX0ex+0b0nWMBxuTEjsc][o.s.a.l.LdapAuthenticator] Password not valid for user uid=n0169128,ou=People,o=Liberty,o=Intranet in server <default>: [LDAP: error code 49 - Invalid Credentials]
2021.11.18 14:22:40 DEBUG web[AX0ex+0b0nWMBxuTEjsc][o.s.a.l.LdapContextFactory] Initializing LDAP context {java.naming.referral=follow, java.naming.security.principal=uid=n0169128,ou=People,o=Liberty,o=Intranet, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.provider.url=ldaps://ldapsintprd-01.lmig.com:636, java.naming.security.authentication=simple}
2021.11.18 14:22:40 DEBUG web[AX0ex+0b0nWMBxuTEjsc][o.s.a.l.LdapSearch] Search: LdapSearch{baseDn=o=Intranet, scope=subtree, request=(&(objectClass=inetOrgPerson)(uid={0})), parameters=[N0169128], attributes=null}
2021.11.18 14:22:40 DEBUG web[AX0ex+0b0nWMBxuTEjsc][o.s.a.l.LdapSearch] Search: LdapSearch{baseDn=o=Intranet, scope=subtree, request=(&(objectClass=inetOrgPerson)(uid={0})), parameters=[N0169128], attributes=[mail, displayName]}
2021.11.18 14:22:40 DEBUG web[AX0ex+0b0nWMBxuTEjsc][o.s.a.l.LdapUsersProvider] Requesting details for user N0169128
2021.11.18 14:22:15 DEBUG web[AX0ex+0b0nWMBxuTEjqb][auth.event] login failure [cause|Realm returned authenticate=false][method|FORM][provider|REALM|LDAP][IP|10.225.32.121|10.8.5.34, 10.8.5.34][login|n0169128]
2021.11.18 14:22:15 DEBUG web[AX0ex+0b0nWMBxuTEjqb][o.s.a.l.LdapAuthenticator] User n0169128 not found
2021.11.18 14:22:15 DEBUG web[AX0ex+0b0nWMBxuTEjqb][o.s.a.l.LdapAuthenticator] Password not valid for user uid=n0169128,ou=People,o=Liberty,o=Intranet in server <default>: [LDAP: error code 49 - Invalid Credentials]
2021.11.18 14:22:15 DEBUG web[AX0ex+0b0nWMBxuTEjqb][o.s.a.l.LdapContextFactory] Initializing LDAP context {java.naming.referral=follow, java.naming.security.principal=uid=n0169128,ou=People,o=Liberty,o=Intranet, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.provider.url=ldaps://ldapsintprd-01.lmig.com:636, java.naming.security.authentication=simple}
2021.11.18 14:22:14 DEBUG web[AX0ex+0b0nWMBxuTEjqb][o.s.a.l.LdapSearch] Search: LdapSearch{baseDn=o=Intranet, scope=subtree, request=(&(objectClass=inetOrgPerson)(uid={0})), parameters=[n0169128], attributes=null}
2021.11.18 14:22:14 DEBUG web[AX0ex+0b0nWMBxuTEjqb][o.s.a.l.LdapSearch] Search: LdapSearch{baseDn=o=Intranet, scope=subtree, request=(&(objectClass=inetOrgPerson)(uid={0})), parameters=[n0169128], attributes=[mail, displayName]}
2021.11.18 14:22:14 DEBUG web[AX0ex+0b0nWMBxuTEjqb][o.s.a.l.LdapUsersProvider] Requesting details for user n0169128

And what I get from that is that LDAP itself is saying the credentials are invalid. So… a couple questions come to mind:

  • the user really logs in with username n0169128?
  • has the user set a password that includes non-UTF-8 characters?

 
Ann
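
The correlation done by hand in the reply above, as an added example (not part of the original thread and not SonarQube code): it groups web.log lines by the request ID in `web[...]` and reports, for each failed login, the login as typed, the bind DN and the LDAP result code. The sample lines are abridged from the log quoted in the thread; the function and field names are hypothetical.

```python
import re
from collections import defaultdict

# Abridged from the web.log lines quoted in the thread (newest first, as posted).
SAMPLE = """\
2021.11.18 14:22:40 DEBUG web[AX0ex+0b0nWMBxuTEjsc][auth.event] login failure [cause|Realm returned authenticate=false][method|FORM][provider|REALM|LDAP][login|N0169128]
2021.11.18 14:22:40 DEBUG web[AX0ex+0b0nWMBxuTEjsc][o.s.a.l.LdapAuthenticator] User N0169128 not found
2021.11.18 14:22:40 DEBUG web[AX0ex+0b0nWMBxuTEjsc][o.s.a.l.LdapAuthenticator] Password not valid for user uid=n0169128,ou=People,o=Liberty,o=Intranet in server <default>: [LDAP: error code 49 - Invalid Credentials]
2021.11.18 14:22:15 DEBUG web[AX0ex+0b0nWMBxuTEjqb][auth.event] login failure [cause|Realm returned authenticate=false][method|FORM][provider|REALM|LDAP][login|n0169128]
2021.11.18 14:22:15 DEBUG web[AX0ex+0b0nWMBxuTEjqb][o.s.a.l.LdapAuthenticator] Password not valid for user uid=n0169128,ou=People,o=Liberty,o=Intranet in server <default>: [LDAP: error code 49 - Invalid Credentials]
"""

LINE = re.compile(r"^(\S+ \S+) +(\w+) +web\[([^\]]*)\]\[([^\]]+)\] (.*)$")
LOGIN = re.compile(r"\[login\|([^\]]*)\]")
BIND = re.compile(r"Password not valid for user (\S+) in server (\S+): \[LDAP: error code (\d+)")

def summarize(text):
    """Group lines by request ID and return one dict per failed LDAP login."""
    reqs = defaultdict(dict)
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m or not m.group(3):
            continue  # not a web.log line, or no request ID to correlate on
        ts, _level, rid, logger, msg = m.groups()
        r = reqs[rid]
        r["time"] = min(ts, r.get("time", ts))  # earliest line of the request
        if logger == "auth.event" and "login failure" in msg:
            lm = LOGIN.search(msg)
            r["login"] = lm.group(1) if lm else None
        bm = BIND.search(msg)
        if bm:  # the bind was attempted with this DN and the directory refused it
            r["bind_dn"], r["server"], r["ldap_code"] = bm.group(1), bm.group(2), int(bm.group(3))
    out = []
    for rid, r in reqs.items():
        if "login" not in r:
            continue  # request did not end in an auth.event login failure
        dn_uid = re.match(r"uid=([^,]+)", r.get("bind_dn", ""))
        r["request"] = rid
        # Flag attempts where the typed login and the uid in the bind DN differ (e.g. in case).
        r["case_differs"] = bool(dn_uid) and dn_uid.group(1) != r["login"]
        out.append(r)
    return sorted(out, key=lambda r: r["time"])

if __name__ == "__main__":
    for r in summarize(SAMPLE):
        print(r["time"], r["request"], r["login"], r.get("bind_dn"), r.get("ldap_code"), r["case_differs"])
```

Both requests in the sample carry a bind DN and result code 49, which is the directory rejecting the password rather than SonarQube failing to find the account in its own database.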