Hi all,

we have a completely weird problem with SonarQube LDAP.
We are using version 10.0 developer edition.

The problem is: some users can login via LDAP and some can not. The error message they get is that their password does not match.

We are usingthe LDAP function of an AD and they can log in without problems with their AD password to other tools in our company only sonar fails constantly.

Our sonar LDAP is configured as following:
sonar.security.realm=LDAP
ldap.url=ldap://ourLDAP.server:389
ldap.bindDn=CN=ldap readuser,OU=ourSubGroup,OU=primary group,DC=example,DC=local
ldap.bindPassword=GEHEIM
ldap.authentication=simple
sonar.security.localUsers=admin,wurzel

User Configuration

ldap.user.baseDn=OU=ourSubGroup,OU=primary group,DC=example,DC=local
ldap.user.request=(&(objectClass=user)(sAMAccountName={login}))
ldap.user.realNameAttribute=cn

In the sonarlog i find following error:
2023.04.18 09:27:01 DEBUG web[AYck3vH9ZLA1s0jTAZcO][o.s.a.l.DefaultLdapAuthenticator] Password not valid for user CN=mein User,OU=ourSubGroup,OU=primary group,DC=example,DC=local in server default: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 532, v4563^@]

Can someone help please?

Greetings,
Marja

Hi Marja,

This looks like a question of your LDAP configuration.

Searching on the error message landed me me on StackOverflow.

 
HTH,
Ann

Hello Ann,

hmm, your Link deals with any javacode. We do not use or configure any javacode.
We only use and configure sonar.properties.

Also in your link they wrote, one has to use user@domain. This does not work at all in our config.
The strange thing is, some user can login with only username and their password, others can not neither with username/password nor with username@domain/password, they all are getting the wrong creentials error.
In the meantime i made an ldapsearch (obviously sonar does not make other things than an ldapsearch) with the credentials of the binduser and quistioning the mentioned user alwasy failing in sonar.
This is our ldapsearch (made from the server on which sonar is running on):
ldapsearch -x -b"OU=OU=ourSubgroup,OU=main group,DC=domain,DC=local" -H ldap://ldapserver.local -D “CN=my binduser,OU=ourSubgroup,OU=main group,DC=domain,DC=local” “(&(objectClass=user)(sAMAccountName=a.name))” -w SECRET

Well ldapsearch worked like a charm. I was getting full results.

In the meantime we commented the simple connection in Sonar Config (ldap.authentication=simple). It seems when simple method is on, only giving username as login is not accepted.

We cloned the non working LDAP account and tried it with this account and i was able to log in.
Quite strange since the only difference is that the cloned account has a new password.

Hi Marja,

So you’ve worked through this, then?

If not, you’ll need to get with your LDAP administrator.

 
HTH,
Ann