SonarQube LDAP authentication is not working


Presently, I am connecting to Apache Directory Server 2.0 from SonarQube 5.0.1. I have given the following entries in the sonar.properties file:

    # LDAP configuration
    # General Configuration
    sonar.security.realm=LDAP
    sonar.security.savePassword=false
    ldap.url=ldap://10.53.67.11:30389

    # User Configuration
    ldap.user.baseDn=o=TechMahindra
    ldap.user.request=(&(objectClass=inetOrgPerson)(uid={login}))
    ldap.user.realNameAttribute=cn
    ldap.user.emailAttribute=mail

    # Group Configuration
    ldap.group.baseDn=cn=sonar-users,ou=groups,ou=devops,o=TechMahindra
    ldap.group.request=(&(objectClass=groupOfNames)(member={dn}))
    ldap.group.idAttribute=cn

With these entries authentication does not work for any user.

Note 1: "Enable Access Control" option is checked in the Apache Directory Server.

Note 2: If the above-mentioned "Enable Access Control" option is not checked in the Apache Directory Server, authentication works. But authorization does not work in that case; that is, all users are able to log in to SonarQube irrespective of whether the user is part of the sonar-users group in LDAP or not.

There is 1 answer

Mahesh (best answer)
  • "Enable Access Control" is for authorization to access the LDAP Directory Information Tree (and not for authorization of the application). I discovered this later.
  • For application level authorization, attributes like memberOf or isMemberOf are used.
  • Apache Directory Server does not support the memberOf or isMemberOf attribute as of the date of writing this content.
  • Hence, I used OpenLDAP for this purpose and used the memberOf attribute (overlay, in other terms) by adding the following to the slapd.conf file.

    overlay memberof
    
  • Modified code used for authentication / authorization is given below:

    # LDAP configuration
    # General Configuration
    sonar.security.realm=LDAP
    sonar.security.savePassword=false
    ldap.url=ldap://10.53.67.8:389/
    ldap.bindDn=o=techmahindra
    ldap.bindPassword=secret
    
    # User Configuration
    ldap.user.baseDn=o=techmahindra
    ldap.user.request=(&(objectClass=inetOrgPerson)(uid={login})(memberOf=cn=sonar-users,ou=groups,ou=devops,o=techmahindra))
    ldap.user.realNameAttribute=cn
    ldap.user.emailAttribute=mail
    
    # Group Configuration
    ldap.group.baseDn=ou=groups,ou=devops,o=techmahindra
    ldap.group.request=(&(objectClass=groupOfNames)(cn=sonar-users)(member={dn}))
    ldap.group.idAttribute=cn
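
The effect of the extra `memberOf` clause can be checked offline. The following is an added example, not part of the original answer and not SonarQube or OpenLDAP code: a small evaluator for AND-of-equality filters, run against two constructed entries (the users `alice` and `bob` and the `ou=people` branch are assumptions) with the two `ldap.user.request` values from this page.

```python
import re

# ldap.user.request values copied from the question and from the answer.
ORIGINAL = "(&(objectClass=inetOrgPerson)(uid={login}))"
RESTRICTED = ("(&(objectClass=inetOrgPerson)(uid={login})"
              "(memberOf=cn=sonar-users,ou=groups,ou=devops,o=techmahindra))")

# Constructed sample directory: alice is in sonar-users, bob is not.
DIRECTORY = [
    {"dn": "uid=alice,ou=people,o=techmahindra",
     "objectClass": ["inetOrgPerson"], "uid": ["alice"],
     "memberOf": ["cn=sonar-users,ou=groups,ou=devops,o=TechMahindra"]},
    {"dn": "uid=bob,ou=people,o=techmahindra",
     "objectClass": ["inetOrgPerson"], "uid": ["bob"]},
]

# One "(attr=value)" assertion; the leading "(&" never matches because
# "&" is excluded from attribute names.
ASSERTION = re.compile(r"\(([^=()&]+)=([^()]*)\)")


def parse_and_filter(text):
    """Split an AND filter into (attribute, value) equality assertions."""
    if not text.startswith("(&"):
        raise ValueError("only (&...) filters are handled in this sketch")
    return [(attr.lower(), value.lower())
            for attr, value in ASSERTION.findall(text)]


def matches(entry, assertions):
    """True when every assertion is satisfied by some value of the entry.

    Simplification: all comparisons are case-insensitive; a real server
    applies the matching rule of each attribute type.
    """
    attrs = {name.lower(): [v.lower() for v in values]
             for name, values in entry.items() if name != "dn"}
    return all(value in attrs.get(attr, []) for attr, value in assertions)


def find_user(filter_template, login):
    """Return the DNs the user search would yield for this login."""
    assertions = parse_and_filter(filter_template.replace("{login}", login))
    return [entry["dn"] for entry in DIRECTORY if matches(entry, assertions)]


if __name__ == "__main__":
    for name, template in (("original", ORIGINAL), ("restricted", RESTRICTED)):
        for login in ("alice", "bob"):
            print(name, login, find_user(template, login))
```

With the original filter both users are found, so any valid password logs in; with the restricted filter the search for `bob` returns nothing. On OpenLDAP the memberof overlay maintains `memberOf` only for group changes made after it is loaded, so members of groups that already existed have to be re-added before the restricted filter matches them.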