Compatibility matrix
| Apache DS | OpenLDAP | OpenDS | Active Directory |
|---|---|---|---|---|
Anonymous |
|
|
|
|
Simple |
|
|
|
|
LDAPS |
|
|
|
|
DIGEST-MD5 |
|
|
|
|
CRAM-MD5 |
|
|
|
|
GSSAPI |
|
|
|
|
- means that it was tested
Description
The Sonar LDAP Plugin enables the delegation of Sonar authentication to an external system. The plugin currently supports LDAP and Microsoft Active Directory.
Only password-checking is done against the external system. Authorization (access control) is still fully managed in Sonar. That’s why LDAP or Active Directory users do not automatically have access to Sonar. A Sonar account must be created first for each new user wishing to use Sonar. The Sonar administrator should also assign the user to the desired groups in order to grant him necessary rights. If exists, the password in the Sonar account will be ignored as the external system password will override it.
Usage & Installation
- Download the plugin from Update Center and restart server. If you don't have access to Internet, then manually download JAR file into $SONAR_HOME/extensions/plugins and restart server.
- Make sure that at least one user with global administration role exists in Sonar as well as in the external system
Configure conf/sonar.properties by adding and editing the following:
conf/sonar.propertiesRestart the Sonar server and check the log file for:
INFO org.sonar.INFO Authentication plugin: class com.teklabs.sonar.plugins.ldap.LdapAuthenticator INFO org.sonar.INFO Authentication plugin started
- Log in to Sonar
Auto-discovery
Here is description of how auto-discovery works:
- Determining DNS Domain Name:
- from "ldap.realm" property if set
- from FQDN of machine, where Sonar installed (eg. if FQDN is "sonar.example.org", then DNS Domain Name will be "example.org")
- Determining URL of LDAP server:
- from "ldap.url" property if set
from DNS server ( see known limitations ), here is example of SRV Record for domain "example.org":
_ldap._tcp.example.org. 72784 IN SRV 0 5 389 ldap.example.org.
for this domain URL of LDAP server will be "ldap://ldap.example.org:389"
- Determining BaseDN:
- from "ldap.baseDn" property if set
- from DNS Domain Name (eg. if DNS Domain Name is "example.org", then BaseDN will be "dc=example,dc=org")
Authentication Methods
- Simple
Simple authentication is not recommended for production deployments not using the secure ldaps protocol as it sends a cleartext password over the network. - Anonymous
Used when only needs read-only access to non-protected entries and attributes when binding to the LDAP server. - CRAM-MD5
The Challenge-Response Authentication Method (CRAM) based on the HMAC-MD5 MAC algorithm (RFC 2195). - DIGEST-MD5
This is an improvement on the CRAM-MD5 authentication method (RFC 2831). - GSSAPI
GSS-API is Generic Security Service API (RFC 2744). One of the most popular security services available for GSS-API is the Kerberos v5, used in Microsoft's Windows 2000 platform.
For a full discussion of LDAP authentication approaches, see RFC 2829 and RFC 2251.
Known limitations
Auto-discovery takes into account only one SRV record.
Troubleshooting
You can enable debug logging by adding the following to conf/logback.xml:
Changelog
5 Comments
Hide/Show CommentsJul 30, 2010
Evgeny Mandrikov
Muhammad Yahia, thank you for notification.
Aug 12, 2010
Roman Arkadijovych Muntyanu
+1 to successful plug-in setup with active directory.
Several comments though.
Oct 01, 2010
Anders Hammar
For backup LDAP servers, I believe that specifying several provider urls separated with a space should work (for the ldap.url property). Maybe someone could confirm this and update that docs if it is the case?
Oct 01, 2010
Evgeny Mandrikov
Andes,
I do confirm that this wouldn't work.
Oct 01, 2010
Simon Brandhof
Anders, can you file an issue in JIRA please ?