Copy Page

You are not logged in. Any changes you make will be marked as anonymous. You may want to Log In if you already have an account. You can also Sign Up for a new account.

<table class="wysiwyg-macro" data-macro-name="unmigrated-inline-wiki-markup" data-macro-parameters="atlassian-macro-output-type=BLOCK" style="background-image: url(/plugins/servlet/confluence/placeholder/macro-heading?definition=e3VubWlncmF0ZWQtaW5saW5lLXdpa2ktbWFya3VwOmF0bGFzc2lhbi1tYWNyby1vdXRwdXQtdHlwZT1CTE9DS30&amp;locale=en_GB&amp;version=2); background-repeat: no-repeat;" data-macro-body-type="PLAIN_TEXT"><tr><td class="wysiwyg-macro-body"><pre>{iframe:src=http://update.sonarsource.org/plugins/pam.html|width=700|height=250|frameborder=0}
Your browser does not support iframes.
{iframe}</pre></td></tr></table><h1>Features</h1><p>The Sonar PAM Plugin enables the delegation of Sonar authentication to underlying PAM subsystem. The plugin works on *nix box with <strong>Pluggable Authentication Module (PAM)</strong>.</p><p>Only password-checking is done against PAM. Authorization (access control) is still fully managed in Sonar. A Sonar account must be created first for each new user wishing to use Sonar. The Sonar administrator should also assign the user to the desired groups in order to grant him necessary rights. If exists, the password in the Sonar account will be ignored as the external system password will override it.</p><h3>Works on</h3><table class="confluenceTable"><tbody><tr><th class="confluenceTh"><p>OS and Architecture</p></th><th class="confluenceTh"><p>Works</p></th></tr><tr><td class="confluenceTd"><p>Linux AMD64</p></td><td class="confluenceTd"><p><img class="emoticon emoticon-tick" data-emoticon-name="tick" border="0" src="/s/en_GB/3278/15/_/images/icons/emoticons/check.png" alt="(tick)" title="(tick)" /></p></td></tr><tr><td class="confluenceTd"><p>Linux i386</p></td><td class="confluenceTd"><p><img class="emoticon emoticon-tick" data-emoticon-name="tick" border="0" src="/s/en_GB/3278/15/_/images/icons/emoticons/check.png" alt="(tick)" title="(tick)" /></p></td></tr><tr><td class="confluenceTd"><p>Mac OS X PPC</p></td><td class="confluenceTd"><p><img class="emoticon emoticon-warning" data-emoticon-name="warning" border="0" src="/s/en_GB/3278/15/_/images/icons/emoticons/warning.png" alt="(warning)" title="(warning)" /></p></td></tr><tr><td class="confluenceTd"><p>Solaris sparc</p></td><td class="confluenceTd"><p><img class="emoticon emoticon-warning" data-emoticon-name="warning" border="0" src="/s/en_GB/3278/15/_/images/icons/emoticons/warning.png" alt="(warning)" title="(warning)" /></p></td></tr><tr><td class="confluenceTd"><p>Windows all flavours</p></td><td class="confluenceTd"><p><img class="emoticon emoticon-minus" data-emoticon-name="minus" border="0" src="/s/en_GB/3278/15/_/images/icons/emoticons/forbidden.png" alt="(minus)" title="(minus)" /></p></td></tr></tbody></table><p><img class="emoticon emoticon-tick" data-emoticon-name="tick" border="0" src="/s/en_GB/3278/15/_/images/icons/emoticons/check.png" alt="(tick)" title="(tick)" /> Works, tested<br /> <img class="emoticon emoticon-warning" data-emoticon-name="warning" border="0" src="/s/en_GB/3278/15/_/images/icons/emoticons/warning.png" alt="(warning)" title="(warning)" /> Should work, not tested<br /> <img class="emoticon emoticon-minus" data-emoticon-name="minus" border="0" src="/s/en_GB/3278/15/_/images/icons/emoticons/forbidden.png" alt="(minus)" title="(minus)" />  Does not work</p><h1>Usage &amp; Installation</h1><ol><li>Install jpam<ol><li>Download jpam for your system from <a href="http://jpam.sourceforge.net/">here</a></li><li>Alternatively:<ol><li>Copy the jpam's native library following <a href="http://jpam.sourceforge.net/documentation/getting_started.html">these directions</a></li><li>Copy the jpam's native libray in <code>sonar/bin/&lt;your arch&gt;/lib</code></li></ol></li></ol></li><li>Install Sonar PAM plugin<ol><li>Place the jar plugin into the <code>/extensions/plugins</code> directory</li><li>Make sure that at least one user with global administration role exists in Sonar as well as in the external system</li><li><p>Configure <code>conf/sonar.properties</code>by adding and editing the following:</p><table class="wysiwyg-macro" data-macro-name="code" data-macro-parameters="borderStyle=dashed|title=sonar.properties" style="background-image: url(/plugins/servlet/confluence/placeholder/macro-heading?definition=e2NvZGU6Ym9yZGVyU3R5bGU9ZGFzaGVkfHRpdGxlPXNvbmFyLnByb3BlcnRpZXN9&amp;locale=en_GB&amp;version=2); background-repeat: no-repeat;" data-macro-body-type="PLAIN_TEXT"><tr><td class="wysiwyg-macro-body"><pre>#----------------------
# Sonar PAM Auth Plugin
#----------------------
sonar.security.realm: PAM

# Automatically create users (available since Sonar 2.0).
# When set to true, user will be created after successful authentication, if doesn't exists.
# The default group affected to new users can be defined online, in Sonar general settings. The default value is "sonar-users".
# Default is false.
# sonar.authenticator.createUsers: true
</pre></td></tr></table></li></ol></li><li><p>Restart Sonar and check logs for:</p><table class="wysiwyg-macro" data-macro-name="code" data-macro-parameters="borderStyle=dashed" style="background-image: url(/plugins/servlet/confluence/placeholder/macro-heading?definition=e2NvZGU6Ym9yZGVyU3R5bGU9ZGFzaGVkfQ&amp;locale=en_GB&amp;version=2); background-repeat: no-repeat;" data-macro-body-type="PLAIN_TEXT"><tr><td class="wysiwyg-macro-body"><pre>2012.11.24 20:32:34 INFO  org.sonar.INFO  Security realm: PAM
2012.11.24 20:32:34 INFO  org.sonar.INFO  Security realm started</pre></td></tr></table></li><li>Log in to Sonar</li></ol><h2>Known Issues</h2><h3>Crash using PAM winbind authentication (pam_winbind.so)</h3><p>In case of unsucessful login for wrong password/locked out account (wrong username does not produce the same issue) you may get this kind of error while using pam winbind authentication:</p><table class="wysiwyg-macro" data-macro-name="code" data-macro-parameters="borderStyle=dashed|title=pam_winbind.so error" style="background-image: url(/plugins/servlet/confluence/placeholder/macro-heading?definition=e2NvZGU6Ym9yZGVyU3R5bGU9ZGFzaGVkfHRpdGxlPXBhbV93aW5iaW5kLnNvIGVycm9yfQ&amp;locale=en_GB&amp;version=2); background-repeat: no-repeat;" data-macro-body-type="PLAIN_TEXT"><tr><td class="wysiwyg-macro-body"><pre>INFO   | jvm 1    | 2011/03/18 10:06:10 | *** glibc detected *** java: free(): invalid pointer: 0x00002aaadc000168 ***
INFO   | jvm 1    | 2011/03/18 10:06:10 | ======= Backtrace: =========
INFO   | jvm 1    | 2011/03/18 10:06:10 | /lib64/libc.so.6[0x3b9527245f]
INFO   | jvm 1    | 2011/03/18 10:06:10 | /lib64/libc.so.6(cfree+0x4b)[0x3b952728bb]
INFO   | jvm 1    | 2011/03/18 10:06:10 | /lib64/security/pam_winbind.so[0x2aaadaddc8f9]
INFO   | jvm 1    | 2011/03/18 10:06:10 | /lib64/security/pam_winbind.so[0x2aaadaddee4c]
INFO   | jvm 1    | 2011/03/18 10:06:10 | /lib64/security/pam_winbind.so(pam_sm_authenticate+0x304)[0x2aaadaddf9e4]
INFO   | jvm 1    | 2011/03/18 10:06:10 | /lib64/libpam.so.0(_pam_dispatch+0x277)[0x3b97e02dc7]
INFO   | jvm 1    | 2011/03/18 10:06:10 | /lib64/libpam.so.0(pam_authenticate+0x42)[0x3b97e026d2]
</pre></td></tr></table><p>In this case Sonar crashes and restart automatically.</p><p>As far as I understand it's a pam_winbind.so issue. I've found this workaround:</p><ol><li>Edit /etc/security/pam_winbind.conf:</li><li><p>Set Kerberos authentication:</p><table class="wysiwyg-macro" data-macro-name="code" data-macro-parameters="borderStyle=dashed|title=/etc/security/pam_winbind.conf" style="background-image: url(/plugins/servlet/confluence/placeholder/macro-heading?definition=e2NvZGU6Ym9yZGVyU3R5bGU9ZGFzaGVkfHRpdGxlPS9ldGMvc2VjdXJpdHkvcGFtX3dpbmJpbmQuY29uZn0&amp;locale=en_GB&amp;version=2); background-repeat: no-repeat;" data-macro-body-type="PLAIN_TEXT"><tr><td class="wysiwyg-macro-body"><pre>#
# pam_winbind configuration file
#
# /etc/security/pam_winbind.conf
#

[global]

# turn on debugging
#debug = yes

# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
cached_login = yes

# authenticate using kerberos
krb5_auth = yes

# when using kerberos, request a "FILE" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
;krb5_ccache_type = FILE

# make successful authentication dependend on membership of one SID
# (can also take a name)
;require_membership_of =
</pre></td></tr></table></li></ol><h1>Change Log</h1><p><img class="editor-inline-macro" src="/plugins/servlet/confluence/placeholder/macro?definition=e2ppcmFpc3N1ZXM6YW5vbnltb3VzPXRydWV8dGl0bGU9UmVsZWFzZSAwLjJ8cmVuZGVyTW9kZT1zdGF0aWN8d2lkdGg9OTAwfGNvbHVtbnM9dHlwZTtrZXk7c3VtbWFyeTtwcmlvcml0eXx1cmw9aHR0cDovL2ppcmEuY29kZWhhdXMub3JnL3NyL2ppcmEuaXNzdWV2aWV3czpzZWFyY2hyZXF1ZXN0LXhtbC90ZW1wL1NlYXJjaFJlcXVlc3QueG1sP2ZpeGZvcj0xODk5OSZwaWQ9MTE5MTEmc29ydGVyL2ZpZWxkPXByaW9yaXR5JnNvcnRlci9vcmRlcj1ERVNDJnRlbXBNYXg9MTAwMH0&amp;locale=en_GB&amp;version=2" data-macro-name="jiraissues" data-macro-parameters="anonymous=true|columns=type;key;summary;priority|renderMode=static|title=Release 0.2|url=http://jira.codehaus.org/sr/jira.issueviews:searchrequest-xml/temp/SearchRequest.xml?fixfor\=18999&amp;pid\=11911&amp;sorter/field\=priority&amp;sorter/order\=DESC&amp;tempMax\=1000|width=900"></p><p> </p><p><img class="editor-inline-macro" src="/plugins/servlet/confluence/placeholder/macro?definition=e2ppcmFpc3N1ZXM6YW5vbnltb3VzPXRydWV8dGl0bGU9UmVsZWFzZSAwLjF8cmVuZGVyTW9kZT1zdGF0aWN8d2lkdGg9OTAwfGNvbHVtbnM9dHlwZTtrZXk7c3VtbWFyeTtwcmlvcml0eXx1cmw9aHR0cDovL2ppcmEuY29kZWhhdXMub3JnL3NyL2ppcmEuaXNzdWV2aWV3czpzZWFyY2hyZXF1ZXN0LXhtbC90ZW1wL1NlYXJjaFJlcXVlc3QueG1sP2ZpeGZvcj0xNzI2MyZwaWQ9MTE5MTEmc29ydGVyL2ZpZWxkPXByaW9yaXR5JnNvcnRlci9vcmRlcj1ERVNDJnRlbXBNYXg9MTAwMH0&amp;locale=en_GB&amp;version=2" data-macro-name="jiraissues" data-macro-parameters="anonymous=true|columns=type;key;summary;priority|renderMode=static|title=Release 0.1|url=http://jira.codehaus.org/sr/jira.issueviews:searchrequest-xml/temp/SearchRequest.xml?fixfor\=17263&amp;pid\=11911&amp;sorter/field\=priority&amp;sorter/order\=DESC&amp;tempMax\=1000|width=900"></p><p> </p><p> </p>