Compatibility Matrix

    Method        Apache DS   OpenLDAP   OpenDS   Active Directory
    Anonymous     yes         yes        yes
    Simple        yes         yes        yes      yes
    LDAPS         yes         yes                 yes
    DIGEST-MD5    yes                    yes      yes
    CRAM-MD5      yes                    yes      yes
    GSSAPI        yes

"yes" means that the combination has been successfully tested; an empty cell means it has not been tested.

Description / Features

Note: this is the documentation for plugin version 1.1 and greater. Documentation for versions prior to 1.1 is located on a separate page, as are the migration instructions.

...


This plugin allows the delegation of SonarQube authentication and authorization to LDAP and/or Microsoft Active Directory.

The main features of the plugin are:

  • Password checking against the external authentication engine.
  • Automatic synchronization of usernames and emails.
  • Automatic synchronization of the relationships between users and groups (authorization).
  • Ability to authenticate users against both the external and the internal authentication systems (for instance, technical SonarQube user accounts do not need to be defined in the LDAP server, as there is an automatic fallback to the SonarQube engine if the user is not defined in LDAP or if the LDAP server is down).

During the first authentication attempt, if the password is correct, the SonarQube database is automatically populated with the new user. Each time a user logs into SonarQube, the username, the email and the groups this user belongs to are automatically refreshed in the SonarQube database.

About the delegation of authorization, there is only one prerequisite: the relationships between users and groups are only synchronized for groups which are already defined in SonarQube. So groups and their related permissions must first be defined in SonarQube.

Usage & Installation

...


Requirements

See the Compatibility Matrix above for the combinations of LDAP server and authentication method that have been tested.

Installation

Install the plugin following the standard SonarQube plugin installation procedure (see the "Plugin Installation" page).

Usage

  1. Configure the LDAP plugin by editing the SONARQUBE_HOME/conf/sonar.properties file (see the tables below).

  2. Restart the SonarQube server and check the log file for:

    INFO org.sonar.INFO Security realm: LDAP
    ...

    INFO o.s.p.l.LdapContextFactory Test LDAP connection: OK

  3. Log into SonarQube.

Configuration
General Configuration

Each property is listed with its description, default value, whether it is mandatory, and an example value.

sonar.security.realm
    Description: Makes SonarQube try to authenticate against the external system first. If the external system is not reachable or the user is not defined in it, authentication is performed through the SonarQube internal system. Available since SonarQube 2.14.
    Default value: None
    Mandatory: Yes
    Example: LDAP (the only possible value)

sonar.security.savePassword
    Description: Saves the user's password in the SonarQube database, so that users can still log into SonarQube when the LDAP server is not reachable. Available since SonarQube 2.14. Note that this makes the SonarQube database a second copy of the directory credentials, which must then be protected accordingly; keep it at false unless offline login is actually needed.
    Default value: false
    Mandatory: No

sonar.authenticator.createUsers
    Description: By default, the SonarQube database is automatically populated when a new user logs into SonarQube. Setting this value to false makes it mandatory for a SonarQube System administrator to first declare the user through the SonarQube web interface before this user can log into SonarQube.
    Default value: true
    Mandatory: No

sonar.security.updateUserAttributes
    Description: If set to true, the user's attributes (name and email) are re-synchronized at each login. If set to false, they are synchronized just once, at the very first login. Available since SonarQube 3.6.
    Default value: true
    Mandatory: No

sonar.authenticator.downcase
    Description: Set to true when connecting to an LDAP server using a case-insensitive setup.
    Default value: false
    Mandatory: No

ldap.url
    Description: URL of the LDAP server. If you are using ldaps, the server certificate must be installed into the Java truststore.
    Default value: None
    Mandatory: Yes (not mandatory in case of Auto-discovery)
    Example: ldap://localhost:10389

ldap.bindDn
    Description: Bind DN is the username of an LDAP user to connect (or bind) with. Leave this blank for anonymous access to the LDAP directory.
    Default value: None
    Mandatory: No
    Example: cn=sonar,ou=users,o=mycompany

ldap.bindPassword
    Description: Bind Password is the password of the user to connect with. Leave this blank for anonymous access to the LDAP directory.
    Default value: None
    Mandatory: No
    Example: secret

ldap.authentication
    Description: Possible values: simple | CRAM-MD5 | DIGEST-MD5 | GSSAPI. See http://java.sun.com/products/jndi/tutorial/ldap/security/auth.html and the Authentication Methods section below.
    Default value: simple
    Mandatory: No
    Example: see description

ldap.realm
    Description: DNS Domain Name used by Auto-discovery (see below).
    Default value: None
    Mandatory: No
    Example: example.org

ldap.contextFactoryClass
    Description: (advanced option) Context factory class.
    Default value: com.sun.jndi.ldap.LdapCtxFactory
    Mandatory: No

User Mapping

The example values in this table are for an Active Directory server.

ldap.user.baseDn
    Description: Distinguished Name (DN) of the root node in LDAP from which to search for users.
    Default value: None
    Mandatory: Yes (not mandatory in case of Auto-discovery)
    Example: cn=users,dc=example,dc=org

ldap.user.request
    Description: LDAP user request. The {login} placeholder is replaced with the login entered by the user. Available since plugin version 1.2.
    Default value: (&(objectClass=inetOrgPerson)(uid={login}))
    Mandatory: No
    Example: (&(objectClass=user)(sAMAccountName={login}))

ldap.user.objectClass
    Description: Deprecated in plugin version 1.2 and replaced by ldap.user.request. Object class of LDAP users.
    Default value: inetOrgPerson
    Mandatory: No
    Example: user

ldap.user.loginAttribute
    Description: Deprecated in plugin version 1.2 and replaced by ldap.user.request. Attribute in LDAP holding the user's login.
    Default value: uid
    Mandatory: No
    Example: sAMAccountName

ldap.user.realNameAttribute
    Description: Attribute in LDAP defining the user's real name.
    Default value: cn
    Mandatory: No

ldap.user.emailAttribute
    Description: Attribute in LDAP defining the user's email.
    Default value: mail
    Mandatory: No

Group Mapping

The following properties should Only groups are supported (not roles). Only static groups are supported (not dynamic groups).

For the delegation of authorization, groups must be first defined in SonarQube. Then, the following properties must be defined to allow Sonar SonarQube to automatically synchronized synchronize the relationships between users and groups.

There are two limitations:

  • Groups must be static and not dynamic
  • The user entry must contain the attribute 'memberOf' with list of groups

Yes in version 1.1.1

No in version 1.2, if you want to disable synchronization of groups.
(&(objectClass=groupOfUniqueNames)(uniqueMember={dn}))
(&(objectClass=group)(member={dn}))
PropertyDescriptionDefault valueMandatoryExample for Active Directory Server
ldap.group.baseDnDistinguished Name (DN) of the root node in LDAP from which to search for groups. NoneNocn=groups,dc=example,dc=org
ldap.group.request(available since plugin

LDAP group request.

Available since version 1.2

)

.

No Format
No
No Format
ldap.group.objectClassDeprecated in plugin version 1.2 and replaced by 'ldap.group.request'. Object class of LDAP groups.groupOfUniqueNamesNogroupldap.group.idAttributeAttribute in LDAP holding defining the group's id.cnNo 

Example of LDAP Configuration

Code Block
languagebash
# LDAP configuration
# General Configuration
sonar.security.realm=LDAP
sonar.security.savePassword=true
ldap.
group.memberAttributeDeprecated in plugin version 1.2 and replaced by 'ldap.group.request'. Attribute in LDAP holding the group's member.uniqueMemberNomember
url=ldap://myserver.mycompany.com
 
# User Configuration
ldap.user.baseDn=ou=Users,dc=mycompany,dc=com
ldap.user.request=(&(objectClass=inetOrgPerson)(uid={login}))
ldap.user.realNameAttribute=cn
ldap.user.emailAttribute=mail

# Group Configuration
ldap.group.baseDn=ou=Groups,dc=sonarsource,dc=com
ldap.group.request=(&(objectClass=posixGroup)(memberUid={uid}))
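The user and group requests above are templates into which a value ({login}, {dn} or {uid}) is substituted before the filter is sent to the directory. The login comes straight from the login form, so whatever performs that substitution must escape it per RFC 4515, otherwise an input such as `*)(uid=*` rewrites the filter instead of being matched literally. The following is an added example of that expansion written for this page; it is not the plugin's own code, and the `expand_request` and `escape_filter_value` names are the example's own.

```python
"""Expanding the ldap.user.request / ldap.group.request templates safely.

Added example, not the plugin's own code: the request templates put {login},
{dn} and {uid} into an LDAP search filter. A value that comes from the login
form must be escaped per RFC 4515 before substitution, otherwise a login such
as  *)(uid=*  rewrites the filter instead of being matched literally.
"""
import re

# RFC 4515 section 3: these characters are escaped as \XX inside a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

_PLACEHOLDER = re.compile(r"\{(\w+)\}")


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def expand_request(template: str, **values: str) -> str:
    """Substitute {name} placeholders in a request template with escaped values.

    A placeholder with no supplied value raises, so a typo in sonar.properties
    fails loudly instead of producing a filter that silently matches nothing.
    """
    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"no value for placeholder {{{name}}}")
        return escape_filter_value(values[name])

    return _PLACEHOLDER.sub(substitute, template)


# The page's default templates (user lookup, then group lookup by the user's DN).
USER_REQUEST = "(&(objectClass=inetOrgPerson)(uid={login}))"
GROUP_REQUEST = "(&(objectClass=groupOfUniqueNames)(uniqueMember={dn}))"


def demo() -> dict:
    """Expand the defaults for a normal login, a hostile login and a group lookup."""
    return {
        "normal": expand_request(USER_REQUEST, login="jdoe"),
        # Without escaping this would become (&(objectClass=inetOrgPerson)(uid=*)(uid=*))
        "hostile": expand_request(USER_REQUEST, login="*)(uid=*"),
        # DNs contain '=' and ',' which need no escaping inside a filter value.
        "group": expand_request(
            GROUP_REQUEST, dn="uid=jdoe,ou=Users,dc=mycompany,dc=com"
        ),
    }


if __name__ == "__main__":
    for label, flt in demo().items():
        print(f"{label:8s} {flt}")
```

The hostile login expands to `(uid=\2a\29\28uid=\2a)`, a literal string that matches no entry, instead of the wildcard clause it would otherwise inject. The same escaping applies when {dn} or {uid} is filled from a value the user can influence.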

Advanced Configuration

Technical Users: see the "Technical Users" page.

Multiple Servers

Available since version 1.3.

To configure multiple servers:

    # List the different servers
    ldap.servers=server1,server2

    # Configure server1
    ldap.server1.url=ldap://server1:1389
    ldap.server1.user.baseDn=dc=dept1,dc=com
    ...

    # Configure server2
    ldap.server2.url=ldap://server2:1389
    ldap.server2.user.baseDn=dc=dept2,dc=com
    ...

Authentication will be tried on each server, in the order they are listed in the configuration, until one succeeds. User/group mapping will be performed against the first server on which the user is found.

Note that all the LDAP servers must be available while (re)starting the SonarQube server.
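Because every setting above is a free-form key in sonar.properties, a mistyped server prefix, a plain ldap:// URL with a simple bind, or a savePassword left on only shows up after a restart, if at all. The following is an added example written for this page (not part of the plugin) that reads the key=value lines used in the Example of LDAP Configuration and the Multiple Servers sections, resolves the per-server prefixes that ldap.servers introduces, and reports what a reviewer would flag first. The `lint_ldap_config` function and the `SAMPLE` text are the example's own; the sample deliberately contains a misspelled `sever2` prefix to show that check firing.

```python
"""Lint the LDAP settings in a SonarQube sonar.properties file.

Added example, not part of the plugin: it reads key=value lines, resolves the
per-server prefixes that ldap.servers introduces (plugin 1.3), and reports what
a reviewer would flag before restarting the server. The checks encode this
page's own advice: ldaps for simple bind, savePassword off unless needed, and
every ldap.<name>.* prefix declared in ldap.servers.
"""


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value lines, '#' or '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def server_prefixes(props: dict) -> list:
    """['ldap'] for a single server, ['ldap.server1', ...] when ldap.servers is set."""
    names = [n.strip() for n in props.get("ldap.servers", "").split(",") if n.strip()]
    return [f"ldap.{n}" for n in names] or ["ldap"]


def lint_ldap_config(text: str) -> list:
    """Return (severity, message) findings; an empty list means nothing to flag."""
    props = parse_properties(text)
    findings = []
    if props.get("sonar.security.realm") != "LDAP":
        findings.append(("error", "sonar.security.realm must be LDAP for the plugin to be used"))
    if props.get("sonar.security.savePassword", "false").lower() == "true":
        findings.append(("warn", "sonar.security.savePassword=true copies LDAP credentials into the SonarQube database"))

    prefixes = server_prefixes(props)
    for p in prefixes:
        url = props.get(f"{p}.url", "")
        auth = props.get(f"{p}.authentication", "simple").lower()
        if not url:
            findings.append(("warn", f"{p}.url is missing (required unless auto-discovery is used)"))
        elif url.startswith("ldap://") and auth == "simple":
            findings.append(("warn", f"{p}: simple bind over plain ldap:// sends the password in cleartext; use ldaps://"))
        if props.get(f"{p}.bindDn") and not props.get(f"{p}.bindPassword"):
            findings.append(("warn", f"{p}.bindDn is set but {p}.bindPassword is empty"))

    # A key under ldap.<name>.* whose <name> is neither user/group nor a declared server is a typo.
    declared = set(prefixes)
    for key in props:
        parts = key.split(".")
        if parts[0] == "ldap" and len(parts) >= 3 and parts[1] not in ("user", "group"):
            if f"ldap.{parts[1]}" not in declared:
                findings.append(("error", f"{key}: prefix 'ldap.{parts[1]}' is not listed in ldap.servers"))
    return findings


# Constructed sample: a two-server setup with a misspelled 'sever2' prefix kept on purpose.
SAMPLE = """\
sonar.security.realm=LDAP
sonar.security.savePassword=true
ldap.servers=server1,server2
ldap.server1.url=ldap://server1:1389
ldap.server1.user.baseDn=dc=dept1,dc=com
ldap.sever2.url=ldaps://server2:1636
ldap.sever2.user.baseDn=dc=dept2,dc=com
"""

if __name__ == "__main__":
    for severity, message in lint_ldap_config(SAMPLE):
        print(f"[{severity}] {message}")
```

On the sample this reports the savePassword setting, the cleartext simple bind on server1, the missing ldap.server2.url (server2 is declared but all of its keys went to the misspelled prefix), and the two stray `ldap.sever2.*` keys. Run it against the real sonar.properties before the restart in step 2 of Usage; a silent typo there is otherwise only visible as a failed "Test LDAP connection" in the log.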

Auto-discovery

Here is a description of how auto-discovery works:

  1. Determine the DNS Domain Name:
    • From the "ldap.realm" property, if set.
    • Otherwise from the FQDN of the machine where SonarQube is installed (e.g. if the FQDN is "sonar.example.org", then the DNS Domain Name will be "example.org").
  2. Determine the URL of the LDAP server:
    • From the "ldap.url" property, if set.
    • Otherwise from the DNS server (see Known Limitations: auto-discovery takes into account only one SRV record). Here is an example of the SRV record for the domain "example.org":

      _ldap._tcp.example.org. 72784   IN      SRV     0 5 389 ldap.example.org.

      For this domain, the URL of the LDAP server will be "ldap://ldap.example.org:389".

  3. Determine the BaseDN:
    • From the "ldap.baseDn" property, if set.
    • Otherwise from the DNS Domain Name (e.g. if the DNS Domain Name is "example.org", then the BaseDN will be "dc=example,dc=org").

Note that a URL obtained from DNS is a plain ldap:// URL and is only as trustworthy as the DNS answer; for production deployments, set ldap.url explicitly (preferably with ldaps) rather than relying on discovery.
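The three steps above, as an added example written for this page (not the plugin's code). SRV records are passed in as constructed zone-file lines and the hostname as a parameter, so nothing touches the network; the `discover`, `dns_domain`, `ldap_url` and `base_dn` names are the example's own. It goes one step beyond the plugin's behaviour described under Known Limitations: when several SRV records exist it ranks them by RFC 2782 priority (lowest wins) and weight (highest wins) instead of taking only one.

```python
"""Auto-discovery reproduced as an added example (not the plugin's code).

Step 1: DNS Domain Name from ldap.realm or the host FQDN.
Step 2: LDAP URL from ldap.url or an _ldap._tcp.<domain> SRV record.
Step 3: BaseDN from ldap.baseDn or one dc= component per domain label.
Several SRV records are ranked by RFC 2782 priority then weight.
"""
import re

_SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+"
    r"(?P<priority>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


def dns_domain(props: dict, fqdn: str) -> str:
    """Step 1: ldap.realm if set, otherwise the FQDN minus its first label."""
    realm = props.get("ldap.realm", "").strip()
    if realm:
        return realm
    _host, dot, domain = fqdn.partition(".")
    if not dot:
        raise ValueError(f"{fqdn!r} is not fully qualified; set ldap.realm explicitly")
    return domain


def parse_srv(record: str) -> dict:
    """Parse one zone-file SRV line: owner, optional TTL/class, SRV, prio, weight, port, target."""
    match = _SRV_LINE.match(record.strip())
    if not match:
        raise ValueError(f"not an SRV record: {record!r}")
    return {
        "name": match["name"].rstrip("."),
        "priority": int(match["priority"]),
        "weight": int(match["weight"]),
        "port": int(match["port"]),
        "target": match["target"].rstrip("."),
    }


def ldap_url(props: dict, domain: str, srv_records: list) -> str:
    """Step 2: ldap.url if set, otherwise the best _ldap._tcp.<domain> SRV record."""
    explicit = props.get("ldap.url", "").strip()
    if explicit:
        return explicit
    owner = f"_ldap._tcp.{domain}"
    candidates = [r for r in map(parse_srv, srv_records) if r["name"] == owner]
    if not candidates:
        raise LookupError(f"no SRV record for {owner}")
    best = min(candidates, key=lambda r: (r["priority"], -r["weight"]))
    # Discovery only ever yields a plain ldap:// URL; pin ldap.url to ldaps:// in production.
    return f"ldap://{best['target']}:{best['port']}"


def base_dn(props: dict, domain: str) -> str:
    """Step 3: ldap.baseDn if set, otherwise one dc= component per domain label."""
    explicit = props.get("ldap.baseDn", "").strip()
    return explicit or ",".join(f"dc={label}" for label in domain.split("."))


def discover(props: dict, fqdn: str, srv_records: list) -> dict:
    """Run the three steps and return the resolved settings."""
    domain = dns_domain(props, fqdn)
    return {
        "domain": domain,
        "url": ldap_url(props, domain, srv_records),
        "baseDn": base_dn(props, domain),
    }


# Constructed input: the page's SRV record plus a lower-priority backup for the same domain.
SRV_RECORDS = [
    "_ldap._tcp.example.org. 72784   IN      SRV     0 5 389 ldap.example.org.",
    "_ldap._tcp.example.org. 72784   IN      SRV     10 5 389 ldap2.example.org.",
]

if __name__ == "__main__":
    print(discover({}, "sonar.example.org", SRV_RECORDS))
```

With an empty configuration and the host "sonar.example.org" this yields the page's own result, "ldap://ldap.example.org:389" and "dc=example,dc=org"; any of the three properties, when set, short-circuits its step.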

Authentication Methods

  • Simple
    Simple authentication is not recommended for production deployments that do not use the secure ldaps protocol, since it sends the password in cleartext over the network.
  • Anonymous
    Used when only read-only access to non-protected entries and attributes is needed when binding to the LDAP server.
  • CRAM-MD5
    The Challenge-Response Authentication Mechanism (CRAM) based on the HMAC-MD5 MAC algorithm (RFC 2195).
  • DIGEST-MD5
    An improvement on the CRAM-MD5 authentication method (RFC 2831). Note that RFC 6331 has since moved DIGEST-MD5 to Historic status because of its weaknesses, so prefer GSSAPI or simple over ldaps where the server supports them.
  • GSSAPI
    GSS-API is the Generic Security Service API (RFC 2743; C bindings in RFC 2744). One of the most popular security mechanisms available through GSS-API is Kerberos v5, used by Windows domains since Windows 2000.

For a full discussion of LDAP authentication approaches, see RFC 2829 and RFC 2251 (since superseded by RFC 4513 and RFC 4511 respectively).

Known Limitations

Auto-discovery takes into account only one SRV record.

Troubleshooting


For versions prior to SonarQube 4.1, you can enable debug logging by adding the following to conf/logback.xml:

conf/logback.xml:

    <logger name="org.sonar.plugins.ldap">
      <level value="DEBUG"/>
      <appender-ref ref="CONSOLE"/>
      <appender-ref ref="SONAR_FILE"/>
    </logger>

...

Migration from versions prior to 1.1

Perform the following replacements in conf/sonar.properties:

    Old property                                                           Replaced by
    sonar.authenticator.class: org.sonar.plugins.ldap.LdapAuthenticator    sonar.security.realm: LDAP
    ldap.baseDn                                                            ldap.user.baseDn
    ldap.userObjectClass                                                   ldap.user.objectClass
    ldap.loginAttribute                                                    ldap.user.loginAttribute

Then configure Group Mapping, at least by specifying the new mandatory property "ldap.group.baseDn".

Changelog

The issues fixed in each release are listed in JIRA:

  • Release 1.2: http://jira.codehaus.org/sr/jira.issueviews:searchrequest-xml/temp/SearchRequest.xml?fixfor=18454&pid=11911&sorter/field=priority&sorter/order=DESC&tempMax=1000
  • Release 1.1.1: http://jira.codehaus.org/sr/jira.issueviews:searchrequest-xml/temp/SearchRequest.xml?fixfor=18429&pid=11911&sorter/field=priority&sorter/order=DESC&tempMax=1000
  • Release 1.1: http://jira.codehaus.org/sr/jira.issueviews:searchrequest-xml/temp/SearchRequest.xml?fixfor=18403&pid=11911&sorter/field=priority&sorter/order=DESC&tempMax=1000
  • Release 1.0: http://jira.codehaus.org/sr/jira.issueviews:searchrequest-xml/temp/SearchRequest.xml?fixfor=16915&pid=11911&sorter/field=priority&sorter/order=DESC&tempMax=1000
  • Release 0.1: http://jira.codehaus.org/sr/jira.issueviews:searchrequest-xml/temp/SearchRequest.xml?fixfor=16049&pid=11911&sorter/field=priority&sorter/order=DESC&tempMax=1000