...
Note: This is the documentation for plugin version 1.1 and greater. Documentation for versions prior to 1.1 is located on a separate page. Instructions for migration can be found here.
The Sonar LDAP Plugin enables the delegation of Sonar authentication and authorization to an external system. The plugin currently supports LDAP and Microsoft Active Directory.
...
Regarding the delegation of authorization, there is only one prerequisite: the relationships between users and groups are only synchronized for groups that are already defined in Sonar. So groups and their related permissions must first be defined in Sonar.
Usage & Installation
- Install the LDAP plugin through the Update Center or, if you do not have access to the Internet, manually download the JAR file into the SONAR_HOME/extensions/plugins directory.
- Restart the Sonar server.
- Make sure that at least one user with the global administration role exists in Sonar as well as in the external system.
- Configure the LDAP plugin by editing the conf/sonar.properties file (see below).
- Restart the Sonar server and check the log file for:
  INFO org.sonar.INFO Security realm: LDAP
  ...INFO o.s.p.l.LdapContextFactory Test LDAP connection: OK
- Log into Sonar.
| Property | Description | Default value | Mandatory | Example |
|---|---|---|---|---|
| sonar.security.realm | This property must be defined to ask the Sonar server to use the LDAP plugin first when trying to authenticate a user. (available since Sonar 2.14) | | Yes | LDAP (no other value can be used) |
| sonar.security.savePassword | This optional property can be used to ask Sonar to save the user password in the Sonar DB. When this property is activated, a user can log into Sonar even when the LDAP server is not available. (available since Sonar 2.14) | false | No | |
| sonar.authenticator.createUsers | By default, the Sonar DB is automatically populated when a new Sonar user logs into Sonar. Setting this value to false makes it mandatory for a Sonar administrator to first declare a user in the Sonar DB before allowing this user to log into Sonar. | true | No | |
| ldap.url | URL of the LDAP server. Note that if you are using ldaps, then you should install the server certificate into the Java truststore. | | Yes (not mandatory in case of auto-discovery) | ldap://localhost:10389 |
| ldap.bindDn | Bind DN is the username of an LDAP user to connect (or bind) with. Leave blank for anonymous access to the LDAP directory. | | No | cn=sonar,ou=users,o=mycompany |
| ldap.bindPassword | Bind Password is the password of the user to connect with. Leave blank for anonymous access to the LDAP directory. | | No | secret |
| ldap.authentication | Possible values: 'simple', 'CRAM-MD5', 'DIGEST-MD5', 'GSSAPI'. See http://java.sun.com/products/jndi/tutorial/ldap/security/auth.html | simple | No | see description |
| ldap.realm | | | No | example.org |
| ldap.contextFactoryClass | (advanced option) Context factory class. | com.sun.jndi.ldap.LdapCtxFactory | No | |
User Mapping
| Property | Description | Default value | Mandatory | Example for Active Directory Server |
|---|---|---|---|---|
| ldap.user.baseDn | Distinguished Name (DN) of the root node in LDAP from which to search for users. | | Yes (not mandatory in case of auto-discovery) | cn=users,dc=example,dc=org |
| ldap.user.request | (available since plugin version 1.2) | | No | |
| ldap.user.objectClass | Deprecated in plugin version 1.2 and replaced by 'ldap.user.request'. Object class of LDAP users. | inetOrgPerson | No | user |
| ldap.user.loginAttribute | Deprecated in plugin version 1.2 and replaced by 'ldap.user.request'. Attribute in LDAP holding the user's login. | uid | No | sAMAccountName |
| ldap.user.realNameAttribute | Attribute in LDAP holding the user's real name. | cn | No | |
| ldap.user.emailAttribute | Attribute in LDAP holding the user's email. | | No | |
Group Mapping
The following properties should be defined to allow Sonar to automatically synchronize the relationships between users and groups.
There are two limitations:
- Groups must be static, not dynamic.
- The user entry must contain the attribute 'memberOf' with the list of groups.
| Property | Description | Default value | Mandatory | Example for Active Directory Server |
|---|---|---|---|---|
| ldap.group.baseDn | Distinguished Name (DN) of the root node in LDAP from which to search for groups. | | Yes in version 1.1.1; No in version 1.2, if you want to disable synchronization of groups. | cn=groups,dc=example,dc=org |
| ldap.group.request | (available since plugin version 1.2) | | No | |
| ldap.group.objectClass | Deprecated in plugin version 1.2 and replaced by 'ldap.group.request'. Object class of LDAP groups. | groupOfUniqueNames | No | group |
| ldap.group.idAttribute | Attribute in LDAP holding the group's id. | cn | No | |
| ldap.group.memberAttribute | Deprecated in plugin version 1.2 and replaced by 'ldap.group.request'. Attribute in LDAP holding the group's members. | uniqueMember | No | member |
Example of LDAP Configuration

```properties
# LDAP configuration
sonar.security.realm=LDAP
sonar.security.savePassword=true
ldap.url=ldap://myserver.mycompany.com
ldap.user.baseDn=ou=Users,dc=mycompany,dc=com
ldap.user.objectClass=inetOrgPerson
ldap.user.loginAttribute=uid
ldap.user.realNameAttribute=cn
ldap.user.emailAttribute=mail
ldap.group.baseDn=ou=Groups,dc=sonarsource,dc=com
ldap.group.request=(&(objectClass=posixGroup)(memberUid={uid}))
```
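The `ldap.group.request` value above is a search-filter template in which `{uid}` is replaced by the login of the user being authenticated. Because the login comes from the person logging in, the substituted value must be escaped per RFC 4515 before the filter reaches the directory, otherwise filter metacharacters in a login would change the query. The following is an added illustration, not code from the plugin, of rendering such a template with that escaping; the `{name}` placeholder syntax is assumed to match the plugin's `{uid}` form.

```python
import re
from typing import Mapping

# RFC 4515 escaping for values placed inside a search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Placeholder form assumed from the page's own example: {uid}
_PLACEHOLDER = re.compile(r"\{(\w+)\}")

# Filter template taken from the configuration example above.
GROUP_REQUEST = "(&(objectClass=posixGroup)(memberUid={uid}))"


def escape_filter_value(value: str) -> str:
    """Escape a single attribute value for safe use inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, values: Mapping[str, str]) -> str:
    """Substitute every {name} placeholder with the escaped value for 'name'.

    Missing placeholders raise rather than silently leaving '{name}' in the
    filter, which would otherwise match nothing (or the wrong thing).
    """
    def substitute(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name not in values:
            raise KeyError(f"no value supplied for placeholder {{{name}}}")
        return escape_filter_value(values[name])

    return _PLACEHOLDER.sub(substitute, template)


if __name__ == "__main__":
    # Constructed logins: an ordinary one and one containing filter metacharacters.
    for login in ("alice", "a*)(cn="):
        print(render_filter(GROUP_REQUEST, {"uid": login}))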
...
- Determine the DNS Domain Name:
  - from the "ldap.realm" property if set
  - from the FQDN of the machine where Sonar is installed (e.g. if the FQDN is "sonar.example.org", then the DNS Domain Name will be "example.org")
- Determine the URL of the LDAP server:
  - from the "ldap.url" property if set
  - from the DNS server (see known limitations); here is an example SRV record for the domain "example.org":
    `_ldap._tcp.example.org. 72784 IN SRV 0 5 389 ldap.example.org.`
    For this domain the URL of the LDAP server will be "ldap://ldap.example.org:389".
- Determine the BaseDN:
  - from the "ldap.baseDn" property if set
  - from the DNS Domain Name (e.g. if the DNS Domain Name is "example.org", then the BaseDN will be "dc=example,dc=org")
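The three derivations above, carried through as an added example (not the plugin's own code): explicit properties win, the domain is taken from `ldap.realm` or the host's FQDN, the LDAP URL is read from an `_ldap._tcp` SRV record, and the BaseDN is built from the domain. It goes one step beyond the page by choosing among several SRV records using RFC 2782 order (lowest priority, then highest weight). The SRV record lines are constructed input standing in for a real DNS query.

```python
import re
from typing import List, Optional, Tuple

# Constructed SRV records in zone-file format; the second one is the page's example.
SRV_RECORDS = [
    "_ldap._tcp.example.org. 72784 IN SRV 10 5 389 backup.example.org.",
    "_ldap._tcp.example.org. 72784 IN SRV 0 5 389 ldap.example.org.",
]

_SRV_RE = re.compile(
    r"^_ldap\._tcp\.\S+\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$"
)


def dns_domain(realm: Optional[str], fqdn: str) -> str:
    """Step 1: ldap.realm wins; otherwise drop the host label from the FQDN."""
    if realm:
        return realm
    labels = fqdn.rstrip(".").split(".")
    if len(labels) < 2:
        raise ValueError(f"FQDN {fqdn!r} has no domain part")
    return ".".join(labels[1:])


def parse_srv(line: str) -> Tuple[int, int, int, str]:
    """Return (priority, weight, port, target) from one _ldap._tcp SRV line."""
    m = _SRV_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an _ldap._tcp SRV record: {line!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4).rstrip(".")


def ldap_url_from_srv(records: List[str]) -> str:
    """Step 2 (DNS path): pick lowest priority, then highest weight, per RFC 2782."""
    best = min((parse_srv(r) for r in records), key=lambda t: (t[0], -t[1]))
    return f"ldap://{best[3]}:{best[2]}"


def base_dn_from_domain(domain: str) -> str:
    """Step 3: example.org -> dc=example,dc=org."""
    return ",".join(f"dc={label}" for label in domain.rstrip(".").split("."))


def discover(fqdn: str, realm: Optional[str] = None, url: Optional[str] = None,
             base_dn: Optional[str] = None, srv_records: List[str] = SRV_RECORDS) -> dict:
    """Apply all three steps, honouring explicitly set properties over discovery."""
    domain = dns_domain(realm, fqdn)
    return {
        "domain": domain,
        "url": url or ldap_url_from_srv(srv_records),
        "baseDn": base_dn or base_dn_from_domain(domain),
    }
```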
...
Configure Group Mapping: at least by specifying the new mandatory property "ldap.group.baseDn".
...
Change Log