
Description

This plugin enables the delegation of SonarQube authentication and authorization to one or multiple external systems. The plugin currently supports LDAP and Microsoft Active Directory.

The main features of the plugin are:

  • Password checking against the external authentication engine
  • Automatic synchronization of usernames and emails
  • Automatic synchronization of relationships between users and groups (authorization)
  • Ability to authenticate against both the external or internal authentication systems (technical SonarQube user accounts have no need for instance to be defined in LDAP)

During the first authentication trial, if the password is correct, the SonarQube database is automatically populated with the new user. Each time a user logs into SonarQube, the username, the email and the groups this user belongs to are automatically refreshed in the SonarQube database.

Regarding the delegation of authorization, there is only one prerequisite: the relationships between users and groups are only synchronized for groups which are already defined in SonarQube. So groups and their related permissions must first be defined in SonarQube.

Compatibility Matrix

Method      | Apache DS | OpenLDAP | OpenDS | Active Directory
Anonymous   | (tick)    | (tick)   | (tick) |
Simple      | (tick)    | (tick)   | (tick) | (tick)
LDAPS       | (tick)    | (tick)   |        | (tick)
DIGEST-MD5  | (tick)    |          | (tick) | (tick)
CRAM-MD5    | (tick)    |          | (tick) | (tick)
GSSAPI      | (tick)    |          |        |

(tick) means that the combination has been successfully tested.

Installation

  1. Install the plugin through the Update Center or download it into the SONARQUBE_HOME/extensions/plugins directory
  2. Restart the SonarQube server

Usage

  1. Configure the LDAP plugin by editing the SONARQUBE_HOME/conf/sonar.properties file (see below)

  2. Restart the SonarQube server and check the log file for:

    INFO org.sonar.INFO Security realm: LDAP
    ...

    INFO o.s.p.l.LdapContextFactory Test LDAP connection: OK

  3. Log into SonarQube

...

sonar.security.realm

...

To first try to authenticate against the external system. If the external system is not reachable or if the user is not defined in the external system, the authentication will be performed through the SonarQube internal system.

...

Yes

...

sonar.security.savePassword

...

false

...

sonar.authenticator.createUsers

...

By default, the SonarQube database is automatically populated when a new user logs into SonarQube. Setting this value to false makes it mandatory for a system administrator to first declare the user through the SonarQube web interface before that user can log into SonarQube.

...

true

...

sonar.security.updateUserAttributes

...

If set to true, the user's attributes (name and email) are re-synchronized at each login. If set to false, they are not re-synchronized.

Note that if set to false, the user's attributes are synchronized just once, at the very first login.

Available since SonarQube 3.6.

...

true

...

ldap.url

...

Yes

(Not mandatory in case of Auto-discovery)

...

ldap.bindDn

...

ldap.bindPassword

...

ldap.authentication

...

ldap.realm

...

ldap.contextFactoryClass

...

User Mapping

Property                    | Description                                                                      | Default value                               | Mandatory                                     | Example for Active Directory Server
ldap.user.baseDn            | Distinguished Name (DN) of the root node in LDAP from which to search for users. | None                                        | Yes (not mandatory in case of auto-discovery) | cn=users,dc=example,dc=org
ldap.user.request           | LDAP user request. Available since version 1.2.                                  | (&(objectClass=inetOrgPerson)(uid={login})) | No                                            | (&(objectClass=user)(sAMAccountName={login}))
ldap.user.realNameAttribute | Attribute in LDAP defining the user's real name.                                 | cn                                          | No                                            |
ldap.user.emailAttribute    | Attribute in LDAP defining the user's email.                                     | mail                                        | No                                            |

Group Mapping

The following properties should be defined to allow SonarQube to automatically synchronize the relationships between users and groups.

There are two limitations:

  • Groups must be static, not dynamic
  • The user entry must contain the attribute memberOf with the list of groups

Property               | Description                                                                       | Default value                                          | Mandatory | Example for Active Directory Server
ldap.group.baseDn      | Distinguished Name (DN) of the root node in LDAP from which to search for groups. | None                                                   | No        | cn=groups,dc=example,dc=org
ldap.group.request     | LDAP group request. Available since version 1.2.                                  | (&(objectClass=groupOfUniqueNames)(uniqueMember={dn})) | No        | (&(objectClass=group)(member={dn}))
ldap.group.idAttribute | Attribute in LDAP defining the group's id.                                        | cn                                                     | No        |
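The user and group request templates above are plain LDAP search filters with {login} and {dn} placeholders. The following added example (not the plugin's own code) shows what resolving such a template correctly involves: the substituted value is escaped per RFC 4515 so that a login or DN containing filter metacharacters is matched literally and cannot change the structure of the filter. The request strings are the ones quoted in the tables; the logins and DN are constructed.

```python
# Added example, not the plugin's code: expands the ldap.user.request and
# ldap.group.request templates from the tables above. Placeholder values are
# escaped per RFC 4515 so that filter metacharacters in a login or DN are
# matched literally instead of changing the structure of the search filter.
import re

PLACEHOLDER = re.compile(r"\{(\w+)\}")

# Default and Active Directory request templates quoted from the tables above.
USER_REQUEST_DEFAULT = "(&(objectClass=inetOrgPerson)(uid={login}))"
USER_REQUEST_AD = "(&(objectClass=user)(sAMAccountName={login}))"
GROUP_REQUEST_DEFAULT = "(&(objectClass=groupOfUniqueNames)(uniqueMember={dn}))"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def resolve_request(template: str, **values: str) -> str:
    """Replace every {name} placeholder with the escaped value supplied for it."""

    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"no value supplied for placeholder {{{name}}}")
        return escape_filter_value(values[name])

    return PLACEHOLDER.sub(substitute, template)


def user_search_filter(login: str, template: str = USER_REQUEST_DEFAULT) -> str:
    """Filter used to look the user up below ldap.user.baseDn."""
    return resolve_request(template, login=login)


def group_search_filter(user_dn: str, template: str = GROUP_REQUEST_DEFAULT) -> str:
    """Filter used to find the groups of an already resolved user DN."""
    return resolve_request(template, dn=user_dn)


if __name__ == "__main__":
    print(user_search_filter("jdoe"))
    print(user_search_filter("jdoe", USER_REQUEST_AD))
    print(group_search_filter("uid=jdoe,ou=Users,dc=mycompany,dc=com"))
    # parentheses in the login stay literal: uid=smith \28ext\29
    print(user_search_filter("smith (ext)"))
```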

Example of LDAP Configuration

    # LDAP configuration
    # General Configuration
    sonar.security.realm=LDAP
    sonar.security.savePassword=true
    ldap.url=ldap://myserver.mycompany.com

    # User Configuration
    ldap.user.baseDn=ou=Users,dc=mycompany,dc=com
    ldap.user.request=(&(objectClass=inetOrgPerson)(uid={login}))
    ldap.user.realNameAttribute=cn
    ldap.user.emailAttribute=mail

    # Group Configuration
    ldap.group.baseDn=ou=Groups,dc=mycompany,dc=com
    ldap.group.request=(&(objectClass=posixGroup)(memberUid={uid}))

Advanced Configuration

Multiple Servers

Available since version 1.3.

To configure multiple servers:

    # List the different servers
    ldap.servers=server1,server2

    # Configure server1
    ldap.server1.url=ldap://server1:1389
    ldap.server1.user.baseDn=dc=dept1,dc=com
    ...

    # Configure server2
    ldap.server2.url=ldap://server2:1389
    ldap.server2.user.baseDn=dc=dept2,dc=com
    ...

Authentication will be tried on each server until the first success (the declaration order of the servers matters).
User/group mapping will be performed against the first server on which the user is found.
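As an added example (not the plugin's own code), the following script reads the ldap.* keys from a sonar.properties text, expands the ldap.servers list into per-server settings as laid out above, and reports the setting a reviewer would check first: simple authentication over a plain ldap:// URL, which sends the password in cleartext. The sample properties are constructed, and treating an unset ldap.authentication as simple is an assumption of the example.

```python
# Added example, not the plugin's code: parses the ldap.* keys of sonar.properties, expands
# ldap.servers into per-server settings (single-server keys when absent) and flags simple
# authentication over plain ldap:// (cleartext password). Unset ldap.authentication is treated as simple (an assumption).
from urllib.parse import urlsplit

def parse_properties(text: str) -> dict:
    """Minimal key=value parser for the sonar.properties format ('#' comments)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def server_settings(props: dict) -> dict:
    """Map each server name to its settings with the ldap.<name>. prefix removed."""
    names = [n.strip() for n in props.get("ldap.servers", "").split(",") if n.strip()]
    prefixes = {n: f"ldap.{n}." for n in names} or {"default": "ldap."}
    return {name: {k[len(p):]: v for k, v in props.items() if k.startswith(p)}
            for name, p in prefixes.items()}

def review(props: dict) -> list:
    """One 'server: message' string per finding; an empty list means nothing found."""
    findings = []
    for name, s in server_settings(props).items():
        url = s.get("url")
        if not url:
            findings.append(f"{name}: no url set, relying on auto-discovery")
            continue
        scheme = urlsplit(url).scheme
        if scheme not in ("ldap", "ldaps"):
            findings.append(f"{name}: unexpected URL scheme {scheme!r} in {url}")
        auth = s.get("authentication", "simple").lower()  # unset = simple (assumption)
        if scheme == "ldap" and auth == "simple":
            findings.append(f"{name}: simple authentication over {url} sends the password in cleartext")
    return findings

# Constructed sonar.properties excerpt following the multi-server layout above.
SAMPLE = """
ldap.servers=server1,server2
ldap.server1.url=ldaps://server1:636
ldap.server1.user.baseDn=dc=dept1,dc=com
ldap.server2.url=ldap://server2:1389
ldap.server2.user.baseDn=dc=dept2,dc=com
"""
if __name__ == "__main__":
    print("\n".join(review(parse_properties(SAMPLE))))
```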

...

Here is a description of how auto-discovery works:

  1. Determine the DNS domain name:
    • From the ldap.realm property, if set.
    • From the FQDN of the machine where SonarQube is installed (e.g. if the FQDN is sonar.example.org, then the DNS domain name will be example.org).
  2. Determine the URL of the LDAP server:
    • From the ldap.url property, if set.
    • From the DNS server (auto-discovery takes into account only one SRV record). Here is an example of an SRV record for the domain example.org:

      _ldap._tcp.example.org. 72784   IN      SRV     0 5 389 ldap.example.org.

      For this domain the URL of the LDAP server will be ldap://ldap.example.org:389.

  3. Determine the BaseDN:
    • From the ldap.baseDn property, if set.
    • From the DNS domain name (e.g. if the DNS domain name is example.org, then the BaseDN will be dc=example,dc=org).
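The three steps above, carried through in an added example that is not the plugin's own code. The SRV record shown above is embedded as a constructed DNS answer so the script runs offline; a real implementation would query DNS for _ldap._tcp.<domain> instead.

```python
# Added example, not the plugin's code: the three auto-discovery steps above, with the
# SRV record line from the page embedded as a constructed DNS answer so that the example
# runs offline (a real implementation would query DNS for _ldap._tcp.<domain>).
from typing import Optional

# Constructed DNS answer; the record text is the one shown above.
SRV_RECORDS = ["_ldap._tcp.example.org. 72784   IN      SRV     0 5 389 ldap.example.org."]

def dns_domain_name(fqdn: str, realm: Optional[str] = None) -> str:
    """Step 1: ldap.realm if set, otherwise the FQDN with its host label removed."""
    if realm:
        return realm
    labels = fqdn.rstrip(".").split(".")
    if len(labels) < 2:
        raise ValueError(f"cannot derive a DNS domain name from {fqdn!r}")
    return ".".join(labels[1:])

def parse_srv_record(line: str) -> tuple:
    """Parse a zone-file style SRV record into (priority, weight, port, target)."""
    fields = line.split()  # name ttl class type priority weight port target
    if len(fields) != 8 or fields[3] != "SRV":
        raise ValueError(f"not an SRV record: {line!r}")
    return int(fields[4]), int(fields[5]), int(fields[6]), fields[7].rstrip(".")

def ldap_url(domain: str, url: Optional[str] = None, records=SRV_RECORDS) -> str:
    """Step 2: ldap.url if set, otherwise the first _ldap._tcp SRV record of the domain."""
    if url:
        return url
    owner = f"_ldap._tcp.{domain}."
    for line in records:
        if line.split()[0] == owner:
            _priority, _weight, port, target = parse_srv_record(line)
            return f"ldap://{target}:{port}"
    raise LookupError(f"no SRV record found for {owner}")

def base_dn(domain: str, configured: Optional[str] = None) -> str:
    """Step 3: ldap.baseDn if set, otherwise one dc= component per domain label."""
    return configured or ",".join(f"dc={label}" for label in domain.split("."))

def auto_discover(fqdn: str, realm=None, url=None, configured_base_dn=None) -> dict:
    """Run the three steps and return the values the plugin would end up using."""
    domain = dns_domain_name(fqdn, realm)
    return {"domain": domain, "url": ldap_url(domain, url), "baseDn": base_dn(domain, configured_base_dn)}

if __name__ == "__main__":
    print(auto_discover("sonar.example.org"))
```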

...

  • Simple
    Simple authentication is not recommended for production deployments that do not use the secure ldaps protocol, as it sends a cleartext password over the network.
  • Anonymous
    Used when the client only needs read-only access to non-protected entries and attributes when binding to the LDAP server.
  • CRAM-MD5
    The Challenge-Response Authentication Method (CRAM) based on the HMAC-MD5 MAC algorithm (RFC 2195).
  • DIGEST-MD5
    An improvement on the CRAM-MD5 authentication method (RFC 2831).
  • GSSAPI
    GSS-API is the Generic Security Service API (RFC 2744). One of the most popular security services available through GSS-API is Kerberos v5, used in Microsoft's Windows 2000 platform.

For a full discussion of LDAP authentication approaches, see RFC 2829 and RFC 2251.

Troubleshooting

You can enable debug logging by adding the following to SONARQUBE_HOME/conf/logback.xml:

conf/logback.xml:

    <logger name="org.sonar.plugins.ldap">
      <level value="DEBUG"/>
      <appender-ref ref="CONSOLE"/>
      <appender-ref ref="SONAR_FILE"/>
    </logger>

Change Log

Version 1.3: http://jira.codehaus.org/sr/jira.issueviews:searchrequest-xml/temp/SearchRequest.xml?fixfor=19024&pid=11911&sorter/field=priority&sorter/order=DESC&tempMax=1000

Version 1.2.1: http://jira.codehaus.org/sr/jira.issueviews:searchrequest-xml/temp/SearchRequest.xml?fixfor=18856&pid=11911&sorter/field=priority&sorter/order=DESC&tempMax=1000

Version 1.2: http://jira.codehaus.org/sr/jira.issueviews:searchrequest-xml/temp/SearchRequest.xml?fixfor=18454&pid=11911&sorter/field=priority&sorter/order=DESC&tempMax=1000

Version 1.1.1: http://jira.codehaus.org/sr/jira.issueviews:searchrequest-xml/temp/SearchRequest.xml?fixfor=18429&pid=11911&sorter/field=priority&sorter/order=DESC&tempMax=1000
Documentation has been moved to http://redirect.sonarsource.com/plugins/ldap.html.