
Description / Features

This plugin enables the delegation of SonarQube authentication to the underlying PAM subsystem. The plugin works on *nix boxes with the Pluggable Authentication Module (PAM).

Only password-checking is done against PAM. Authorization (access control) is still fully managed in SonarQube. During the first authentication trial, if the password is correct, the SonarQube database is automatically populated with the new user. The System administrator should assign the user to the desired groups in order to grant him the necessary rights. If a password exists in the SonarQube database, it will be ignored because the external system password will override it.

...

Requirements

OS and Architecture     Works
Linux AMD64             (tick)
Linux i386              (tick)
Mac OS X PPC            (warning)
Solaris sparc           (warning)
Windows all flavours    (minus)

(tick) Works, tested
(warning) Should work, not tested
(minus) Does not work

Usage & Installation

  1. Install jpam
    1. Download jpam for your system from here
    2. Alternatively:
      1. Copy the jpam's native library following these directions
      2. Copy the jpam's native library into sonar/bin/<your arch>/lib
  2. Install the PAM plugin through the Update Center or download it into the SONARQUBE_HOME/extensions/plugins directory
  3. Make sure that at least one user with global administration role exists in SonarQube as well as in the external system
  4. Configure

    Update the SONARQUBE_HOME/conf/sonar.properties file by adding and editing the following lines:

    sonar.properties:

    #----------------------
    # Sonar PAM Auth Plugin
    #----------------------
    sonar.security.realm: PAM
    pam.serviceName=system-auth

    # Automatically create users (available since Sonar 2.0).
    # When set to true, the user will be created after successful authentication if it doesn't exist.
    # The default group assigned to new users can be defined online, in SonarQube general settings. The default value is "sonar-users".
    # Default is false.
    sonar.authenticator.createUsers: true
    
  5. Restart SonarQube and check logs for:

    2012.11.24 20:32:34 INFO  org.sonar.INFO Security realm: PAM
    2012.11.24 20:32:34 INFO  org.sonar.INFO Security realm started
    
  6. Log in to SonarQube

...
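
A quick check for steps 4 and 5 after the restart, as an added example (not part of the plugin or of the original page): it parses sonar.properties, accepting both the `key: value` and `key=value` forms used above, and confirms that both realm log lines are present. The function names and the sample inputs are constructed for illustration.

```python
import re

LOG_MARKERS = ("Security realm: PAM", "Security realm started")

def parse_properties(text):
    """Minimal .properties parser: '#'/'!' comments, ':' or '=' separators."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^:=\s]+)\s*[:=]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def check_pam_setup(properties_text, log_text):
    """Return a list of findings; an empty list means the setup matches the steps."""
    props = parse_properties(properties_text)
    findings = []
    if props.get("sonar.security.realm") != "PAM":
        findings.append("sonar.security.realm is not set to PAM")
    if not props.get("pam.serviceName"):
        findings.append("pam.serviceName is not set")
    if props.get("sonar.authenticator.createUsers", "false").lower() != "true":
        findings.append("createUsers is off: accounts are not created on first login")
    for marker in LOG_MARKERS:
        if marker not in log_text:
            findings.append("log line missing: " + marker)
    return findings

# Constructed sample inputs (not taken from a real server).
SAMPLE_PROPERTIES = """\
sonar.security.realm: PAM
pam.serviceName=system-auth
sonar.authenticator.createUsers: true
"""
SAMPLE_LOG = """\
2012.11.24 20:32:34 INFO  org.sonar.INFO Security realm: PAM
2012.11.24 20:32:34 INFO  org.sonar.INFO Security realm started
"""

if __name__ == "__main__":
    for finding in check_pam_setup(SAMPLE_PROPERTIES, SAMPLE_LOG) or ["OK"]:
        print(finding)
```

A realm line that is still commented out is reported the same way as a missing one, which is the usual reason the log lines never appear.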


Known Issues

Crash using PAM winbind authentication (pam_winbind.so)

In case of an unsuccessful login for a bad password or a locked out account (a bad username does not produce the same issue) you may get this kind of error while using pam winbind authentication:

pam_winbind.so error:
INFO   | jvm 1    | 2011/03/18 10:06:10 | *** glibc detected *** java: free(): invalid pointer: 0x00002aaadc000168 ***
INFO   | jvm 1    | 2011/03/18 10:06:10 | ======= Backtrace: =========
INFO   | jvm 1    | 2011/03/18 10:06:10 | /lib64/libc.so.6[0x3b9527245f]
INFO   | jvm 1    | 2011/03/18 10:06:10 | /lib64/libc.so.6(cfree+0x4b)[0x3b952728bb]
INFO   | jvm 1    | 2011/03/18 10:06:10 | /lib64/security/pam_winbind.so[0x2aaadaddc8f9]
INFO   | jvm 1    | 2011/03/18 10:06:10 | /lib64/security/pam_winbind.so[0x2aaadaddee4c]
INFO   | jvm 1    | 2011/03/18 10:06:10 | /lib64/security/pam_winbind.so(pam_sm_authenticate+0x304)[0x2aaadaddf9e4]
INFO   | jvm 1    | 2011/03/18 10:06:10 | /lib64/libpam.so.0(_pam_dispatch+0x277)[0x3b97e02dc7]
INFO   | jvm 1    | 2011/03/18 10:06:10 | /lib64/libpam.so.0(pam_authenticate+0x42)[0x3b97e026d2]

In this case SonarQube crashes and restarts automatically.

It appears to be a pam_winbind.so issue. This workaround is available:

  1. Edit /etc/security/pam_winbind.conf:
  2. Set Kerberos authentication:

    /etc/security/pam_winbind.conf:
    #
    # pam_winbind configuration file
    #
    # /etc/security/pam_winbind.conf
    #
    
    [global]
    
    # turn on debugging
    #debug = yes
    
    # request a cached login if possible
    # (needs "winbind offline logon = yes" in smb.conf)
    cached_login = yes
    
    # authenticate using kerberos
    krb5_auth = yes
    
    # when using kerberos, request a "FILE" krb5 credential cache type
    # (leave empty to just do krb5 authentication but not have a ticket
    # afterwards)
    ;krb5_ccache_type = FILE
    
    # make successful authentication dependent on membership of one SID
    # (can also take a name)
    ;require_membership_of =
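
To spot this crash in the wrapper log, the added example below (not part of the plugin or of the original page) groups each glibc abort with its backtrace and flags the ones that pass through pam_winbind.so during pam_authenticate. The function name and the sample log are constructed for illustration.

```python
import re

# Wrapper log line as shown above: "INFO   | jvm 1    | 2011/03/18 10:06:10 | <message>"
LINE = re.compile(r"^\w+\s*\|\s*jvm \d+\s*\|\s*([\d/]+ [\d:]+)\s*\|\s?(.*)$")
ABORT = re.compile(r"\*\*\* glibc detected \*\*\* (\S+): (.+?) \*\*\*")
# glibc backtrace frame: /path/lib.so(symbol+0xoff)[0xaddr] or /path/lib.so[0xaddr]
FRAME = re.compile(r"^(/\S+?)(?:\(([^+)]*)\+0x[0-9a-f]+\))?\[0x[0-9a-f]+\]$")

def find_native_aborts(log_text):
    """Return one record per glibc abort, with its backtrace frames."""
    crashes, current = [], None
    for raw in log_text.splitlines():
        line = LINE.match(raw)
        if not line:
            continue
        stamp, msg = line.group(1), line.group(2).strip()
        abort = ABORT.search(msg)
        if abort:
            current = {"time": stamp, "process": abort.group(1),
                       "error": abort.group(2), "frames": []}
            crashes.append(current)
        elif current is not None:
            frame = FRAME.match(msg)
            if frame:
                current["frames"].append((frame.group(1), frame.group(2) or ""))
            elif not msg.startswith("======="):
                current = None  # backtrace is over
    for crash in crashes:
        libs = [lib for lib, _ in crash["frames"]]
        syms = [sym for _, sym in crash["frames"]]
        # Signature from this page: abort inside pam_winbind.so during pam_authenticate.
        crash["pam_winbind"] = (any(l.endswith("/pam_winbind.so") for l in libs)
                                and "pam_authenticate" in syms)
    return crashes

# Constructed sample modelled on the trace above (addresses are made up).
SAMPLE = """\
INFO   | jvm 1    | 2011/03/18 10:06:09 | some normal application output
INFO   | jvm 1    | 2011/03/18 10:06:10 | *** glibc detected *** java: free(): invalid pointer: 0x00002aaa00000168 ***
INFO   | jvm 1    | 2011/03/18 10:06:10 | ======= Backtrace: =========
INFO   | jvm 1    | 2011/03/18 10:06:10 | /lib64/libc.so.6(cfree+0x4b)[0x3b00000001]
INFO   | jvm 1    | 2011/03/18 10:06:10 | /lib64/security/pam_winbind.so(pam_sm_authenticate+0x304)[0x2aaa00000002]
INFO   | jvm 1    | 2011/03/18 10:06:10 | /lib64/libpam.so.0(pam_authenticate+0x42)[0x3b00000003]
INFO   | jvm 1    | 2011/03/18 10:06:11 | another application line
"""

if __name__ == "__main__":
    for c in find_native_aborts(SAMPLE):
        print(c["time"], c["error"], "pam_winbind" if c["pam_winbind"] else "other")
```

Since each flagged record corresponds to one crash and automatic restart, counting them over time shows how often failed logins are taking the server down.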
    

Known limitations

Troubleshooting

ChangeLog

Release 1.0
http://jira.codehaus.org/sr/jira.issueviews:searchrequest-xml/temp/SearchRequest.xml?fixfor=17263&pid=11911&sorter/field=priority&sorter/order=DESC&tempMax=1000