Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Info
iconfalse
titleTable of Contents

Table of Contents

Note

This is the documentation for plugin version 1.1 and greater. Documentation for version prior to 1.1 is located on separate page. Instructions for migration can be found here.

Compatibility Matrix

 

Apache DS

OpenLDAP

OpenDS

Active Directory

Anonymous

(tick)

(tick)

(tick)

 

Simple

(tick)

(tick)

(tick)

(tick)

LDAPS

(tick)

(tick)

 

(tick)

DIGEST-MD5

(tick)

 

(tick)

(tick)

CRAM-MD5

(tick)

 

(tick)

(tick)

GSSAPI

(tick)

 

 

 

(tick) - means that it has been successfully tested

Description

...

This

...

plugin

...

This plugin enables the delegation of SonarQube authentication and authorization to an external system. The plugin currently supports LDAP and Microsoft Active Directory.

...

Anchor
Configuration
Configuration
General Configuration

PropertyDescriptionDefault valueMandatoryExample
sonar.security.realm

This property must be defined to ask the SonarQube server to use first the LDAP plugin when trying to authenticate a user. (available since SonarQube 2.14)

 

Yes

LDAP (no other value can be used)
sonar.security.savePasswordThis optional property can be used to ask SonarQubeto save the user password in the SonarQubeDB. When this property is activated, a user can log into SonarQube even when the LDAP server is not available. (available since SonarQube 2.14)falseNo 
sonar.authenticator.createUsersBy default, the SonarQubeDB is automatically populated when a new SonarQube user logs into SonarQube. Setting this value to false, make it mandatory for a System administrator to first declare a user in the SonarQubeDB before allowing this user to log into SonarQube.trueNo 
sonar.authenticator.updateUserAttributesIf set to 'true', at each login, user's attributes (name, email, etc.) are re-synchronized. If set to 'false', user's attributes are not re-synchronized except when creating the user for the first time (sonar.authenticator.createUsers=true).
Available since SonarQube 3.6.
trueNo 
ldap.urlURL of the LDAP server. Note that if you are using ldaps, then you should install server certificate into java truststore. Yes (Not mandatory in case of Auto-discovery)ldap://localhost:10389
ldap.bindDnBind DN is the username of an LDAP user to connect (or bind) with. Leave blank for anonymous access to the LDAP directory. Nocn=sonar,ou=users,o=mycompany
ldap.bindPasswordBind Password is the password of the user to connect with. Leave blank for anonymous access to the LDAP directory. Nosecret
ldap.authenticationPossible values: 'simple', 'CRAM-MD5', 'DIGEST-MD5', 'GSSAPI'. See  http://java.sun.com/products/jndi/tutorial/ldap/security/auth.htmlsimpleNosee description
ldap.realm Noexample.org
ldap.contextFactoryClass(advanced option) Context factory class.com.sun.jndi.ldap.LdapCtxFactoryNo 

User Mapping

PropertyDescriptionDefault valueMandatoryExample for Active Directory Server
ldap.user.baseDnDistinguished Name (DN) of the root node in LDAP from which to search for users. Yes (Not mandatory in case of Auto-discovery)cn=users,dc=example,dc=org
ldap.user.request(available since plugin version 1.2)
No Format
(&(objectClass=inetOrgPerson)(uid={login}))
No
No Format
(&(objectClass=user)(sAMAccountName={login}))
ldap.user.objectClassDeprecated in plugin version 1.2 and replaced by 'ldap.user.request'. Object class of LDAP users.inetOrgPersonNouser
ldap.user.loginAttributeDeprecated in plugin version 1.2 and replaced by 'ldap.user.request'. Attribute in LDAP holding the user’s login.uidNosAMAccountName
ldap.user.realNameAttributeAttribute in LDAP holding the user’s real name.cnNo 
ldap.user.emailAttributeAttribute in LDAP holding the user’s email.mailNo 

Group Mapping

The following properties should be defined to allow SonarQube to automatically synchronized the relationships between users and groups.

There are two limitations:

  • Groups must be static and not dynamic
  • The user entry must contain the attribute 'memberOf' with list of groups
PropertyDescriptionDefault valueMandatoryExample for Active Directory Server
ldap.group.baseDnDistinguished Name (DN) of the root node in LDAP from which to search for groups. 

Yes in version 1.1.1

No in version 1.2, if you want to disable synchronization of groups.

cn=groups,dc=example,dc=org
ldap.group.request(available since plugin version 1.2)
No Format
(&(objectClass=groupOfUniqueNames)(uniqueMember={dn}))
No
No Format
(&(objectClass=group)(member={dn}))
ldap.group.objectClassDeprecated in plugin version 1.2 and replaced by 'ldap.group.request'. Object class of LDAP groups.groupOfUniqueNamesNogroup
ldap.group.idAttributeAttribute in LDAP holding the group's id.cnNo 
ldap.group.memberAttributeDeprecated in plugin version 1.2 and replaced by 'ldap.group.request'. Attribute in LDAP holding the group's member.uniqueMemberNomember

Example of LDAP Configuration

Code Block
languagenone
# LDAP configuration
sonar.security.realm=LDAP
sonar.security.savePassword=true

ldap.url=ldap://myserver.mycompany.com
 
ldap.user.baseDn=ou=Users,dc=mycompany,dc=com
ldap.user.objectClass=inetOrgPerson
ldap.user.loginAttribute=uid
ldap.user.realNameAttribute=cn
ldap.user.emailAttribute=mail


ldap.group.baseDn=ou=Groups,dc=sonarsource,dc=com
ldap.group.request=(&(objectClass=posixGroup)(memberUid={uid}))

Anchor
Auto-discovery
Auto-discovery
Auto-discovery

...