This plugin enables the delegation of SonarQube authentication to the underlying PAM subsystem. The plugin works on *nix boxes with the Pluggable Authentication Module (PAM).
Only password checking is done against PAM. Authorization (access control) is still fully managed in SonarQube. A SonarQube account must be created first for each new user wishing to use SonarQube. The system administrator should also assign the user to the desired groups in order to grant the necessary rights. If one exists, the password in the SonarQube account will be ignored because the external system password will override it.
OS and Architecture
Mac OS X PPC
Windows all flavours
- Install jpam
- Install SonarQube PAM plugin
Install the plugin through the Update Center or download it into the SONARQUBE_HOME/extensions/plugins directory
- Make sure that at least one user with global administration role exists in SonarQube as well as in the external system
Update the SONARQUBE_HOME/conf/sonar.properties file by adding the following lines:
```
sonar.security.realm: PAM
pam.serviceName=system-auth

# Automatically create users.
# When set to true, the user will be created after successful authentication, if it doesn't exist.
# The default group assigned to new users can be defined online, in SonarQube general settings. The default value is "sonar-users".
# Default is false.
# sonar.authenticator.createUsers: true
```
Restart SonarQube and check logs for:
```
2012.11.24 20:32:34 INFO org.sonar.INFO Security realm: PAM
2012.11.24 20:32:34 INFO org.sonar.INFO Security realm started
```
- Log in to SonarQube
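
A pre-restart check for the settings above, as an added example (not part of the plugin or the original page): it parses sonar.properties, which accepts both `key=value` and `key: value`, and flags a PAM service name that has no file under /etc/pam.d (the Linux-PAM convention, assumed here) or an enabled createUsers setting. The function names and finding labels are hypothetical.

```python
import os
import tempfile

def parse_properties(text):
    """Parse Java-style properties: 'key=value' or 'key: value', '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # The first '=' or ':' separates key from value (the page uses both forms).
        idx = min((i for i in (line.find("="), line.find(":")) if i != -1), default=-1)
        if idx == -1:
            continue
        props[line[:idx].strip()] = line[idx + 1:].strip()
    return props

def audit_pam_realm(text, pam_dir="/etc/pam.d"):
    """Return a list of findings for the PAM realm settings shown on this page."""
    props = parse_properties(text)
    if props.get("sonar.security.realm") != "PAM":
        return ["realm-not-pam"]
    findings = []
    service = props.get("pam.serviceName", "")
    # Reject empty names and anything that is not a plain file name.
    if not service or os.path.basename(service) != service:
        findings.append("bad-service-name")
    elif not os.path.isfile(os.path.join(pam_dir, service)):
        findings.append("missing-pam-service")
    if props.get("sonar.authenticator.createUsers", "false").lower() == "true":
        # Every account that passes PAM gets a SonarQube account in the default group.
        findings.append("auto-create-users-enabled")
    return findings

# Constructed sample: the page's settings with createUsers uncommented.
SAMPLE = """\
sonar.security.realm: PAM
pam.serviceName=system-auth
# Default is false.
sonar.authenticator.createUsers: true
"""

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # stand-in for /etc/pam.d
        open(os.path.join(d, "system-auth"), "w").close()
        print(audit_pam_realm(SAMPLE, pam_dir=d))
```

An `auto-create-users-enabled` finding is a prompt to review which accounts the chosen PAM service accepts, since authorization stays in SonarQube but account creation would then follow any successful PAM login.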
Crash using PAM winbind authentication (pam_winbind.so)
In case of an unsuccessful login due to a bad password or a locked-out account (a bad username does not produce the same issue), you may get this kind of error while using PAM winbind authentication:
In this case SonarQube crashes and restarts automatically.
It appears to be a pam_winbind.so issue. This workaround is available:
- Edit /etc/security/pam_winbind.conf:
Set Kerberos authentication:
```
#
# pam_winbind configuration file
#
# /etc/security/pam_winbind.conf
#

[global]

# turn on debugging
#debug = yes

# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
cached_login = yes

# authenticate using kerberos
krb5_auth = yes

# when using kerberos, request a "FILE" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
;krb5_ccache_type = FILE

# make successful authentication dependent on membership of one SID
# (can also take a name)
;require_membership_of =
```