Compatibility matrix

|  | Apache DS | OpenLDAP | OpenDS | Active Directory |
|---|---|---|---|---|
| Anonymous | (tick) | (tick) | (tick) |  |
| Simple | (tick) | (tick) | (tick) | (tick) |
| LDAPS | (tick) | (tick) |  | (tick) |
| DIGEST-MD5 | (tick) |  | (tick) | (tick) |
| CRAM-MD5 | (tick) |  | (tick) | (tick) |
| GSSAPI | (tick) |  |  |  |

(tick) - means that it was tested

Description

The Sonar LDAP Plugin enables the delegation of Sonar authentication to an external system. The plugin currently supports LDAP and Microsoft Active Directory.

Only password checking is done against the external system. Authorization (access control) is still fully managed in Sonar. That’s why LDAP or Active Directory users do not automatically have access to Sonar. A Sonar account must be created first for each new user wishing to use Sonar. The Sonar administrator should also assign the user to the desired groups in order to grant the necessary rights. If a password exists in the Sonar account, it is ignored, because the external system's password overrides it.

Usage & Installation

  1. Download the plugin from the Update Center and restart the server. If you don't have Internet access, manually download the JAR file into $SONAR_HOME/extensions/plugins and restart the server.
  2. Make sure that at least one user with the global administration role exists in Sonar as well as in the external system.
  3. Configure conf/sonar.properties (see below).

  4. Restart the Sonar server and check the log file for:

    INFO org.sonar.INFO Authentication plugin: class com.teklabs.sonar.plugins.ldap.LdapAuthenticator
    INFO org.sonar.INFO Authentication plugin started
    
  5. Log in to Sonar

General Configuration

| Property | Description | Default value | Example |
|---|---|---|---|
| sonar.security.realm | (available since Sonar 2.14) | false | LDAP |
| sonar.security.savePassword | (available since Sonar 2.14) | false |  |
| sonar.authenticator.ignoreStartupFailure |  | false |  |
| sonar.authenticator.createUsers | Automatically create users (available since Sonar 2.0). | true |  |
| sonar.authenticator.downcase |  | false |  |
| ldap.url | URL of the LDAP server. Omit for auto-discovery (see below). Note that if you are using ldaps, you should install the server certificate into the Java truststore. |  | ldap://localhost:10389 |
| ldap.bindDn | (optional) Bind DN is the username of an LDAP user to connect (or bind) with. Leave blank for anonymous access to the LDAP directory. |  | cn=sonar,ou=users,o=mycompany |
| ldap.bindPassword | (optional) Bind Password is the password of the user to connect with. Leave blank for anonymous access to the LDAP directory. |  | secret |
| ldap.authentication | (advanced option) Possible values: 'simple', 'CRAM-MD5', 'DIGEST-MD5', 'GSSAPI'. See http://java.sun.com/products/jndi/tutorial/ldap/security/auth.html | simple |  |
| ldap.realm | (advanced option) |  | example.org |
| ldap.contextFactoryClass | (advanced option) Context factory class. | com.sun.jndi.ldap.LdapCtxFactory |  |

User Mapping

| Property | Description | Default value | Example for Active Directory Server |
|---|---|---|---|
| ldap.user.baseDn | Distinguished Name (DN) of the root node in LDAP from which to search for users. |  | cn=users,dc=example,dc=org |
| ldap.user.objectClass | Object class of LDAP users. | inetOrgPerson | user |
| ldap.user.loginAttribute | Attribute in LDAP holding the user’s login. | uid | sAMAccountName |
|  |  | userpassword |  |
| ldap.user.realNameAttribute | Attribute in LDAP holding the user’s real name. | cn | cn |
| ldap.user.emailAttribute | Attribute in LDAP holding the user’s email. | mail | mail |

Group Mapping

Only static groups are supported, where the group entry contains the list of its users. Dynamic groups, where the user entry contains an attribute (memberOf) with the list of groups, are not supported.

| Property | Description | Default value | Example for Active Directory Server |
|---|---|---|---|
| ldap.group.baseDn | Distinguished Name (DN) of the root node in LDAP from which to search for groups. |  | cn=groups,dc=example,dc=org |
| ldap.group.objectClass | Object class of LDAP groups. | groupOfUniqueNames | group |
| ldap.group.idAttribute | Attribute in LDAP holding the group's id. | cn | cn |
| ldap.group.memberAttribute | Attribute in LDAP holding the group's member. | uniqueMember | member |

Auto-discovery

Auto-discovery works as follows:

  1. Determining the DNS domain name:
    • from the "ldap.realm" property, if set
    • from the FQDN of the machine where Sonar is installed (e.g. if the FQDN is "sonar.example.org", the DNS domain name will be "example.org")
  2. Determining the URL of the LDAP server:
    • from the "ldap.url" property, if set
    • from the DNS server (see known limitations). Here is an example of an SRV record for the domain "example.org":

      _ldap._tcp.example.org. 72784   IN      SRV     0 5 389 ldap.example.org.

      For this domain, the URL of the LDAP server will be "ldap://ldap.example.org:389".

  3. Determining the BaseDN:
    • from the "ldap.baseDn" property, if set
    • from the DNS domain name (e.g. if the DNS domain name is "example.org", the BaseDN will be "dc=example,dc=org")
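
The three steps above, written out as an added Python example (not the plugin's own code) so the fallback order can be checked against a given host name and zone. The names discover, srv_lookup and sample_lookup are hypothetical, the second SRV record is constructed, and using the first record returned is an assumption, since the page only states that a single record is considered.

```python
import re

# One SRV record in zone-file form: name, TTL, class, type, priority, weight, port, target.
SRV_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")

def domain_from_fqdn(fqdn):
    """Step 1 fallback: drop the host label ('sonar.example.org' -> 'example.org')."""
    _host, _, domain = fqdn.rstrip(".").partition(".")
    if not domain:
        raise ValueError("no DNS domain in %r; set ldap.realm" % fqdn)
    return domain

def url_from_srv(record):
    """Step 2 fallback: build ldap://target:port from one SRV record line."""
    match = SRV_RE.match(record.strip())
    if not match:
        raise ValueError("not an SRV record: %r" % record)
    _priority, _weight, port, target = match.groups()
    return "ldap://%s:%s" % (target.rstrip("."), port)

def base_dn_from_domain(domain):
    """Step 3 fallback: 'example.org' -> 'dc=example,dc=org'."""
    return ",".join("dc=" + label for label in domain.split("."))

def discover(props, fqdn, srv_lookup):
    """Resolve domain, URL and BaseDN; an explicitly set property always wins."""
    domain = props.get("ldap.realm") or domain_from_fqdn(fqdn)
    url = props.get("ldap.url")
    if not url:
        records = srv_lookup("_ldap._tcp." + domain)
        if not records:
            raise LookupError("no SRV record for %s; set ldap.url" % domain)
        # Known limitation: only one SRV record is considered. Taking the
        # first one returned is an assumption of this example.
        url = url_from_srv(records[0])
    base_dn = props.get("ldap.baseDn") or base_dn_from_domain(domain)
    return {"domain": domain, "url": url, "baseDn": base_dn}

# Constructed sample data standing in for a DNS query (second record is made up).
SAMPLE_ZONE = {"_ldap._tcp.example.org": [
    "_ldap._tcp.example.org. 72784   IN      SRV     0 5 389 ldap.example.org.",
    "_ldap._tcp.example.org. 72784   IN      SRV     10 5 389 ldap2.example.org.",
]}

def sample_lookup(name):
    """Hypothetical resolver: returns the constructed records for a query name."""
    return SAMPLE_ZONE.get(name, [])

if __name__ == "__main__":
    print(discover({}, "sonar.example.org", sample_lookup))
```

Because the discovered URL uses the ldap:// scheme and comes from whatever the DNS server answers, setting "ldap.url" explicitly is the way to pin the server and the scheme.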

Authentication Methods

  • Simple
    Simple authentication is not recommended for production deployments that do not use the secure ldaps protocol, because it sends the password over the network in cleartext.
  • Anonymous
    Used when only read-only access to non-protected entries and attributes is needed when binding to the LDAP server.
  • CRAM-MD5
    The Challenge-Response Authentication Method (CRAM), based on the HMAC-MD5 MAC algorithm (RFC 2195).
  • DIGEST-MD5
    This is an improvement on the CRAM-MD5 authentication method (RFC 2831).
  • GSSAPI
    GSS-API is the Generic Security Service API (RFC 2744). One of the most popular security services available for GSS-API is Kerberos v5, used in Microsoft's Windows 2000 platform.

For a full discussion of LDAP authentication approaches, see RFC 2829 and RFC 2251.
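
An added example (not part of the plugin or of Sonar) that reads a sonar.properties text and reports the bind conditions described above: simple authentication without ldaps, an omitted "ldap.url", and a blank "ldap.bindDn". The function names, finding codes, sample files and the 10636 port are constructed; an auto-discovered URL is assumed to be ldap://, as in the SRV example on this page.

```python
def parse_properties(text):
    """Minimal key=value reader: skips blank lines and '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit_ldap_bind(text):
    """Return (code, message) findings about how the plugin will bind."""
    props = parse_properties(text)
    # 'simple' is the default listed in the General Configuration table.
    method = props.get("ldap.authentication") or "simple"
    url = props.get("ldap.url", "")
    findings = []
    if not url:
        findings.append(("URL_AUTODISCOVERED",
                         "ldap.url omitted: server is taken from a DNS SRV record"))
    # Assumption: an auto-discovered URL is ldap://, as in the page's SRV example.
    if method.lower() == "simple" and not url.lower().startswith("ldaps://"):
        findings.append(("CLEARTEXT_SIMPLE_BIND",
                         "simple authentication without ldaps sends the password in cleartext"))
    if not props.get("ldap.bindDn"):
        findings.append(("ANONYMOUS_BIND",
                         "ldap.bindDn blank: the directory is accessed anonymously"))
    return findings

# Constructed sample configurations; host names and ports are placeholders.
WEAK = """
sonar.security.realm=LDAP
ldap.url=ldap://localhost:10389
ldap.bindDn=cn=sonar,ou=users,o=mycompany
ldap.bindPassword=secret
"""
CORRECTED = WEAK.replace("ldap://localhost:10389", "ldaps://localhost:10636")
AUTODISCOVERED = "sonar.security.realm=LDAP\nldap.authentication=simple\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("corrected", CORRECTED),
                       ("autodiscovered", AUTODISCOVERED)):
        print(name, [code for code, _ in audit_ldap_bind(conf)])
```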

Known limitations

Auto-discovery takes into account only one SRV record.

Troubleshooting

You can enable debug logging by adding the following to conf/logback.xml:

conf/logback.xml

Changelog

Release 1.1

Release 1.0 (1 issues)

| Type | Key | Summary | Priority | Status | Resolution |
|---|---|---|---|---|---|
| Task | SONARPLUGINS-764 | Use sonar-plugin packaging | Major | Closed | Fixed |


Release 0.1 (8 issues)
