
Compatibility Matrix


Apache DS

Active Directory

(tick) - means that it has been successfully tested



This is the documentation for plugin version 1.1 and greater. Documentation for versions prior to 1.1 is located on a separate page. Instructions for migration can be found here.

This plugin enables the delegation of SonarQube™ authentication and authorization to an external system. The plugin currently supports LDAP and Microsoft Active Directory.

The main features of the plugin are:

  • Password checking against the external authentication engine
  • Automatic synchronization of usernames and emails
  • Automatic synchronization of the relationships between users and groups (authorization)
  • Ability to authenticate the user against either the external or the internal authentication system (for instance, technical SonarQube™ user accounts do not need to be defined in the LDAP server)

By default there is no need to first create a user account in the SonarQube™ DB to allow a user to log into SonarQube™. During the first authentication attempt, if the password is correct, the SonarQube™ DB is automatically populated with the new SonarQube™ user. Moreover, each time a user logs into SonarQube™, the username, the email and the groups this user belongs to are automatically refreshed in the SonarQube™ DB.

For the delegation of authorization, there is only one prerequisite: the relationships between users and groups are synchronized only with groups that are already defined in SonarQube™. So groups and their permissions must first be defined in SonarQube™.


  1. Install the plugin through the Update Center or download it into the SONARQUBE_HOME/extensions/plugins directory
  2. Restart the SonarQube™ server


  1. Make sure that at least one user with the System administration role exists in SonarQube™ as well as in the external system
  2. Configure the LDAP plugin by editing the SONARQUBE_HOME/conf/ file (see below)

  3. Restart the SonarQube™ server and check the log file for:

    INFO org.sonar.INFO Security realm: LDAP

    INFO o.s.p.l.LdapContextFactory Test LDAP connection: OK

  4. Log into SonarQube™

General Configuration

| Property | Description | Default value | Mandatory | Example |
|  | This property must be defined to ask the SonarQube™ server to use the LDAP plugin first when trying to authenticate a user. (available since SonarQube™ 2.14) |  |  | LDAP (no other value can be used) |
|  | Optional property that can be used to ask SonarQube™ to save the user password in the SonarQube™ DB. When this property is activated, a user can log into SonarQube™ even when the LDAP server is not available. (available since SonarQube™ 2.14) | false | No |  |
| sonar.authenticator.createUsers | By default, the SonarQube™ DB is automatically populated when a new SonarQube™ user logs into SonarQube™. Setting this value to false makes it mandatory for a System administrator to first declare a user in the SonarQube™ DB before allowing this user to log into SonarQube™. | true | No |  |
| sonar.authenticator.updateUserAttributes | If set to 'true', the user's attributes (name, email, etc.) are re-synchronized at each login. If set to 'false', the user's attributes are not re-synchronized except when creating the user for the first time (sonar.authenticator.createUsers=true). Available since SonarQube™ 3.6. |  |  |  |
| ldap.url | URL of the LDAP server. Note that if you are using ldaps, then you should install the server certificate into the Java truststore. |  | Yes (Not mandatory in case of Auto-discovery) | ldap://localhost:10389 |
| ldap.bindDn | Bind DN is the username of an LDAP user to connect (or bind) with. Leave blank for anonymous access to the LDAP directory. |  | No | cn=sonar,ou=users,o=mycompany |
| ldap.bindPassword | Bind Password is the password of the user to connect with. Leave blank for anonymous access to the LDAP directory. |  | No | secret |
| ldap.authentication | Possible values: 'simple', 'CRAM-MD5', 'DIGEST-MD5', 'GSSAPI'. See description |  |  |  |
| ldap.contextFactoryClass | (advanced option) Context factory |  |  |  |

User Mapping

| Property | Description | Default value | Mandatory | Example for Active Directory Server |
| ldap.user.baseDn | Distinguished Name (DN) of the root node in LDAP from which to search for users. |  | Yes (Not mandatory in case of Auto-discovery) | cn=users,dc=example,dc=org |
| ldap.user.request | (available since plugin version 1.2) |  |  |  |
| ldap.user.objectClass | Deprecated in plugin version 1.2 and replaced by 'ldap.user.request'. Object class of LDAP users. | inetOrgPerson | No | user |
| ldap.user.loginAttribute | Deprecated in plugin version 1.2 and replaced by 'ldap.user.request'. Attribute in LDAP holding the user’s login. | uid | No | sAMAccountName |
| ldap.user.realNameAttribute | Attribute in LDAP holding the user’s real name. | cn | No |  |
| ldap.user.emailAttribute | Attribute in LDAP holding the user’s email. | mail | No |  |

Group Mapping

The following properties should be defined to allow SonarQube™ to automatically synchronize the relationships between users and groups.

There are two limitations:

  • Groups must be static and not dynamic
  • The user entry must contain the attribute 'memberOf' with the list of groups

| Property | Description | Default value | Mandatory | Example for Active Directory Server |
|  | Distinguished Name (DN) of the root node in LDAP from which to search for groups. |  | Yes in version 1.1.1. No in version 1.2, if you want to disable synchronization of groups. | cn=groups,dc=example,dc=org |
|  | (available since plugin version 1.2) |  |  | (&(objectClass=group)(member={dn})) |
|  | Deprecated in plugin version 1.2 and replaced by ''. Object class of LDAP groups. | groupOfUniqueNames | No | group |
|  | Attribute in LDAP holding the group's id. | cn | No |  |
|  | Deprecated in plugin version 1.2 and replaced by ''. Attribute in LDAP holding the group's member. | uniqueMember | No | member |

Example of LDAP Configuration


Here is a description of how auto-discovery works:

  1. Determine the DNS Domain Name:
    • from the "ldap.realm" property if set
    • from the FQDN of the machine where SonarQube™ is installed (e.g. if the FQDN is "", then the DNS Domain Name will be "")
  2. Determine the URL of the LDAP server:
    • from the "ldap.url" property if set
    • from the DNS server (see known limitations); here is an example of an SRV record for domain "": 72784   IN      SRV     0 5 389

      for this domain, the URL of the LDAP server will be "ldap://"

  3. Determine the BaseDN:
    • from the "ldap.baseDn" property if set
    • from the DNS Domain Name (e.g. if the DNS Domain Name is "", then the BaseDN will be "dc=example,dc=org")
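The three auto-discovery steps above, sketched in Python as an added example (this is not the plugin's code). The host names and the SRV line are constructed, and taking the DNS domain to be everything after the first label of the FQDN is an assumption.

```python
# Added example mirroring the auto-discovery steps on this page.
# Host names and the SRV line below are constructed sample values.

def domain_from_fqdn(fqdn):
    """Assumption: the DNS domain is the FQDN without its first label."""
    _host, sep, domain = fqdn.rstrip(".").partition(".")
    if not sep or not domain:
        raise ValueError(f"cannot derive a DNS domain from {fqdn!r}")
    return domain

def url_from_srv(record):
    """Build the LDAP URL from one SRV line: ... SRV priority weight port target."""
    fields = record.split()
    i = fields.index("SRV")  # ValueError if this is not an SRV record
    _priority, _weight, port, target = fields[i + 1:i + 5]
    return f"ldap://{target.rstrip('.')}:{int(port)}"

def base_dn_from_domain(domain):
    """example.org -> dc=example,dc=org"""
    return ",".join(f"dc={label}" for label in domain.split("."))

def autodiscover(props, fqdn, srv_record=None):
    """Explicit properties win; otherwise fall back to FQDN / SRV / domain."""
    realm = props.get("ldap.realm") or domain_from_fqdn(fqdn)
    url = props.get("ldap.url")
    if not url:
        if srv_record is None:
            raise LookupError(f"no ldap.url set and no SRV record for {realm}")
        url = url_from_srv(srv_record)
    base_dn = props.get("ldap.baseDn") or base_dn_from_domain(realm)
    return {"realm": realm, "url": url, "baseDn": base_dn}

# Constructed SRV record for the constructed domain example.org
SRV = "_ldap._tcp.example.org. 72784 IN SRV 0 5 389 ldap.example.org."

if __name__ == "__main__":
    print(autodiscover({}, "sonar.example.org", SRV))
    print(autodiscover({"ldap.url": "ldaps://dc1.example.org:636"},
                       "sonar.example.org"))
```

A URL derived from an SRV record uses the ldap:// scheme, so the cleartext caveat for simple authentication applies unless "ldap.url" is set explicitly to an ldaps URL.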

Authentication Methods

  • Simple
    Simple authentication is not recommended for production deployments that do not use the secure ldaps protocol, as it sends a cleartext password over the network.
  • Anonymous
    Used when only read-only access to non-protected entries and attributes is needed when binding to the LDAP server.
  • CRAM-MD5
    The Challenge-Response Authentication Method (CRAM) based on the HMAC-MD5 MAC algorithm (RFC 2195).
  • DIGEST-MD5
    This is an improvement on the CRAM-MD5 authentication method (RFC 2831).
  • GSSAPI
    GSS-API is the Generic Security Service API (RFC 2744). One of the most popular security services available for GSS-API is Kerberos v5, used in Microsoft's Windows 2000 platform.

For a full discussion of LDAP authentication approaches, see RFC 2829 and RFC 2251.
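A small audit of the plugin settings against the risks this page names (cleartext simple bind, anonymous access, automatic account creation), as an added example that is not part of the plugin. Both samples are constructed, and treating a missing "ldap.authentication" as 'simple' is an assumption.

```python
# Added example: flag LDAP plugin settings this page warns about.
# SAMPLE and HARDENED are constructed configuration fragments.

def parse_properties(text):
    """Minimal key=value parser; splits on the first '=' only."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit(props):
    """Return (code, message) findings for one parsed configuration."""
    findings = []
    url = props.get("ldap.url", "")  # blank means auto-discovery (ldap://)
    # Assumption: an unset ldap.authentication behaves like 'simple'.
    method = props.get("ldap.authentication", "simple")
    if not props.get("ldap.bindDn"):
        findings.append(("anonymous-bind",
                         "ldap.bindDn is blank: the directory is read anonymously"))
    if method == "simple" and not url.lower().startswith("ldaps://"):
        findings.append(("cleartext-password",
                         "simple authentication without ldaps sends passwords in cleartext"))
    if props.get("sonar.authenticator.createUsers", "true").lower() == "true":
        findings.append(("auto-provision",
                         "any user who authenticates gets an account on first login"))
    return findings

SAMPLE = """
ldap.url=ldap://localhost:10389
ldap.bindDn=cn=sonar,ou=users,o=mycompany
ldap.bindPassword=secret
ldap.authentication=simple
"""

HARDENED = """
ldap.url=ldaps://localhost:10636
ldap.bindDn=cn=sonar,ou=users,o=mycompany
ldap.bindPassword=secret
ldap.authentication=simple
sonar.authenticator.createUsers=false
"""

if __name__ == "__main__":
    for code, message in audit(parse_properties(SAMPLE)):
        print(f"{code}: {message}")
```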

Known Limitations

Auto-discovery takes into account only one SRV record.


You can enable debug logging by adding the following to conf/logback.xml:


Migration from plugin version 1.0 to version 1.1.1

Perform the following replacements:

 Replaced by
sonar.authenticator.class: LDAP

Configure Group Mapping: at least by specifying the new mandatory property - "".

Change Log


Release 1.2.1 (1 issues)



Release 1.2 (4 issues)



Release 1.1.1 (1 issues)



Release 1.1 (2 issues)



Release 1.0 (1 issues)



Release 0.1 (8 issues)
