
Description / Features

This plugin allows the delegation of SonarQube authentication and authorization to LDAP and/or Microsoft Active Directory.

The main features are:

  • Password checking against the external authentication engine.
  • Automatic synchronization of usernames and emails.
  • Automatic synchronization of relationships between users and groups (authorization).
  • Ability to authenticate against either the external or the internal authentication system (for instance, technical SonarQube user accounts do not need to be defined in LDAP).

On the first authentication attempt, if the password is correct, the SonarQube database is automatically populated with the new user. Each time a user logs into SonarQube, the username, the email and the user's group memberships (for groups that are already defined in SonarQube) are automatically refreshed in the SonarQube database. To delegate authorization, groups and their related permissions must first be defined in SonarQube.



Apache DS



Active Directory

(tick) - means that it has been successfully tested


  1. Install the plugin through the Update Center or download it into the SONARQUBE_HOME/extensions/plugins directory
  2. Restart the SonarQube server


  1. Configure the LDAP plugin by editing the SONARQUBE_HOME/conf/ file (see table below)

  2. Restart the SonarQube server and check the log file for:

    INFO org.sonar.INFO Security realm: LDAP

    INFO o.s.p.l.LdapContextFactory Test LDAP connection: OK

  3. Log into SonarQube

General Configuration

Property | Description | Default value | Mandatory | Example

To first try to authenticate against the external system. If the external system is not reachable or if the user is not defined in the external system, the authentication will be performed through the SonarQube internal system.



LDAP (only possible value)
To save the user password in the SonarQube database. Then, users will be able to log into SonarQube even when the LDAP server is not reachable.

By default, the SonarQube database is automatically populated when a new user logs into SonarQube. Setting this value to false makes it mandatory for a System administrator to first declare a user through the SonarQube web interface before allowing this user to log into SonarQube.


If set to true, at each login, user's attributes (name and email) are re-synchronized. If set to false, user's attributes are not re-synchronized.

Note that if set to false, user's attributes are synchronized just once, at the very first login.

Available since SonarQube 3.6.

sonar.authenticator.downcase | Set to true when connecting to an LDAP server using a case-insensitive setup. | false | No
URL of the LDAP server. Note that if you are using ldaps, then you should install the server certificate into the Java truststore. | None


(Not mandatory in case of Auto-discovery)

Bind DN is the username of an LDAP user to connect (or bind) with. Leave this blank for anonymous access to the LDAP directory. | None | No | cn=sonar,ou=users,o=mycompany
Bind Password is the password of the user to connect with. Leave this blank for anonymous access to the LDAP directory. | None | No | secret
Possible values: simple | CRAM-MD5 | DIGEST-MD5 | GSSAPI
Context factory 

User Mapping

Property | Description | Default value | Mandatory | Example for Active Directory Server
ldap.user.baseDn | Distinguished Name (DN) of the root node in LDAP from which to search for users. | None


(Not mandatory in case of Auto-discovery)


LDAP user request.

Available since version 1.2.

ldap.user.realNameAttribute | Attribute in LDAP defining the user’s real name. | cn | No
ldap.user.emailAttribute | Attribute in LDAP defining the user’s email. | mail | No

Group Mapping

The following properties should be defined to allow SonarQube to automatically synchronize the relationships between users and groups.

Only groups are supported (not roles).

Only static groups are supported (not dynamic groups).

Property | Description | Default value | Mandatory | Example for Active Directory Server
Name (DN) of the root node in LDAP from which to search for groups. | None | No | cn=groups,dc=example,dc=org

LDAP group request.

Available since version 1.2.

(&(objectClass=group)(member={dn}))

in LDAP defining the group's id. | cn | No

Example of LDAP Configuration

Advanced Configuration

Multiple Servers

Available since version 1.3.

To configure multiple servers:

Authentication will be tried on each server, in the order they are listed in the configurations, until one succeeds. User/Group mapping will be performed against the first server on which the user is found.

Note that all the LDAP servers must be available while (re)starting the SonarQube server.


Here is how auto-discovery works:

  1. Determine DNS Domain Name:
    • From ldap.realm property, if set.
    • From FQDN of machine, where SonarQube is installed (eg. if FQDN is, then the DNS Domain Name will be
  2. Determine URL of LDAP server:
    • From ldap.url property, if set.
    • From DNS server (Auto-discovery takes into account only one SRV record). Here is an example of the SRV Record for domain 72784   IN      SRV     0 5 389

      for this domain, the URL of the LDAP server will be ldap://

  3. Determine BaseDN:
    • From "ldap.baseDn" property, if set.
    • From DNS Domain Name (eg. if the DNS Domain Name is, then the BaseDN will be dc=example,dc=org).

Authentication Methods

  • Simple
    Simple authentication is not recommended for production deployments not using the ldaps secure protocol since it sends a cleartext password over the network.
  • Anonymous
    Used when only read-only access to non-protected entries and attributes is needed when binding to the LDAP server.
  • CRAM-MD5
    The Challenge-Response Authentication Method (CRAM) based on the HMAC-MD5 MAC algorithm (RFC 2195).
  • DIGEST-MD5
    This is an improvement on the CRAM-MD5 authentication method (RFC 2831).
  • GSSAPI
    GSS-API is the Generic Security Service API (RFC 2744). One of the most popular security services available for GSS-API is Kerberos v5, used in Microsoft's Windows 2000 platform.

For a full discussion of LDAP authentication approaches, see RFC 2829 and RFC 2251.
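
The auto-discovery steps above, combined with the caveat on simple authentication without ldaps, can be checked offline before a deployment. The following is an added example, not code from the plugin: the function names, hostnames, the `auth_method` parameter and the sample SRV line are constructed, and the "FQDN minus host label" rule and the `ldap://host:port` URL shape are assumptions.

```python
# Added example, not SonarQube plugin code. Function names, hostnames and the
# sample SRV line are constructed; only the property keys come from the page.

def parse_srv(line):
    """Parse a zone-file SRV line: name TTL IN SRV priority weight port target."""
    f = line.split()
    if len(f) != 8 or f[2].upper() != "IN" or f[3].upper() != "SRV":
        raise ValueError("not an SRV record: %r" % line)
    return {"port": int(f[6]), "target": f[7].rstrip(".")}

def domain_to_base_dn(domain):
    """Turn each DNS label into a dc= component (example.org -> dc=example,dc=org)."""
    return ",".join("dc=" + label for label in domain.strip(".").split(".") if label)

def discover(props, fqdn, srv_lines):
    """Resolve domain, URL and BaseDN with the precedence of steps 1-3."""
    # Step 1: ldap.realm wins; otherwise assume the domain is the FQDN
    # without its leading host label.
    domain = props.get("ldap.realm")
    if not domain:
        if "." not in fqdn:
            raise ValueError("cannot derive a DNS domain from %r" % fqdn)
        domain = fqdn.split(".", 1)[1]
    # Step 2: ldap.url wins; otherwise only the first SRV record is used.
    url = props.get("ldap.url")
    if not url:
        if not srv_lines:
            raise ValueError("no SRV record for %s and ldap.url is unset" % domain)
        srv = parse_srv(srv_lines[0])
        url = "ldap://%s:%d" % (srv["target"], srv["port"])  # assumed URL shape
    # Step 3: ldap.baseDn wins; otherwise derive it from the domain.
    base_dn = props.get("ldap.baseDn") or domain_to_base_dn(domain)
    return {"domain": domain, "url": url, "base_dn": base_dn}

def cleartext_bind_risk(url, auth_method="simple"):
    """True when a simple bind would cross the network without ldaps."""
    return auth_method.lower() == "simple" and not url.lower().startswith("ldaps://")

if __name__ == "__main__":
    srv = ["_ldap._tcp.example.org. 72784 IN SRV 0 5 389 ldap.example.org."]  # constructed
    found = discover({}, "sonar.example.org", srv)
    print(found, "cleartext simple bind:", cleartext_bind_risk(found["url"]))
```

A URL obtained purely from the SRV record is an ldap:// URL, so with simple authentication the check returns True; setting ldap.url to an ldaps:// address clears it.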


You can enable debug logging by adding the following to SONARQUBE_HOME/conf/logback.xml:


Change Log


Version 1.3 (1 issues)



Version 1.2.1 (1 issues)



Version 1.2 (4 issues)
