
Compatibility Matrix

Authentication method   Apache DS   OpenLDAP   OpenDS   Active Directory
Anonymous               (tick)      (tick)     (tick)
Simple                  (tick)      (tick)     (tick)   (tick)
LDAPS                   (tick)      (tick)              (tick)
DIGEST-MD5              (tick)                 (tick)   (tick)
CRAM-MD5                (tick)                 (tick)   (tick)
GSSAPI                  (tick)

(tick) - means that the combination has been successfully tested; an empty cell means it has not been tested

Description

This is the documentation for plugin version 1.1 and greater. Documentation for versions prior to 1.1 is located on a separate page. Migration instructions are in the section "Migration from plugin version 1.0 to version 1.1.1" below.

The Sonar LDAP Plugin enables the delegation of Sonar authentication and authorization to an external system. The plugin currently supports LDAP and Microsoft Active Directory.

The main features of the plugin are:

  1. Automatic user provisioning. By default there is no need to create a user account in the Sonar DB before a user can log into Sonar: on the first authentication attempt, if the password is accepted by the directory, the Sonar DB is populated with the new Sonar user. Moreover, each time a user logs into Sonar, the username, the email and the groups this user belongs to are refreshed in the Sonar DB from the directory.

  2. Delegation of authorization through group synchronization. There is only one prerequisite: user-to-group relationships are synchronized only for groups that already exist in Sonar. Groups and their permissions must therefore be defined in Sonar first; a directory group with no Sonar counterpart is ignored.

Usage & Installation

  1. Install the LDAP plugin through the Update Center, or download the plugin jar and copy it into the SONAR_HOME/extensions/plugins directory
  2. Restart the Sonar server
  3. Make sure that at least one user with the global administration role exists both in Sonar and in the external system, so that you keep an administrator login once authentication is delegated
  4. Configure the LDAP plugin by editing the conf/sonar.properties file (see below)
  5. Restart the Sonar server and check the log file for:

     INFO org.sonar.INFO Security realm: LDAP
     ...
     INFO o.s.p.l.LdapContextFactory Test LDAP connection: OK

  6. Log into Sonar

General Configuration

Each property is listed with its description, default value, whether it is mandatory, and an example value.

sonar.security.realm
  Description: Must be set so that the Sonar server delegates authentication to the LDAP plugin, which is then tried first when authenticating a user. (available since Sonar 2.14)
  Default value: (none)
  Mandatory: Yes
  Example: LDAP (no other value can be used)

sonar.security.savePassword
  Description: Optional; asks Sonar to save the user's password in the Sonar DB, so that a user can still log into Sonar when the LDAP server is not available. Note that this copies directory credentials into the Sonar DB, and a user whose directory account has since been disabled may still log in from that copy while the directory is unreachable; leave it at the default unless you need offline logins. (available since Sonar 2.14)
  Default value: false
  Mandatory: No

sonar.authenticator.createUsers
  Description: By default the Sonar DB is populated automatically when a new user logs into Sonar. Setting this to false makes it mandatory for a Sonar administrator to declare the user in the Sonar DB before that user can log in.
  Default value: true
  Mandatory: No

ldap.url
  Description: URL of the LDAP server. If you use ldaps, the server certificate (or the CA that issued it) must be in the Java truststore of the JVM that runs Sonar, otherwise the TLS handshake fails.
  Default value: (none)
  Mandatory: Yes (not mandatory when auto-discovery is used)
  Example: ldap://localhost:10389

ldap.bindDn
  Description: Bind DN is the username of the LDAP user to connect (bind) with. Leave blank for anonymous access to the LDAP directory. A dedicated read-only account is preferable, since this identity is used for every user and group lookup.
  Default value: (none)
  Mandatory: No
  Example: cn=sonar,ou=users,o=mycompany

ldap.bindPassword
  Description: Bind Password is the password of the user to connect with. Leave blank for anonymous access to the LDAP directory. It is stored in clear in conf/sonar.properties, so restrict read access to that file.
  Default value: (none)
  Mandatory: No
  Example: secret

ldap.authentication
  Description: Possible values: 'simple', 'CRAM-MD5', 'DIGEST-MD5', 'GSSAPI'. See http://java.sun.com/products/jndi/tutorial/ldap/security/auth.html. 'simple' sends the password in clear unless the connection is protected by LDAPS; CRAM-MD5 and DIGEST-MD5 avoid that but are weak by current standards (RFC 6331 moved DIGEST-MD5 to Historic), so prefer simple bind over LDAPS or GSSAPI where available.
  Default value: simple
  Mandatory: No
  Example: see description

ldap.realm
  Default value: (none)
  Mandatory: No
  Example: example.org

ldap.contextFactoryClass
  Description: (advanced option) Context factory class.
  Default value: com.sun.jndi.ldap.LdapCtxFactory
  Mandatory: No

User Mapping

Each property is listed with its description, default value, whether it is mandatory, and an example value for an Active Directory server.

ldap.user.baseDn
  Description: Distinguished Name (DN) of the root node in LDAP from which to search for users.
  Default value: (none)
  Mandatory: Yes (not mandatory when auto-discovery is used)
  Example for Active Directory: cn=users,dc=example,dc=org

ldap.user.request
  Description: LDAP search filter used to find the user entry; {login} is replaced by the login typed by the user. (available since plugin version 1.2)
  Default value: (&(objectClass=inetOrgPerson)(uid={login}))
  Mandatory: No
  Example for Active Directory: (&(objectClass=user)(sAMAccountName={login}))

ldap.user.objectClass
  Description: Deprecated in plugin version 1.2 and replaced by 'ldap.user.request'. Object class of LDAP users.
  Default value: inetOrgPerson
  Mandatory: No
  Example for Active Directory: user

ldap.user.loginAttribute
  Description: Deprecated in plugin version 1.2 and replaced by 'ldap.user.request'. Attribute in LDAP holding the user's login.
  Default value: uid
  Mandatory: No
  Example for Active Directory: sAMAccountName

ldap.user.realNameAttribute
  Description: Attribute in LDAP holding the user's real name.
  Default value: cn
  Mandatory: No

ldap.user.emailAttribute
  Description: Attribute in LDAP holding the user's email.
  Default value: mail
  Mandatory: No

Group Mapping

The following properties should be defined to allow Sonar to automatically synchronize the relationships between users and groups.

There are two limitations:

Each property is listed with its description, default value, whether it is mandatory, and an example value for an Active Directory server.

ldap.group.baseDn
  Description: Distinguished Name (DN) of the root node in LDAP from which to search for groups.
  Default value: (none)
  Mandatory: Yes in version 1.1.1. No in version 1.2, where leaving it unset disables the synchronization of groups.
  Example for Active Directory: cn=groups,dc=example,dc=org

ldap.group.request
  Description: LDAP search filter used to find the groups a user belongs to; {dn} is replaced by the DN of the user entry found by the user request. (available since plugin version 1.2)
  Default value: (&(objectClass=groupOfUniqueNames)(uniqueMember={dn}))
  Mandatory: No
  Example for Active Directory: (&(objectClass=group)(member={dn}))

ldap.group.objectClass
  Description: Deprecated in plugin version 1.2 and replaced by 'ldap.group.request'. Object class of LDAP groups.
  Default value: groupOfUniqueNames
  Mandatory: No
  Example for Active Directory: group

ldap.group.idAttribute
  Description: Attribute in LDAP holding the group's id, which must match the name of the group in Sonar.
  Default value: cn
  Mandatory: No

ldap.group.memberAttribute
  Description: Deprecated in plugin version 1.2 and replaced by 'ldap.group.request'. Attribute in LDAP holding the group's members.
  Default value: uniqueMember
  Mandatory: No
  Example for Active Directory: member
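Both ldap.user.request and ldap.group.request are filter templates into which a value is substituted: {login} comes straight from the login form, {dn} from the directory. Whatever the plugin does internally is not stated on this page, but any code that performs such a substitution has to escape the value as RFC 4515 requires, otherwise a login such as `*` or `*)(uid=*` rewrites the filter. The following Python is an added example, not the plugin's code, that renders the page's own templates with and without that escaping; the login allow-list regex and the sample DN are assumptions made for the example.

```python
"""Added example (not the plugin's own code): render ldap.user.request /
ldap.group.request templates with the substituted values escaped as RFC 4515
requires, and show what an unescaped substitution would do."""
import re

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Assumption for this example: logins are plain account names (optionally UPN-style
# with '@'); anything else is rejected before it reaches the directory at all.
_LOGIN_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, **values: str) -> str:
    """Replace {name} placeholders ({login}, {dn}, {uid}) with escaped values."""
    out = template
    for name, raw in values.items():
        out = out.replace("{" + name + "}", escape_filter_value(raw))
    return out


def render_filter_unsafe(template: str, **values: str) -> str:
    """Same substitution without escaping: shown only to make the risk visible."""
    out = template
    for name, raw in values.items():
        out = out.replace("{" + name + "}", raw)
    return out


def user_filter(template: str, login: str) -> str:
    """Build the user lookup filter; reject logins outside the allowed syntax first."""
    if not _LOGIN_RE.match(login):
        raise ValueError(f"login rejected: {login!r}")
    return render_filter(template, login=login)


# The templates from this page, used as sample input
USER_DEFAULT = "(&(objectClass=inetOrgPerson)(uid={login}))"
USER_AD = "(&(objectClass=user)(sAMAccountName={login}))"
GROUP_AD = "(&(objectClass=group)(member={dn}))"
GROUP_POSIX = "(&(objectClass=posixGroup)(memberUid={uid}))"

if __name__ == "__main__":
    print(user_filter(USER_AD, "jdoe"))
    # A wildcard login turns the unescaped filter into one that matches every user:
    print(render_filter_unsafe(USER_DEFAULT, login="*"))
    # ...while the escaped one searches for a literal asterisk:
    print(render_filter(USER_DEFAULT, login="*"))
    # Group lookup by the user's DN (constructed sample): the backslash that escapes the
    # comma inside the DN must itself be escaped when the DN is placed in a filter.
    print(render_filter(GROUP_AD, dn="CN=Doe\\, John,OU=Users,DC=example,DC=org"))
```

The allow-list check is defence in depth: it is applied before the filter is built, so a rejected login never produces a directory query, while the escaping guarantees that anything which does pass is matched literally.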

Example of LDAP Configuration

# LDAP configuration
sonar.security.realm=LDAP
# Keeps a copy of directory passwords in the Sonar DB so logins keep working while
# the directory is down; leave at the default (false) unless you need that.
sonar.security.savePassword=true

# Prefer ldaps:// (with the server certificate in the Java truststore) where the
# directory offers it: over plain ldap:// a simple bind sends the password in clear.
ldap.url=ldap://myserver.mycompany.com

ldap.user.baseDn=ou=Users,dc=mycompany,dc=com
# Pre-1.2 style user mapping; deprecated in 1.2 in favour of ldap.user.request
ldap.user.objectClass=inetOrgPerson
ldap.user.loginAttribute=uid
ldap.user.realNameAttribute=cn
ldap.user.emailAttribute=mail

# Groups live under the same directory suffix as the users
ldap.group.baseDn=ou=Groups,dc=mycompany,dc=com
# POSIX groups list member uids rather than DNs, hence {uid} instead of {dn}
ldap.group.request=(&(objectClass=posixGroup)(memberUid={uid}))

Auto-discovery

Here is a description of how auto-discovery works:

  1. Determine the DNS domain name:
  2. Determine the URL of the LDAP server:
  3. Determine the base DN:
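The page lists the three auto-discovery steps without detail. The following Python is an added illustration of them, not the plugin's implementation: it takes the SRV name LDAP clients resolve for a domain (_ldap._tcp.<domain>, RFC 2782), orders the answers by priority and weight, and derives a base DN from the domain labels. The dc= derivation and the deterministic ordering (RFC 2782 intends weighted random selection within a priority) are assumptions of the example, as are the constructed DNS answers; a real run would obtain those from a resolver.

```python
"""Added example (not the plugin's own code): the three auto-discovery steps as
functions, run over constructed DNS answers so that it works offline."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    """One SRV answer as returned by a resolver."""
    priority: int
    weight: int
    port: int
    target: str


def srv_query_name(dns_domain: str) -> str:
    """Step 1 -> 2: the SRV name an LDAP client resolves for a DNS domain (RFC 2782)."""
    return f"_ldap._tcp.{dns_domain.strip('.').lower()}"


def order_srv(records):
    """Step 2: RFC 2782 preference order, lowest priority first, heavier weight first
    within a priority. Sorting instead of weighted random choice is a simplification
    (assumption) so that the result is reproducible."""
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))


def ldap_url(record: SrvRecord, scheme: str = "ldap") -> str:
    """Turn an SRV target/port into an ldap.url value (trailing dot removed)."""
    return f"{scheme}://{record.target.rstrip('.')}:{record.port}"


def base_dn_from_domain(dns_domain: str) -> str:
    """Step 3 (assumption): example.org -> dc=example,dc=org, the AD convention."""
    labels = dns_domain.strip(".").lower().split(".")
    return ",".join(f"dc={label}" for label in labels)


def candidate_urls(records):
    """All discovered servers in preference order, for clients that fail over."""
    return [ldap_url(r) for r in order_srv(records)]


def discover(dns_domain, records):
    """Return (url, base_dn) for the preferred record, or None if there is no answer."""
    ordered = order_srv(records)
    if not ordered:
        return None
    return ldap_url(ordered[0]), base_dn_from_domain(dns_domain)


# Constructed sample answers for _ldap._tcp.example.org (not real DNS data)
SAMPLE_ANSWERS = [
    SrvRecord(priority=10, weight=40, port=389, target="ldap2.example.org."),
    SrvRecord(priority=0, weight=100, port=389, target="ldap1.example.org."),
    SrvRecord(priority=10, weight=60, port=389, target="ldap3.example.org."),
]

if __name__ == "__main__":
    print(srv_query_name("example.org"))
    print(discover("example.org", SAMPLE_ANSWERS))
    print(candidate_urls(SAMPLE_ANSWERS))
```

Two points for a deployment: DNS answers are unauthenticated unless the resolver validates DNSSEC, so an attacker who can spoof them chooses which server receives the bind credentials; and a discovered ldap:// URL carries no transport protection on its own. Setting ldap.url explicitly to an ldaps:// address with a pinned truststore entry avoids both, and also sidesteps the single-SRV-record limitation listed below.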

Authentication Methods

For a full discussion of LDAP authentication approaches, see RFC 2829 and RFC 2251 (both since superseded by the LDAPv3 revision, RFC 4513 and RFC 4511 respectively).

Known Limitations

Auto-discovery takes into account only one SRV record.

Troubleshooting

You can enable debug logging by adding the following to conf/logback.xml (remove it again once the problem is found; the output is verbose and ends up in the console and the Sonar log file):

<logger name="org.sonar.plugins.ldap">
  <level value="DEBUG"/>
  <appender-ref ref="CONSOLE"/>
  <appender-ref ref="SONAR_FILE"/>
</logger>

Migration from plugin version 1.0 to version 1.1.1

Perform the following replacements in conf/sonar.properties:

Old property                                                          Replaced by
sonar.authenticator.class: org.sonar.plugins.ldap.LdapAuthenticator   sonar.security.realm: LDAP
ldap.baseDn                                                           ldap.user.baseDn
ldap.userObjectClass                                                  ldap.user.objectClass
ldap.loginAttribute                                                   ldap.user.loginAttribute

Configure Group Mapping: at least specify the new mandatory property "ldap.group.baseDn".
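The renames in the table above are mechanical, and the one thing easy to forget is the new mandatory ldap.group.baseDn. The following Python is an added helper, not part of the plugin, that applies the table to the text of a sonar.properties file and reports what is still missing; the sample file it runs on is constructed for the example.

```python
"""Added example (not part of the plugin): rewrite a pre-1.1 sonar.properties to
the 1.1.1 property names listed in the migration table and flag what is missing."""
import re

# old key -> new key, taken from the migration table
RENAMES = {
    "ldap.baseDn": "ldap.user.baseDn",
    "ldap.userObjectClass": "ldap.user.objectClass",
    "ldap.loginAttribute": "ldap.user.loginAttribute",
}
OLD_AUTHENTICATOR_KEY = "sonar.authenticator.class"
OLD_AUTHENTICATOR_VALUE = "org.sonar.plugins.ldap.LdapAuthenticator"

# key, then '=' or ':' with optional surrounding blanks, then the value
_LINE = re.compile(r"^(\s*)([^=:\s#!]+)(\s*[=:]\s*)(.*)$")


def migrate_properties(text: str):
    """Return (migrated text, list of warnings). Comments and unknown keys are kept as-is."""
    out, warnings, seen = [], [], set()
    for line in text.splitlines():
        m = _LINE.match(line)
        if line.lstrip().startswith(("#", "!")) or not m:
            out.append(line)
            continue
        indent, key, sep, value = m.groups()
        if key == OLD_AUTHENTICATOR_KEY:
            if value.strip() == OLD_AUTHENTICATOR_VALUE:
                key, value = "sonar.security.realm", "LDAP"
            else:
                warnings.append(f"unexpected authenticator left untouched: {value.strip()}")
        else:
            key = RENAMES.get(key, key)
        seen.add(key)
        out.append(f"{indent}{key}{sep}{value}")
    if "sonar.security.realm" in seen and "ldap.group.baseDn" not in seen:
        warnings.append("ldap.group.baseDn is mandatory in 1.1.1: add it before restarting")
    migrated = "\n".join(out)
    if text.endswith("\n"):
        migrated += "\n"
    return migrated, warnings


# Constructed pre-1.1 configuration used as sample input
SAMPLE_OLD_CONFIG = (
    "# LDAP configuration\n"
    "sonar.authenticator.class: org.sonar.plugins.ldap.LdapAuthenticator\n"
    "ldap.url=ldap://ldap.example.org\n"
    "ldap.baseDn=ou=Users,dc=example,dc=org\n"
    "ldap.userObjectClass=inetOrgPerson\n"
    "ldap.loginAttribute=uid\n"
)

if __name__ == "__main__":
    migrated, warnings = migrate_properties(SAMPLE_OLD_CONFIG)
    print(migrated)
    for w in warnings:
        print("WARNING:", w)
```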

Change Log