This plugin enables the delegation of SonarQube authentication to an external system. The plugin currently supports LDAP and Microsoft Active Directory.
Only password-checking is done against the external system. Authorization (access control) is still fully managed in SonarQube. That’s why LDAP or Active Directory users do not automatically have access to SonarQube. A SonarQube account must be created first for each new user wishing to use SonarQube. The SonarQube administrator should also assign the user to the desired groups in order to grant him necessary rights. If exists, the password in the SonarQubeaccount will be ignored as the external system password will override it.
Configure conf/sonar.properties by adding and editing the following:
# Activates the plugin. Leave blank or comment out to use default SonarQube authentication. sonar.authenticator.class: org.sonar.plugins.ldap.LdapAuthenticator # Ignore failure at startup if the connection to external system is refused. # Users can browse SonarQube but not log in as long as the connection fails. # When set to true, SonarQube will not start if connection to external system fails. # Default is false. #sonar.authenticator.ignoreStartupFailure: true # Automatically create users. # When set to true, user will be created after successful authentication, if doesn't exists. # The default group affected to new users can be defined online, in SonarQube general settings. The default value is "sonar-users". # Default is false. #sonar.authenticator.createUsers: true # (omit if you use autodiscovery) URL of the LDAP server. # If you are using ldaps, then you should install server certificate into java truststore. # eg. ldap://localhost:10389 ldap.url: # (optional) Distinguished Name (DN) of the root node in LDAP from which to search for users, # eg. “ou=users,o=mycompany” ldap.baseDn: # (optional) Bind DN is the username of an LDAP user to connect (or bind) with. # This is a Distinguished Name of a user who has administrative rights, # eg. “cn=sonar,ou=users,o=mycompany”. Leave blank for anonymous access to the LDAP directory. #ldap.bindDn: # (optional) Bind Password is the password of the user to connect with. # Leave blank for anonymous access to the LDAP directory. #ldap.bindPassword: # Login Attribute is the attribute in LDAP holding the user’s login. # Default is ‘uid’. Set ’sAMAccountName’ for Microsoft Active Directory #ldap.loginAttribute: sAMAccountName # Object class of LDAP users. # Default is 'inetOrgPerson'. Set ‘user’ for Microsoft Active Directory. #ldap.userObjectClass: user # (advanced option) See http://java.sun.com/products/jndi/tutorial/ldap/security/auth.html # Default is 'simple'. Possible values: 'simple', 'CRAM-MD5', 'DIGEST-MD5', 'GSSAPI'. #ldap.authentication: DIGEST-MD5 # (advanced option) # See # http://java.sun.com/products/jndi/tutorial/ldap/security/digest.html # http://java.sun.com/products/jndi/tutorial/ldap/security/crammd5.html # eg. example.org #ldap.realm: # (advanced option) Context factory class. # Default is 'com.sun.jndi.ldap.LdapCtxFactory'. #ldap.contextFactoryClass: com.sun.jndi.ldap.LdapCtxFactory
Restart the SonarQube server and check the log file for:
INFO org.sonar.INFO Authentication plugin: class com.teklabs.sonar.plugins.ldap.LdapAuthenticator INFO org.sonar.INFO Authentication plugin started