2
votes

We have just performed an upgrade to SonarQube 5.6 in a test environment. The current Sonar 5.2 is work fine in production with LDAP authentication.

I can login with my AD credentials, but i have no group membership when I check my permissions through the local admin account.

Also, in addition to my original LDAP account in Sonar, i now have a 2nd account with syntax [email protected] instead of just username. My username account still has the original group memberships as expected, but the new created [email protected] doesn't.

When i try to manually assign groups in sonar they are cleared on the next login, which is intended i believe.

I have enabled to debug log and this shows it does actually still find the memberOf groups from active directory, but it doesn't link them to my account. The groups still exist in Sonar.

2016.06.08 11:20:55 DEBUG web[o.s.p.l.w.WindowsUsersProvider] Requesting details for user: nico
2016.06.08 11:20:55 DEBUG web[o.s.p.l.w.WindowsAuthenticationHelper] Getting details for user: nico
2016.06.08 11:20:55 DEBUG web[o.s.p.l.w.AdConnectionHelper] Getting active directory bind string for domain: Domain
2016.06.08 11:20:55 DEBUG web[o.s.p.l.w.AdConnectionHelper] Active directory bind string for the domain Domain: LDAP://Domain/DC=domain,DC=com
2016.06.08 11:20:56 DEBUG web[o.s.p.l.w.WindowsAuthenticationHelper] Details for user nico: UserDetails{name=Nico (nico), [email protected], userId=nico@Domain}
2016.06.08 11:20:56 DEBUG web[o.s.p.l.w.WindowsAuthenticationHelper] Authenticating user: nico
2016.06.08 11:21:03 DEBUG web[o.s.p.l.w.WindowsAuthenticationHelper] Getting groups for user: Domain\nico
2016.06.08 11:21:03 DEBUG web[o.s.p.l.w.WindowsAuthenticationHelper] Groups for the user Domain\nico : [Sonar Admins@Domain, Sonar Users@Domain]
2016.06.08 11:21:03 DEBUG web[o.s.s.u.NewUserNotifier] User created: nico@Domain. Notifying NewUserHandler handlers...

What I notice about the log is that the username property used doesn't look consistent. At one point it says "Authenticating user: nico" and in the other "getting groups for Domain\Nico" and in the end "Created user [email protected]" 3 different user names are used.

Is this something I can/should control ? or would this be an issue with SonarQube.

Looking forward to your feedback.

Nico

This is my LDAP Configuration

# LDAP configuration
# General Configuration
sonar.security.realm: LDAP
sonar.security.savePassword: true
sonar.authenticator.createUsers: true
sonar.security.localUsers: admin,sonar-build
ldap.url: ldap://ipadress:389
ldap.bindDn: CN=SonarUser,OU=Service Accounts,DC=domain,DC=com  
ldap.bindPassword: {aes}xxx

# User Configuration
ldap.user.baseDn: DC=domain,DC=com  
ldap.user.request: (&(objectClass=user)(sAMAccountName={login})) 
ldap.user.realNameAttribute: cn
ldap.user.emailAttribute: mail

# Group Configuration
ldap.group.baseDn: DC=domain,DC=com  
ldap.group.request: (&(objectClass=group)(memberUid={uid}))
3

3 Answers

3
votes

I have found this blog page, that is describing the changes in the LDAP addin

https://blogs.msdn.microsoft.com/visualstudioalm/2015/11/13/support-for-active-directory-and-single-sign-on-sso-in-the-sonarqube-ldap-plugin/

It confirms the problems i was having and the issues i still have today with duplicate user accounts.

Hope this helps someone else.

Nico

0
votes

I had a similar issue and got is solved by creating a group in SonarQube that matches a group discovered by the WindowsAuthenticationHelper.

In your case this means that you need a SonarQube group that is called Sonar Admins@Domain or Sonar Users@Domain.

When you log in again, the user will be added to this group automatically.

0
votes

A new Active Directory plugin is available which you can use instead of the LDAP one. Note as of this post it is still a release candidate (RC). This version is not displayed in the Update Center.

https://github.com/SonarQubeCommunity/sonar-activedirectory/

The plugin is available for download on the releases tab.

Wes