0
votes

I'm using sonar 5.6 LTS with LDAP plugin 2.1.0.

The basic LDAP configuration is working fine. Sonar can connect to LDAP (in my case Active Directory). sonar.log:

Test LDAP connection on ldaps://ldap.mycompany:636: OK

My user mapping is

ldap.user.baseDn=OU=Users,OU=Accounts,DC=mycompany
ldap.user.request=(&(objectClass=user)(sAMAccountName={login}))

When I try to log in with mycompany\tobi, sonar logs:

DEBUG web[o.s.p.l.LdapUsersProvider] Requesting details for user mycompany\tobi
...
DEBUG web[o.s.p.l.LdapUsersProvider] User mycompany\tobi not found in <default>

This makes sense as sAMAccountName contains the value tobi and not mycompany\tobi. But when using just tobi as login, sonarqube does not connect to LDAP for authentication. I just get "Authentication failed" and the log file contains only

DEBUG web[http] POST /sonar/sessions/login | time=235ms

Any ideas why sonarqube does not always use LDAP? Thanks, Tobi

1
Why don't you use "tobi" instead of "mycompany\tobi" to log in? - Godin

Because sonarqube will not use ldap without the domain prefix. It would just check the local accounts. At least this is what I see in the log files. - Tobi

If a local account exists, then it will use local, otherwise it will go to LDAP. - Godin

@Godin: Ok, so I guess this is the real issue: when just using tobi as login, sonarqube does not search for an LDAP user. I just get "Authentication failed" at the login screen and sonar just logs: DEBUG web[http] POST /sonar/sessions/login | time=235ms -> no communication with LDAP (even after deleting all local accounts but admin)... - Tobi

1 Answer

0
votes

Thanks to Godin, I've finally found the answer:

The root cause is that I had a local account with the same login credentials before using LDAP. When removing users using the web interface, they are not removed permanently from the database. Instead, they are just deactivated.

I connected to the (postgresql) database and in the users table there were still all old local accounts. So I just changed the login column of all deprecated local accounts with

UPDATE users SET login='username_local' WHERE login='username'

As those accounts are deactivated, they cannot be used to log in to sonarqube but should not be removed as some other tables might still have references to them.
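
A more guarded form of the rename above, as an added example that is not part of the original answer: it runs in a transaction, touches only deactivated rows, and skips any rename that would collide with an existing login. The boolean `active` column is an assumption about the SonarQube schema (check it with `\d users` first); the `users` table, the `login` column and the `_local` suffix come from the answer.

```sql
-- Added example for PostgreSQL, not the poster's own statement.
-- Assumption: users.active is a boolean that is false for accounts
-- "removed" through the web interface. Run against a backed-up database
-- while SonarQube is stopped.
BEGIN;

-- 1. Review which deactivated accounts still occupy a login name.
--    These are the rows that shadow an LDAP user with the same login.
SELECT login, active
FROM users
WHERE active = false
ORDER BY login;

-- 2. Rename only deactivated rows. Active local accounts (e.g. admin)
--    are left alone, rows already renamed are skipped, and a rename is
--    not attempted if the target login is already taken.
UPDATE users AS u
SET login = u.login || '_local'
WHERE u.active = false
  AND right(u.login, 6) <> '_local'
  AND NOT EXISTS (
        SELECT 1
        FROM users AS x
        WHERE x.login = u.login || '_local'
      )
RETURNING u.login AS new_login;

-- 3. Anything listed here was skipped because of a name collision and
--    still blocks the matching LDAP login; handle it by hand.
SELECT login
FROM users
WHERE active = false
  AND right(login, 6) <> '_local';

-- Inspect the output of steps 2 and 3, then finish with COMMIT,
-- or use ROLLBACK instead to leave the table unchanged.
COMMIT;
```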