0
votes

I am running Sonarqube 6.7.1.35068 on Windows Server 2016 with LDAP plugin 2.2. I have LDAP working, as new users are able to log into Sonarqube with their domain credentials and create an account, but my group filter is not working. I am trying to filter logins based on a specific AD security group membership, but unfortunately all users on the domain are able to login, as the group filtering is not working. The following is my LDAP configuration in the properties file:

#----- LDAP configuration
# General Configuration
sonar.security.realm=LDAP
sonar.authenticator.downcase=true
ldap.url=ldap://ldap.domain.com:3268
ldap.bindDn=[email protected]
ldap.bindPassword=********

# User Configuration
ldap.user.baseDn=dc=ad,dc=domain,dc=com
ldap.user.request=(&(objectClass=user)(sAMAccountName={login}))
ldap.user.realNameAttribute=cn
ldap.user.emailAttribute=mail

# Group Configuration
ldap.group.baseDn=CN=Sonarqube,OU=Software Access,OU=Security Groups,OU=AD Groups,DC=ad,DC=domain,DC=com
ldap.group.request=(&(objectClass=group)(memberOf={dn}))
ldap.group.idAttribute=sAMAccountName

I have tried several different combinations for the ldap.group.baseDn and ldap.group.request values, but have not had any success with user filtering based on AD group membership. There unfortunately are no good specific detailed examples on how to configure these 2 values for Sonarqube. Anyone?

2
You expect your LDAP filtering to not match and thus not authenticate users who are not members of certain groups? [G. Ann - SonarSource Team]
Yes, exactly. If a user is a member of the Sonarqube AD security group, then they are allowed to login to Sonarqube. If a user is not a member of the Sonarqube AD security group, then they are not allowed to login to Sonarqube. [Mark Conway]
Then this isn't related to SonarQube as such, is it? [G. Ann - SonarSource Team]
It is related to the syntax required in the LDAP group configuration for Sonarqube. I have this working in all of my Engineering solutions (JIRA, Jenkins, etc.). I need clarification on the required syntax to successfully filter users based on AD group membership using Sonarqube LDAP group configuration. The docs provided do not provide the necessary details. [Mark Conway]
Are you looking for this? [Jeroen Heier]

2 Answers

1
votes

Also running Sonarqube 6.7.1 on Windows Server 2016 with LDAP plugin 2.2.
The group filter configuration was the tricky part; for me it works like this:

# User Configuration
ldap.user.baseDn=DC=lan,DC=domain,DC=de
ldap.user.realNameAttribute=cn
# The next two keys are not properties the SonarQube LDAP plugin reads (it only
# uses realNameAttribute and emailAttribute for user details); they are ignored.
ldap.user.LastNameAttribute=sn
ldap.user.firstNameAttribute=givenName
ldap.user.emailAttribute=mail
ldap.user.request=(&(objectClass=user)(sAMAccountName={login}))

# Group Configuration
ldap.group.baseDn=DC=lan,DC=domain,DC=de
ldap.group.idAttribute=cn
# member (on the group entry) holds user DNs, so that is the attribute {dn} is compared against
ldap.group.request=(&(objectClass=group)(member={dn}))

1
votes

The Group configuration is not required. You can restrict SonarQube access based on a specific LDAP/AD group membership by restricting the user-filter option on the ldap.user.request:

ldap.user.request=(&(objectClass=user)(sAMAccountName={login})(memberOf=CN=ldap-group,OU=groups,DC=example,DC=com))

My final working config is as follows:

#----- General Configuration
sonar.security.realm=LDAP
sonar.authenticator.downcase=true
ldap.url=ldap://ldap.domain.com:3268
ldap.bindDn=[email protected]
ldap.bindPassword=********

#----- User Configuration
ldap.user.baseDn=dc=ad,dc=domain,dc=com
ldap.user.request=(&(objectClass=user)(sAMAccountName={login})(memberOf=CN=ldap-group,OU=groups,DC=example,DC=com))
ldap.user.realNameAttribute=cn
ldap.user.emailAttribute=mail
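To see why the question's group request returns nothing while answer 1's group request and answer 2's user filter behave differently, here is an added example (not code from SonarQube, the LDAP plugin, or either answer): a constructed in-memory snapshot of a small AD tree and a minimal LDAP filter evaluator that replays the plugin's two lookups, the user request with `{login}` and then the group request with `{dn}`. It also tries a nested-group variant using the AD in-chain matching rule (OID 1.2.840.113556.1.4.1941), which the page does not discuss. All DNs, logins, the `Sonar-Devs` nested group and the helper names (`sonar_lookup`, `search`, `parse_filter`) are assumptions made for the example; the RFC 4515 escaping of substituted values is my own precaution and not a statement about what the plugin does.

```python
# Added example, not code from SonarQube, the LDAP plugin or either answer: an offline
# stand-in for AD plus a minimal LDAP filter evaluator. All DNs and logins are constructed.
import re
CHAIN_RULE = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN: AD transitive membership
BASE_DN = "DC=ad,DC=domain,DC=com"
GROUP_DN = "CN=Sonarqube,OU=Software Access,DC=ad,DC=domain,DC=com"
NESTED_GROUP_DN = "CN=Sonar-Devs,OU=Software Access,DC=ad,DC=domain,DC=com"  # constructed nested group
JDOE_DN = "CN=jdoe,OU=Users,DC=ad,DC=domain,DC=com"
ASMITH_DN = "CN=asmith,OU=Users,DC=ad,DC=domain,DC=com"
BJONES_DN = "CN=bjones,OU=Users,DC=ad,DC=domain,DC=com"

# Constructed snapshot, DN -> attributes: jdoe is a direct member of Sonarqube, bjones only via Sonar-Devs.
DIRECTORY = {
    JDOE_DN: {"objectClass": ["user"], "sAMAccountName": ["jdoe"], "memberOf": [GROUP_DN]},
    ASMITH_DN: {"objectClass": ["user"], "sAMAccountName": ["asmith"], "memberOf": []},
    BJONES_DN: {"objectClass": ["user"], "sAMAccountName": ["bjones"], "memberOf": [NESTED_GROUP_DN]},
    GROUP_DN: {"objectClass": ["group"], "cn": ["Sonarqube"], "sAMAccountName": ["Sonarqube"],
               "member": [JDOE_DN, NESTED_GROUP_DN], "memberOf": []},
    NESTED_GROUP_DN: {"objectClass": ["group"], "cn": ["Sonar-Devs"], "sAMAccountName": ["Sonar-Devs"],
                      "member": [BJONES_DN], "memberOf": [GROUP_DN]},
}

# The filters from the page, plus a nested-group variant using the in-chain matching rule.
USER_REQ = "(&(objectClass=user)(sAMAccountName={login}))"
QUESTION_GROUP_REQ = "(&(objectClass=group)(memberOf={dn}))"
ANSWER1_GROUP_REQ = "(&(objectClass=group)(member={dn}))"
ANSWER2_USER_REQ = "(&(objectClass=user)(sAMAccountName={login})(memberOf=%s))" % GROUP_DN
NESTED_USER_REQ = "(&(objectClass=user)(sAMAccountName={login})(memberOf:%s:=%s))" % (CHAIN_RULE, GROUP_DN)

def escape_filter_value(value):
    """RFC 4515 escaping for values substituted into a filter (my precaution, not a plugin claim)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(text):
    """Parse the subset used here: (&(...)(...)), (attr=value), (attr=*), (attr:OID:=value)."""
    pos = 0
    def node():
        nonlocal pos
        pos += 1  # skip the opening '('
        if text[pos] == "&":
            pos += 1
            parts = []
            while text[pos] == "(":
                parts.append(node())
            pos += 1  # skip the closing ')' of the AND
            return ("and", parts)
        end = text.index(")", pos)
        attr, _, raw = text[pos:end].partition("=")
        pos = end + 1
        if attr.endswith(":" + CHAIN_RULE + ":"):
            return ("chain", attr.split(":")[0].lower(), unescape_filter_value(raw))
        if raw == "*":  # an unescaped '*' is a presence filter; escaped '\2a' is a literal asterisk
            return ("present", attr.lower(), None)
        return ("eq", attr.lower(), unescape_filter_value(raw))
    return node()

def transitive_groups(dn, seen=None):
    """Follow memberOf links recursively: what the in-chain rule computes server-side."""
    seen = set() if seen is None else seen
    for group in DIRECTORY[dn]["memberOf"]:
        if group.lower() not in seen:
            seen.add(group.lower())
            transitive_groups(group, seen)
    return seen

def matches(node, dn, attrs):
    if node[0] == "and":
        return all(matches(n, dn, attrs) for n in node[1])
    kind, attr, value = node
    values = [v.lower() for k, vs in attrs.items() if k.lower() == attr for v in vs]  # AD compares case-insensitively
    if kind == "present":
        return bool(values)
    if kind == "chain" and attr == "memberof":
        return value.lower() in transitive_groups(dn)
    return value.lower() in values

def search(base_dn, filter_text):
    """Subtree search: only entries at or below base_dn are candidates (ldapsearch -s sub)."""
    node, base = parse_filter(filter_text), base_dn.lower()
    return [dn for dn, attrs in DIRECTORY.items()
            if (dn.lower() == base or dn.lower().endswith("," + base)) and matches(node, dn, attrs)]

def sonar_lookup(login, user_request, group_request=None, group_base=BASE_DN, group_id_attr="cn"):
    """Replay the plugin's two lookups (user via {login}, then groups via {dn}); user_dn None refuses login."""
    users = search(BASE_DN, user_request.replace("{login}", escape_filter_value(login)))
    if len(users) != 1:
        return None, []
    groups = []
    if group_request:
        group_filter = group_request.replace("{dn}", escape_filter_value(users[0]))
        groups = [DIRECTORY[g][group_id_attr][0] for g in search(group_base, group_filter)]
    return users[0], groups

if __name__ == "__main__":
    for login in ("jdoe", "asmith", "bjones"):
        print(login, sonar_lookup(login, ANSWER2_USER_REQ), sonar_lookup(login, NESTED_USER_REQ))
```

With the question's settings (`ldap.group.baseDn` set to the group's own DN and `memberOf={dn}`), every user still resolves through the user request, and the group search then returns nothing: the only entry in scope is the group itself, and a group entry has no `memberOf` value equal to a user's DN. Answer 1's `member={dn}` returns the groups that list the user directly, which is what the group mapping is for; it does not refuse a login on its own. Answer 2's `memberOf=` clause in `ldap.user.request` is what makes the non-member resolve to no entry and so be refused, but it matches direct membership only, so a user who is in `Sonarqube` only through a nested group is refused too unless the `memberOf:1.2.840.113556.1.4.1941:=` form is used. Against the real directory the equivalent check is `ldapsearch -H ldap://ldap.domain.com:3268 -D <bindDn> -W -b "dc=ad,dc=domain,dc=com" "<filter>" dn` with the login of a known member and of a known non-member. One further caveat for port 3268: a global catalog only carries complete membership for universal groups, so in a multi-domain forest a global or domain-local group from another domain will not filter as expected.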