
Hi, I have been struggling to get Active Directory to work with SonarQube 5.6 LTS.

Please find the configuration details below:

sonar.security.realm = LDAP
sonar.authenticator.downcase=false
ldap.url=ldap://xxx.xxxxxx.com:3268

ldap.user.baseDn=cn=users,dc=xxxxxx,dc=com
ldap.user.request = (&(objectClass=user)(sAMAccountName={login}))
ldap.user.realNameAttribute=cn
ldap.user.emailAttribute=mail

ldap.group.baseDn=cn=groups,dc=xxxxxx,dc=com
ldap.group.request=(&(objectClass=group)(member={dn}))
ldap.group.idAttribute = sAMAccountName

ldap.realm = xxxxxx.com
ldap.authentication = simple
ldap.baseDn = dc=xxxxxx dc=com
ldap.bindDn = xxxxxx\\xxxxxx
ldap.bindPassword = xxxxxxx

I do see "Test LDAP connection: OK" in the SonarQube logs:

2017.01.16 19:00:30 DEBUG web[o.s.p.l.LdapContextFactory] Initializing LDAP context {java.naming.provider.url=ldap://xxx.xxxxxx.com:389,
 java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
 java.naming.security.principal=xxxxxx\xxxxxx,
 com.sun.jndi.ldap.connect.pool=true,
 java.naming.security.authentication=simple,
 java.naming.security.sasl.realm=xxxxxx.com,
 java.naming.referral=follow}
2017.01.16 19:00:30 INFO  web[o.s.p.l.LdapContextFactory] Test LDAP connection on ldap://xxx.xxxxxx.com:389: OK

However, when I try to log in with my LDAP username and password, I am not allowed to log in. The following messages are observed in the logs:

 2017.01.16 16:44:28 DEBUG web[o.s.p.l.LdapUsersProvider] Requesting details for user xxxxxx\xxxxx
 2017.01.16 16:44:28 DEBUG web[o.s.p.l.LdapSearch] Search: LdapSearch{baseDn=cn=users,dc=xxxxxx,dc=com, scope=subtree,
 request=(&(objectClass=user)(sAMAccountName={0})),
 parameters=[xxxxxx\xxxxxx], attributes=[mail, cn]}
 2017.01.16 16:44:28 DEBUG web[o.s.p.l.LdapContextFactory] Initializing LDAP context {java.naming.provider.url=ldap://xxx.xxxxxx.com:389,
 java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
 java.naming.security.principal=xxxxxx\xxxxxx,
 com.sun.jndi.ldap.connect.pool=true,
 java.naming.security.authentication=simple,
 java.naming.security.sasl.realm=xxxxxx.com,
 java.naming.referral=follow}
 2017.01.16 16:44:28 DEBUG web[o.s.p.l.LdapUsersProvider] User xxxxxx\xxxxxx not found in <default>
 2017.01.16 16:44:28 DEBUG web[http] POST /sessions/login | time=69ms
 2017.01.16 16:44:38 DEBUG web[o.s.p.l.LdapUsersProvider] Requesting details for user xxxxxx\xxxxxx
 2017.01.16 16:44:38 DEBUG web[o.s.p.l.LdapSearch] Search: LdapSearch{baseDn=cn=users,dc=xxxxxx,dc=com, scope=subtree,
 request=(&(objectClass=user)(sAMAccountName={0})),
 parameters=[xxxxxx\xxxxxx], attributes=[mail, cn]}
 2017.01.16 16:44:38 DEBUG web[o.s.p.l.LdapContextFactory] Initializing LDAP context {java.naming.provider.url=ldap://DC1.xxxxxx.com:389,
 java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
 java.naming.security.principal=xxxxxx\xxxxxx,
 com.sun.jndi.ldap.connect.pool=true,
 java.naming.security.authentication=simple,
 java.naming.security.sasl.realm=xxxxxx.com,
 java.naming.referral=follow}
 2017.01.16 16:44:38 DEBUG web[o.s.p.l.LdapUsersProvider] User xxxxxx\xxxxxx not found in <default>
 2017.01.16 16:44:38 DEBUG web[http] POST /sessions/login | time=55ms

I have tried the following so far:

  1. Tried using ports 3268 and 389.
  2. Tried ldapsearch from the command line: ldapsearch -H ldap://xxx.xxxxx.com:3268 dc=xxxxx,dc=com -D 'xxxxxx\xxxxxx' -W, but this also returns an empty result.

I have only one admin user, which is configured locally, and I am able to log in as admin.

The same username and server details worked well when I configured Active Directory on Jenkins.

Where am I going wrong? What other options can I try?

1 Answer


ldap.bindDn = ntdomain\logonid is certainly a bad idea, because SonarQube (according to the traces provided by you) searches for the AD user entry with the filter predicate (sAMAccountName=ntdomain\logonid). You're supposed to use only the sAMAccountName for ldap.bindDn.

You need to specify the distinguished name of the user (something like cn=...,cn=users,dc=company,dc=tld) to bind ldapsearch to AD, because there is no mapping from sAMAccountName to dn provided by the ldapsearch tool.

marabu
  • I corrected it as ldap.bindDn = logonid. SonarQube fails to start in this case with the following error: '2017.01.18 12:03:01 INFO web[o.s.p.l.LdapContextFactory] Test LDAP connection: FAIL 2017.01.18 12:03:01 ERROR web[o.a.c.c.C.[.[.[/]] Exception sending context initialized event to listener instance of class org.sonar.server.platform.PlatformServletContextListener org.sonar.plugins.ldap.LdapException: Unable to open LDAP connection' – Swaminathan K PMP Jan 18 '17 at 06:36
  • SonarQube is up if I use the ldap.bindDn=login@domain.com format, but the error persists. – Swaminathan K PMP Jan 18 '17 at 06:45
  • Actually, I misinterpreted your log excerpt, when I thought that your ldap.bindDn would be mapped, when clearly a user logon attempt is shown. So, I would expect SonarQube to bind successfully to AD if the dn of the service account is used. It's your {login} that must not be given as ntdomain\logonid as your ldap.user.request template expects an unqualified sAMAccountName only. Of course, you can adjust your template to work with userPrincipalName, too. – marabu Jan 18 '17 at 08:12
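As an added illustration of marabu's point (this is hypothetical code, not from the question, the answer, or SonarQube itself), the Python below substitutes the typed login into the page's ldap.user.request template the way the log shows, then maps a DOMAIN\user or user@domain login onto the attribute it can actually match; the directory entries are constructed sample data.

```python
"""Why 'DOMAIN\\user' never matches (sAMAccountName={login}), and how to map
the typed login onto the right AD attribute.  Hypothetical helper, not
SonarQube's own code; DIRECTORY below is constructed sample data."""

# RFC 4515 escaping for a value placed inside a filter assertion.  JNDI does
# the same when the value is passed as a search parameter ({0} in the log),
# so the filter is safe against injection but still contains the domain prefix.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_request(template: str, login: str) -> str:
    """Substitute {login} verbatim (escaped), as ldap.user.request is applied."""
    return template.replace("{login}", escape_filter_value(login))

def normalize_login(login: str) -> tuple:
    """Map what the user typed to (AD attribute, bare value).

    'CORP\\jdoe'    -> ('sAMAccountName', 'jdoe')   (NT-style prefix stripped;
                       in production also check the prefix names your domain)
    'jdoe@corp.com' -> ('userPrincipalName', 'jdoe@corp.com')
    'jdoe'          -> ('sAMAccountName', 'jdoe')
    """
    if "\\" in login:
        _domain, _, user = login.partition("\\")
        return "sAMAccountName", user
    if "@" in login:
        return "userPrincipalName", login
    return "sAMAccountName", login

# Constructed stand-in for the entries a subtree search under cn=users would see.
DIRECTORY = [
    {"dn": "cn=John Doe,cn=users,dc=corp,dc=com", "objectClass": "user",
     "sAMAccountName": "jdoe", "userPrincipalName": "jdoe@corp.com"},
]

def search_equal(attr: str, value: str):
    """Simulate the search: exact, case-insensitive (as AD does) match on attr."""
    for entry in DIRECTORY:
        if entry["objectClass"] == "user" and entry.get(attr, "").lower() == value.lower():
            return entry["dn"]
    return None

def lookup_as_plugin(login: str):
    """The page's template: the whole typed login is compared to sAMAccountName."""
    return search_equal("sAMAccountName", login)

def lookup_normalized(login: str):
    """Pick the attribute from the login's shape, then search with the bare value."""
    attr, value = normalize_login(login)
    return search_equal(attr, value)
```

With the page's template, `lookup_as_plugin("CORP\\jdoe")` returns None (the "User ... not found" line in the log), while `lookup_normalized` resolves both the NT-style and the UPN form to the same DN.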