About Simple Ldap Connection Between SonarQube and Active Directory

Question

I'm running the SonarQube enterprise version on my on premise server. I am trying to ensure ldap integration with active directory on the SonarQube Web side.

I opened a similar task on the Sonarqube community forum and follow it through this link.

Now I'm trying to do my first tests by connecting with simple method without ssl.

The Ldap connection is successful, but when the user sends a login request, it gives the error code "LDAP: error code 1 - 000004DC: LdapErr: dsid-0C090A4C". In many places, the user has written that there is a password error, but I can get a response when manually check it with the ldapsearch command.

I also have different ldap applications that use my active directory environment and they work well. (eg jira, jenkins etc ..)

When I investigated this problem, I found that many users can connect with similar configurations. When I check attribute and other definitions with the Ldap Admin tool, the parameter that requires a different setting does not appear. But I can't connect. I got a successful result on the test I did manually, and I know that I actually need to be able to connect. But it looks like a bug on the basis of this app.

I am sharing my information below, can you help me?

Ldap User: test.user
Server Os: CentOS Linux release 7.9.2009 (Core)
Sonarqube Version: sonarqube-enterprise-8.6.0.39681 (onpremise)

[root@sonarqubeserver]# cat sonar.properties
...
sonar.security.realm=LDAP
ldap.url=ldap://192.168.1.2:3268

ldap.realm=mydomain.net
ldap.authentication=simple
sonar.authenticator.downcase=true

ldap.bindDN=CN=adsvcuser,OU=ServiceAccounts,DC=mydomain,DC=net
ldap.bindPassword=PasswordTest123!Testtt


ldap.user.baseDn=OU=TR,OU=User Accounts,DC=mydomain,DC=net
ldap.user.request=(&(objectClass=user)(sAMAccountName={login}))
ldap.user.realNameAttribute=cn
ldap.user.emailAttribute=mail

## ldap Group ##
ldap.group.baseDn=OU=Groups,DC=mydomain,DC=net
ldap.group.request=(&(objectClass=group)(member={dn}))
ldap.group.idAttribute=sAMAccountName


[root@sonarqubeserver]# ldapsearch -x -b "OU=TR,OU=User Accounts,DC=mydomain,DC=net" -D "CN=adsvcuser,OU=ServiceAccounts,DC=mydomain,DC=net" -H ldap://192.168.1.2:3268 -w 'PasswordTest123!Testtt' "(&(objectClass=user)(sAMAccountName=test.user))"
# extended LDIF
#
# LDAPv3
# base <OU=TR,OU=User Accounts,DC=mydomain,DC=net> with scope subtree
# filter: (&(objectClass=user)(sAMAccountName=test.user))
# requesting: ALL
#

# test.user, TR, User Accounts, mydomain.net
dn: CN=test.user,OU=TR,OU=User Accounts,DC=mydomain,DC=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: test.user
sn: user
c: TR
l: Istanbul
telephoneNumber: 12312412312412
givenName: test
distinguishedName: CN=test.user,OU=TR,OU=User Accounts,DC=mydomain,DC=net
instanceType: 4
whenCreated: 12312412341232.0Z
whenChanged: 41231231241231.0Z
displayName: test.user | MyDomain
uSNCreated: 35664044
memberOf: xxx
...
uSNChanged: 174906273
name: test.user
objectGUID:: fklasjdkalsjdklafjakls==
userAccountControl: 512
primaryGroupID: 513
objectSid:: asajknfajsnqwe1samndnomnfndsmadn==
sAMAccountName: test.user
sAMAccountType: 214123342
userPrincipalName: test.user@mydomain.net
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=mydomain,DC=net
dSCorePropagationData: 12312412312563.0Z
dSCorePropagationData: 56890458497343.0Z
lastLogonTimestamp: 132540485078534934
mail: test.user@mydomain.net
manager: CN=Mrs X,OU=TR,OU=User Accounts,DC=mydomain,DC=net

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


[root@sonarqubeserver]# tail -f /var/log/sonarqube/web.log

2021.01.03 15:15:32 INFO  web[][o.s.s.s.LogServerId] Server ID: 21das2d-DASdlak2142ld2aksdlsk12
2021.01.03 15:15:32 INFO  web[][org.sonar.INFO] Security realm: LDAP
2021.01.03 15:15:32 INFO  web[][o.s.a.l.LdapSettingsManager] User mapping: LdapUserMapping{baseDn=OU=TR,OU=User Accounts,DC=mydomain,DC=net, request=(&(objectClass=user)(sAMAccountName={0})), realNameAttribute=cn, emailAttribute=mail}
2021.01.03 15:15:32 INFO  web[][o.s.a.l.LdapSettingsManager] Group mapping: LdapGroupMapping{baseDn=OU=Groups,DC=mydomain,DC=net, idAttribute=sAMAccountName, requiredUserAttributes=[dn], request=(&(objectClass=group)(member={0}))}
2021.01.03 15:15:32 DEBUG web[][o.s.a.l.LdapContextFactory] Initializing LDAP context {java.naming.referral=follow, com.sun.jndi.ldap.connect.pool=true, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.sasl.realm=mydomain.net, java.naming.provider.url=ldap://192.168.1.2:3268, java.naming.security.authentication=simple}
2021.01.03 15:15:32 INFO  web[][o.s.a.l.LdapContextFactory] Test LDAP connection on ldap://192.168.1.2:3268: OK
2021.01.03 15:15:32 INFO  web[][org.sonar.INFO] Security realm started
2021.01.03 15:15:32 WARN  web[][o.s.a.s.w.WebService$Action] The response example is not set on action api/plugins/download
...
...
...
2021.01.03 15:15:44 DEBUG web[][o.s.s.p.ServerLifecycleNotifier] Notify ServerStopHandler handlers...
2021.01.03 15:15:44 INFO  web[][o.s.s.p.Platform] WebServer is operational
2021.01.03 15:15:44 DEBUG web[][o.s.s.p.Platform] Background initialization of SonarQube done
2021.01.03 15:16:11 DEBUG web[AXbILSguJzbHg1R2AAAB][auth.event] login failure [cause|User must be authenticated][method|BASIC][provider|LOCAL|local][IP|127.0.0.1|82.24.129.13][login|]
2021.01.03 15:16:23 DEBUG web[AXbILSguJzbHg1R2AAAE][o.s.a.l.LdapUsersProvider] Requesting details for user test.user
2021.01.03 15:16:23 DEBUG web[AXbILSguJzbHg1R2AAAE][o.s.a.l.LdapSearch] Search: LdapSearch{baseDn=OU=TR,OU=User Accounts,DC=mydomain,DC=net, scope=subtree, request=(&(objectClass=user)(sAMAccountName={0})), parameters=[test.user], attributes=[mail, cn]}
2021.01.03 15:16:23 DEBUG web[AXbILSguJzbHg1R2AAAE][o.s.a.l.LdapContextFactory] Initializing LDAP context {java.naming.referral=follow, com.sun.jndi.ldap.connect.pool=true, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.sasl.realm=mydomain.net, java.naming.provider.url=ldap://192.168.1.2:3268, java.naming.security.authentication=simple}
2021.01.03 15:16:23 DEBUG web[AXbILSguJzbHg1R2AAAE][o.s.a.l.LdapUsersProvider] [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C090A4C, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839]
javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C090A4C, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839]
    at java.naming/com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3299)
    at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3205)
    at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2996)
    at java.naming/com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1875)
    at java.naming/com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1798)
    at java.naming/com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1815)
    at java.naming/com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:418)
    at java.naming/com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:396)
    at java.naming/com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:378)
    at java.naming/javax.naming.directory.InitialDirContext.search(InitialDirContext.java:286)
    at org.sonar.auth.ldap.LdapSearch.find(LdapSearch.java:130)
    at org.sonar.auth.ldap.LdapSearch.findUnique(LdapSearch.java:143)
    at org.sonar.auth.ldap.LdapUsersProvider.getUserDetails(LdapUsersProvider.java:80)
    at org.sonar.auth.ldap.LdapUsersProvider.doGetUserDetails(LdapUsersProvider.java:58)
    at org.sonar.server.authentication.CredentialsExternalAuthentication.doAuthenticate(CredentialsExternalAuthentication.java:96)
    at org.sonar.server.authentication.CredentialsExternalAuthentication.authenticate(CredentialsExternalAuthentication.java:90)
    at org.sonar.server.authentication.CredentialsAuthentication.authenticate(CredentialsAuthentication.java:66)
    at org.sonar.server.authentication.CredentialsAuthentication.authenticate(CredentialsAuthentication.java:54)
    at org.sonar.server.authentication.ws.LoginAction.authenticate(LoginAction.java:121)
    at org.sonar.server.authentication.ws.LoginAction.doFilter(LoginAction.java:100)
    at org.sonar.server.platform.web.MasterServletFilter$GodFilterChain.doFilter(MasterServletFilter.java:139)
    at org.sonar.server.platform.web.MasterServletFilter.doFilter(MasterServletFilter.java:108)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.sonar.server.platform.web.UserSessionFilter.doFilter(UserSessionFilter.java:81)
    at org.sonar.server.platform.web.UserSessionFilter.doFilter(UserSessionFilter.java:68)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.sonar.server.platform.web.CacheControlFilter.doFilter(CacheControlFilter.java:76)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.sonar.server.platform.web.SecurityServletFilter.doHttpFilter(SecurityServletFilter.java:76)
    at org.sonar.server.platform.web.SecurityServletFilter.doFilter(SecurityServletFilter.java:48)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.sonar.server.platform.web.RedirectFilter.doFilter(RedirectFilter.java:58)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.sonar.server.platform.web.RequestIdFilter.doFilter(RequestIdFilter.java:66)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.sonar.server.platform.web.RootFilter.doFilter(RootFilter.java:62)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:109)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
    at ch.qos.logback.access.tomcat.LogbackValve.invoke(LogbackValve.java:256)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:616)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:831)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1634)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.base/java.lang.Thread.run(Thread.java:834)
2021.01.03 15:16:23 DEBUG web[AXbILSguJzbHg1R2AAAE][o.s.a.l.LdapUsersProvider] User test.user not found in <default>
2021.01.03 15:16:23 ERROR web[AXbILSguJzbHg1R2AAAE][o.s.s.a.CredentialsExternalAuthentication] Error during authentication
org.sonar.auth.ldap.LdapException: Unable to retrieve details for user test.user in <default>
    at org.sonar.auth.ldap.LdapUsersProvider.getUserDetails(LdapUsersProvider.java:84)
    at org.sonar.auth.ldap.LdapUsersProvider.doGetUserDetails(LdapUsersProvider.java:58)
    at org.sonar.server.authentication.CredentialsExternalAuthentication.doAuthenticate(CredentialsExternalAuthentication.java:96)
    at org.sonar.server.authentication.CredentialsExternalAuthentication.authenticate(CredentialsExternalAuthentication.java:90)
    at org.sonar.server.authentication.CredentialsAuthentication.authenticate(CredentialsAuthentication.java:66)
    at org.sonar.server.authentication.CredentialsAuthentication.authenticate(CredentialsAuthentication.java:54)
    at org.sonar.server.authentication.ws.LoginAction.authenticate(LoginAction.java:121)
    at org.sonar.server.authentication.ws.LoginAction.doFilter(LoginAction.java:100)
    at org.sonar.server.platform.web.MasterServletFilter$GodFilterChain.doFilter(MasterServletFilter.java:139)
    at org.sonar.server.platform.web.MasterServletFilter.doFilter(MasterServletFilter.java:108)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.sonar.server.platform.web.UserSessionFilter.doFilter(UserSessionFilter.java:81)
    at org.sonar.server.platform.web.UserSessionFilter.doFilter(UserSessionFilter.java:68)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.sonar.server.platform.web.CacheControlFilter.doFilter(CacheControlFilter.java:76)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.sonar.server.platform.web.SecurityServletFilter.doHttpFilter(SecurityServletFilter.java:76)
    at org.sonar.server.platform.web.SecurityServletFilter.doFilter(SecurityServletFilter.java:48)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.sonar.server.platform.web.RedirectFilter.doFilter(RedirectFilter.java:58)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.sonar.server.platform.web.RequestIdFilter.doFilter(RequestIdFilter.java:66)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.sonar.server.platform.web.RootFilter.doFilter(RootFilter.java:62)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:109)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
    at ch.qos.logback.access.tomcat.LogbackValve.invoke(LogbackValve.java:256)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:616)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:831)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1634)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C090A4C, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839]
    at java.naming/com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3299)
    at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3205)
    at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2996)
    at java.naming/com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1875)
    at java.naming/com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1798)
    at java.naming/com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1815)
    at java.naming/com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:418)
    at java.naming/com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:396)
    at java.naming/com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:378)
    at java.naming/javax.naming.directory.InitialDirContext.search(InitialDirContext.java:286)
    at org.sonar.auth.ldap.LdapSearch.find(LdapSearch.java:130)
    at org.sonar.auth.ldap.LdapSearch.findUnique(LdapSearch.java:143)
    at org.sonar.auth.ldap.LdapUsersProvider.getUserDetails(LdapUsersProvider.java:80)
    ... 51 common frames omitted
2021.01.03 15:16:23 DEBUG web[AXbILSguJzbHg1R2AAAE][auth.event] login failure [cause|Unable to retrieve details for user test.user in <default>][method|FORM][provider|REALM|LDAP][IP|127.0.0.1|82.24.129.13][login|test.user]

Answer 1

The message says that you need to authenticate to read LDAP, which suggests you are doing anonymous bind. Probably it is caused by incorrect spelling of ldap.bindDN (should be ldap.bindDn). Try again with correct casing, chances are that SQ missed your bind configuration.