This is an archived version of the documentation for SonarQube-6.7.
See the Latest Documentation for current functionality.

LDAP Plugin

By SonarSource – GNU LGPL 3 – Supported by SonarSource

Versions:

  • LDAP 2.2 – Jul 07, 2017 – SonarQube 6.7+ (Compatible with LTS): Allow to not follow referrals, deprecate auto-discovery feature

  • LDAP 2.1 – Oct 24, 2016: Support of StartTLS and bug fixes

  • LDAP 2.0 – Jun 08, 2016: Extract SSO capabilities in a dedicated plugin. LDAP Plugin still supports both LDAP and Active Directory environments.

  • LDAP 1.5.1 – Dec 02, 2015: Bug fixes for Active Directory environments

  • LDAP 1.5 – Nov 03, 2015: Full support of auto-discovery and SSO experience when using Active Directory

  • LDAP 1.4 – Jan 09, 2014: Supports more than one server in auto-discovery mode (using DNS entries)


Description

This plugin allows the delegation of SonarQube authentication and authorization to an LDAP server (including LDAP Service of Active Directory).

The main features are:

  • Password checking against the external authentication engine.

  • Automatic synchronization of usernames and emails.

  • Automatic synchronization of relationships between users and groups (authorization).

  • Ability to authenticate against both the external and the internal authentication systems. There is an automatic fallback on SonarQube internal system if the LDAP server is down.

During the first authentication attempt, if the password is correct, the SonarQube database is automatically populated with the new user. Each time a user logs into SonarQube, the username, the email and the groups this user belongs to are refreshed in the SonarQube database.

Requirements

|            | Apache DS | OpenLDAP | OpenDS | Active Directory |
|------------|-----------|----------|--------|------------------|
| Anonymous  | ✓         | ✓        | ✓      |                  |
| Simple     | ✓         | ✓        | ✓      | ✓                |
| LDAPS      | ✓         | ✓        |        | ✓                |
| DIGEST-MD5 | ✓         |          | ✓      | ✓                |
| CRAM-MD5   | ✓         |          | ✓      | ✓                |
| GSSAPI     | ✓         |          |        |                  |

✓ - means that it has been successfully tested

Installation

  1. Install the plugin through the Marketplace or download it into the SONARQUBE_HOME/extensions/plugins directory

  2. Restart the SonarQube server

Usage

  1. Configure the LDAP plugin by editing the SONARQUBE_HOME/conf/sonar.properties file (see table below)

  2. Restart the SonarQube server and check the log file for:

    INFO org.sonar.INFO Security realm: LDAP ...

    INFO o.s.p.l.LdapContextFactory Test LDAP connection: OK

  3. Log into SonarQube

  4. On logout, users are presented with the login page (/sessions/login), where they can choose to log in as a technical user or a domain user by passing the appropriate credentials

From SonarQube Scanners, we recommend using local technical users for authentication against SonarQube Server.

General Configuration

| Property | Description | Default value | Mandatory | Example |
|----------|-------------|---------------|-----------|---------|
| sonar.security.realm | Set this to first try to authenticate against the external system. If the external system is not reachable or if the user is not defined in the external system, the authentication will be performed through the SonarQube internal system. | None | Yes | LDAP (only possible value) |
| sonar.security.updateUserAttributes | Supported only for SonarQube versions 3.6 - 5.3. If set to true, at each login, user's attributes (name and email) are re-synchronized. If set to false, user's attributes are not re-synchronized. Note that if set to false, user's attributes are synchronized just once, at the very first login. | true | No | |
| sonar.authenticator.downcase | Set to true when connecting to an LDAP server using a case-insensitive setup. | false | No | |
| ldap.url | URL of the LDAP server. Note that if you are using ldaps, then you should install the server certificate into the Java truststore. | None | Yes | ldap://localhost:10389 |
| ldap.bindDn | Bind DN is the username of an LDAP user to connect (or bind) with. Leave this blank for anonymous access to the LDAP directory. | None | No | cn=sonar,ou=users,o=mycompany |
| ldap.bindPassword | Bind Password is the password of the user to connect with. Leave this blank for anonymous access to the LDAP directory. | None | No | secret |
| ldap.authentication | Possible values: simple, CRAM-MD5, DIGEST-MD5, GSSAPI. See http://java.sun.com/products/jndi/tutorial/ldap/security/auth.html | simple | No | |
| ldap.realm | See http://java.sun.com/products/jndi/tutorial/ldap/security/digest.html and http://java.sun.com/products/jndi/tutorial/ldap/security/crammd5.html | None | No | example.org |
| ldap.contextFactoryClass | Context factory class. | com.sun.jndi.ldap.LdapCtxFactory | No | |
| ldap.StartTLS | Enable usage of StartTLS. Available since version 2.1. | false | No | |
| ldap.followReferrals | Whether to follow referrals. See http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html Available since version 2.2. | true | No | |

User Mapping

| Property | Description | Default value | Mandatory | Example for Active Directory Server |
|----------|-------------|---------------|-----------|-------------------------------------|
| ldap.user.baseDn | Distinguished Name (DN) of the root node in LDAP from which to search for users. | None | Yes | cn=users,dc=example,dc=org |
| ldap.user.request | LDAP user request. Available since version 1.2. | (&(objectClass=inetOrgPerson)(uid={login})) | No | (&(objectClass=user)(sAMAccountName={login})) |
| ldap.user.realNameAttribute | Attribute in LDAP defining the user’s real name. | cn | No | |
| ldap.user.emailAttribute | Attribute in LDAP defining the user’s email. | mail | No | |

Group Mapping

Only groups are supported (not roles). Only static groups are supported (not dynamic groups).

When group mapping is configured (i.e. the ldap.group.* properties below are set), membership in the LDAP server overrides any membership configured locally in SonarQube. The LDAP server becomes the one and only place to manage group membership (and the information is fetched each time the user logs in).

For the delegation of authorization, groups must be first defined in SonarQube. Then, the following properties must be defined to allow SonarQube to automatically synchronize the relationships between users and groups.

| Property | Description | Default value | Mandatory | Example for Active Directory Server |
|----------|-------------|---------------|-----------|-------------------------------------|
| ldap.group.baseDn | Distinguished Name (DN) of the root node in LDAP from which to search for groups. | None | No | cn=groups,dc=example,dc=org |
| ldap.group.request | LDAP group request. Available since version 1.2. | (&(objectClass=groupOfUniqueNames)(uniqueMember={dn})) | No | (&(objectClass=group)(member={dn})) |
| ldap.group.idAttribute | Property used to specify the attribute to be used for returning the list of user groups in the compatibility mode. | cn | No | sAMAccountName |

Configuration Examples

Example of LDAP Configuration

# LDAP configuration
# General Configuration
sonar.security.realm=LDAP
ldap.url=ldap://myserver.mycompany.com
ldap.bindDn=my_bind_dn
ldap.bindPassword=my_bind_password
 
# User Configuration
ldap.user.baseDn=ou=Users,dc=mycompany,dc=com
ldap.user.request=(&(objectClass=inetOrgPerson)(uid={login}))
ldap.user.realNameAttribute=cn
ldap.user.emailAttribute=mail
 
# Group Configuration
ldap.group.baseDn=ou=Groups,dc=sonarsource,dc=com
ldap.group.request=(&(objectClass=posixGroup)(memberUid={uid}))
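
A pre-deployment review of the settings documented above, as an added example that is not part of the original page or the plugin's own code: it reads a sonar.properties file and reports LDAP settings worth a second look, such as a simple bind over an unencrypted ldap:// URL. The function names and finding codes are hypothetical; the defaults are taken from the "Default value" column of the tables on this page.

```python
# Added example (not SonarSource code). DEFAULTS mirror the "Default value"
# column of the configuration tables on this page.
DEFAULTS = {
    "ldap.authentication": "simple",
    "ldap.StartTLS": "false",
    "ldap.followReferrals": "true",
}

def parse_properties(text):
    """Minimal key=value reader: skips blank lines and '#' / '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")  # split at the first '=' only
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit_ldap(props):
    """Return sorted finding codes (hypothetical names) for the LDAP settings."""
    cfg = {**DEFAULTS, **props}
    if cfg.get("sonar.security.realm") != "LDAP":
        return ["realm-not-ldap"]  # LDAP delegation is not enabled
    findings = set()
    url = cfg.get("ldap.url", "").lower()
    start_tls = cfg["ldap.StartTLS"].lower() == "true"
    if not url:
        findings.add("missing-ldap-url")  # ldap.url is mandatory
    elif not (url.startswith("ldaps://") or start_tls):
        findings.add("cleartext-transport")
        # A simple bind carries the password unprotected on an unencrypted link.
        if cfg["ldap.authentication"] == "simple" and cfg.get("ldap.bindPassword"):
            findings.add("bind-password-sent-in-clear")
    if not cfg.get("ldap.bindDn"):
        findings.add("anonymous-bind")  # blank bindDn means anonymous access
    if cfg["ldap.followReferrals"].lower() == "true":
        findings.add("follows-referrals")  # default; can be turned off since 2.2
    return sorted(findings)

# Constructed sample: the general settings of the example configuration above.
SAMPLE = """
sonar.security.realm=LDAP
ldap.url=ldap://myserver.mycompany.com
ldap.bindDn=my_bind_dn
ldap.bindPassword=my_bind_password
"""

print(audit_ldap(parse_properties(SAMPLE)))
```

Switching the URL to ldaps:// (with the server certificate installed in the Java truststore) or setting ldap.StartTLS=true clears the two cleartext findings.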