
You can configure SonarQube authentication and authorization against an LDAP server (including the LDAP service of Active Directory) by setting the correct values in your $SONARQUBE_HOME/conf/sonar.properties file.

The main features are:

  • Password checking against the external authentication engine.
  • Automatic synchronization of usernames and emails.
  • Automatic synchronization of relationships between users and groups (authorization).
  • Ability to authenticate against both the external and the internal authentication systems. There is an automatic fallback to the SonarQube internal system if the LDAP server is down.

During the first authentication attempt, if the user's password is correct, the SonarQube database is automatically populated with the new user. Each time a user logs into SonarQube, the username, the email and (when group mapping is configured) the groups this user belongs to are refreshed in the SonarQube database. Group membership synchronization is optional and is not enabled by default.


Authentication method | Apache DS | OpenLDAP | OpenDS | Active Directory
--- | --- | --- | --- | ---
Anonymous | (tick) | (tick) | (tick) |
Simple | (tick) | (tick) | (tick) | (tick)
LDAPS | (tick) | (tick) | | (tick)
DIGEST-MD5 | (tick) | | (tick) | (tick)
CRAM-MD5 | (tick) | | (tick) | (tick)
GSSAPI | (tick) | | |

(tick) - means that it has been successfully tested

Usage

  1. Configure the LDAP plugin by editing the SONARQUBE_HOME/conf/sonar.properties file (see the tables below).
  2. Restart the SonarQube server and check the log file for:

     INFO org.sonar.INFO Security realm: LDAP ...
     INFO o.s.p.l.LdapContextFactory Test LDAP connection: OK

  3. Log into SonarQube.
  4. On log out, users are presented with the login page (/sessions/login), where they can choose to log in as a technical user or as a domain user by supplying the appropriate credentials.

For SonarQube Scanners, we recommend using local technical users to authenticate against the SonarQube Server.

General Configuration

These properties are already present, though commented out, in your sonar.properties file.

Property | Description | Default value | Mandatory | Example
--- | --- | --- | --- | ---
sonar.security.realm | Set this to first try to authenticate against the external system. If the external system is not reachable or if the user is not defined in the external system, authentication is performed through the SonarQube internal system. | None | Yes | LDAP (only possible value)
sonar.authenticator.downcase | Set to true when connecting to an LDAP server using a case-insensitive setup. | false | No |
ldap.url | URL of the LDAP server. Note that if you are using ldaps, then you should install the server certificate into the Java truststore. | None | Yes | ldap://localhost:10389
ldap.bindDn | Bind DN is the username of an LDAP user to connect (or bind) with. Leave this blank for anonymous access to the LDAP directory. | None | No | cn=sonar,ou=users,o=mycompany
ldap.bindPassword | Bind Password is the password of the user to connect with. Leave this blank for anonymous access to the LDAP directory. | None | No | secret
ldap.authentication | Possible values: simple, CRAM-MD5, DIGEST-MD5, GSSAPI. See http://java.sun.com/products/jndi/tutorial/ldap/security/auth.html | simple | No |
ldap.realm | See http://java.sun.com/products/jndi/tutorial/ldap/security/digest.html and http://java.sun.com/products/jndi/tutorial/ldap/security/crammd5.html | None | No | example.org
ldap.contextFactoryClass | Context factory class. | com.sun.jndi.ldap.LdapCtxFactory | No |
ldap.StartTLS | Enable usage of StartTLS. Available since version 2.1. | false | No |
ldap.followReferrals | Whether or not to follow referrals. See http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html Available since version 2.2. | true | No |

User Mapping

Property | Description | Default value | Mandatory | Example for Active Directory Server
--- | --- | --- | --- | ---
ldap.user.baseDn | Distinguished Name (DN) of the root node in LDAP from which to search for users. | None | Yes | cn=users,dc=example,dc=org
ldap.user.request | LDAP user request. Available since version 1.2. | (&(objectClass=inetOrgPerson)(uid={login})) | No | (&(objectClass=user)(sAMAccountName={login}))
ldap.user.realNameAttribute | Attribute in LDAP defining the user's real name. | cn | No |
ldap.user.emailAttribute | Attribute in LDAP defining the user's email. | mail | No |

Group Mapping

Only groups are supported (not roles). Only static groups are supported (not dynamic groups).

When group mapping is configured (i.e. the ldap.group.* properties below are set), membership in the LDAP server overrides any membership configured locally in SonarQube. The LDAP server becomes the one and only place to manage group membership (and the information is fetched each time the user logs in).

For the delegation of authorization, groups must be first defined in SonarQube. Then, the following properties must be defined to allow SonarQube to automatically synchronize the relationships between users and groups.

Property | Description | Default value | Mandatory | Example for Active Directory Server
--- | --- | --- | --- | ---
ldap.group.baseDn | Distinguished Name (DN) of the root node in LDAP from which to search for groups. | None | No | cn=groups,dc=example,dc=org
ldap.group.request | LDAP group request. Available since version 1.2. | (&(objectClass=groupOfUniqueNames)(uniqueMember={dn})) | No | (&(objectClass=group)(member={dn}))
ldap.group.idAttribute | Property used to specify the attribute to be used for returning the list of user groups in the compatibility mode. | cn | No | sAMAccountName

Configuration Examples

Example of LDAP Configuration

# LDAP configuration
# General Configuration
sonar.security.realm=LDAP
ldap.url=ldap://myserver.mycompany.com
ldap.bindDn=my_bind_dn
ldap.bindPassword=my_bind_password
 
# User Configuration
ldap.user.baseDn=ou=Users,dc=mycompany,dc=com
ldap.user.request=(&(objectClass=inetOrgPerson)(uid={login}))
ldap.user.realNameAttribute=cn
ldap.user.emailAttribute=mail

# Group Configuration
ldap.group.baseDn=ou=Groups,dc=sonarsource,dc=com
ldap.group.request=(&(objectClass=posixGroup)(memberUid={uid}))
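The following script is an added example and is not code from the SonarQube LDAP plugin. It ties together the Usage steps, the property tables and the group-mapping rule above: it parses a sonar.properties snippet (a constructed sample modelled on the configuration example, with ldaps:// instead of ldap://), reports problems worth catching before the restart, checks a log excerpt for the two lines the Usage section says to look for, expands the {login}, {dn} and {uid} placeholders of ldap.user.request and ldap.group.request into concrete search filters, and applies the rule that LDAP membership replaces local membership. The function names, the sample data and the RFC 4515 escaping step (any code that puts a login into a filter should escape it; whether the plugin does so is not stated on this page) are assumptions of this example.

```python
"""Offline sanity checks for a SonarQube LDAP plugin configuration (added example)."""

# Constructed sample modelled on the page's configuration example;
# ldaps:// is used so the clear-text check below passes.
SAMPLE_PROPERTIES = """\
# General Configuration
sonar.security.realm=LDAP
ldap.url=ldaps://myserver.mycompany.com
ldap.bindDn=cn=sonar,ou=users,dc=mycompany,dc=com
ldap.bindPassword=my_bind_password

# User Configuration
ldap.user.baseDn=ou=Users,dc=mycompany,dc=com
ldap.user.request=(&(objectClass=inetOrgPerson)(uid={login}))

# Group Configuration
ldap.group.baseDn=ou=Groups,dc=mycompany,dc=com
ldap.group.request=(&(objectClass=posixGroup)(memberUid={uid}))
"""

# Constructed log excerpt containing the two lines named in the Usage steps.
SAMPLE_LOG = """\
INFO  org.sonar.INFO  Security realm: LDAP ...
INFO  o.s.p.l.LdapContextFactory  Test LDAP connection: OK
"""

# Defaults taken from the User Mapping and Group Mapping tables.
DEFAULT_USER_REQUEST = "(&(objectClass=inetOrgPerson)(uid={login}))"
DEFAULT_GROUP_REQUEST = "(&(objectClass=groupOfUniqueNames)(uniqueMember={dn}))"


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")  # first '=' only: bind DNs contain '='
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_config(props):
    """Return a list of problems; an empty list means the configuration looks sane."""
    problems = []
    if props.get("sonar.security.realm") != "LDAP":
        problems.append("sonar.security.realm must be LDAP (the only possible value)")
    url = props.get("ldap.url", "")
    if not url.startswith(("ldap://", "ldaps://")):
        problems.append("ldap.url is mandatory and must start with ldap:// or ldaps://")
    elif url.startswith("ldap://") and props.get("ldap.StartTLS", "false") != "true":
        # A simple bind over plain ldap:// sends the user's password in clear text.
        problems.append("plain ldap:// without ldap.StartTLS=true sends passwords in clear text")
    if props.get("ldap.bindDn") and not props.get("ldap.bindPassword"):
        problems.append("ldap.bindDn is set but ldap.bindPassword is empty")
    if not props.get("ldap.user.baseDn"):
        problems.append("ldap.user.baseDn is mandatory")
    return problems


# RFC 4515 escaping for values substituted into a search filter, so a login
# such as o'neil(*) is matched literally instead of changing the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(props, login):
    """Expand ldap.user.request for one login ({login} placeholder)."""
    template = props.get("ldap.user.request", DEFAULT_USER_REQUEST)
    return template.replace("{login}", escape_filter_value(login))


def group_filter(props, user_dn, login):
    """Expand ldap.group.request: {dn} is the user's DN, {uid} the login."""
    template = props.get("ldap.group.request", DEFAULT_GROUP_REQUEST)
    return (template.replace("{dn}", escape_filter_value(user_dn))
                    .replace("{uid}", escape_filter_value(login)))


def startup_ok(log_text):
    """True when both lines from the Usage section appear in the server log."""
    return "Security realm: LDAP" in log_text and "Test LDAP connection: OK" in log_text


def effective_groups(ldap_groups, local_groups, sonar_groups):
    """Group mapping rule: LDAP membership replaces local membership (local_groups
    is ignored on purpose) and only groups already defined in SonarQube apply."""
    return sorted(g for g in ldap_groups if g in sonar_groups)


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    print("problems:", check_config(props))
    print("user filter:", user_filter(props, "jdoe"))
    print("group filter:", group_filter(props, "uid=jdoe,ou=Users,dc=mycompany,dc=com", "jdoe"))
    print("startup ok:", startup_ok(SAMPLE_LOG))
    print("groups:", effective_groups(["sonar-users", "finance"], ["sonar-administrators"],
                                      {"sonar-users", "sonar-administrators"}))
```

Run it against your own sonar.properties by replacing SAMPLE_PROPERTIES with the file contents; the clear-text check is the one most often worth acting on, since the table's example URL (ldap://localhost:10389) combined with the default simple authentication and ldap.StartTLS=false transmits user passwords unencrypted.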

Advanced Topics

See the Advanced Topics sub-page for authentication methods, multiple servers and troubleshooting tips.
