SonarQube 5.6 LDAP (FreeIPA) authenticated users have no groups


obog...@gmail.com

May 12, 2017, 8:28:38 AM
to SonarQube
I saw some posts on StackOverflow, like this one and this, but the problem still exists. I updated SonarQube from 5.3 to 5.6.

Here's an example of my config:

sonar.security.realm=LDAP
sonar.security.savePassword=false
sonar.security.localUsers=admin
ldap.authentication=simple
ldap.url=ldap://ipa.company.com
ldap.bindDn=uid=ldap_search,cn=users,cn=accounts,dc=company,dc=com
ldap.bindPassword=*************

ldap.user.baseDn=cn=users,cn=accounts,dc=company,dc=com
ldap.user.request=(&(objectClass=inetOrgPerson)(uid={login}))
ldap.user.realNameAttribute=cn
ldap.user.emailAttribute=mail

ldap.group.baseDn=cn=groups,cn=accounts,dc=company,dc=com
ldap.group.request=(&(objectClass=posixGroup)(memberUid={uid}))
ldap.group.idAttribute=cn

The problem is in authentication. If I create a local user, then I can't authenticate using the same LDAP (FreeIPA) account.

If I authenticate for the first time with a FreeIPA account, I see a newly created sonar user, but it has no groups (sonar-users, for example, although he is actually a member of sonar-users in the FreeIPA groups).

Here's an example of the test account in SonarQube - http://joxi.ru/zAN46EXcb9gem9, and the test account in FreeIPA - http://joxi.ru/VrwnzgDcBeGxAX

Even when I log in with admin and add groups to the test user, they disappear after the next login.

Here's an example from the MySQL sonar.users db:


| id | login                    | updated_at    | external_identity        | external_identity_provider | user_local |
| 32 | test                     | 1494580874688 | test                     | sonarqube                  |          0 |



Julien Lancelot

May 15, 2017, 8:30:58 AM
to obog...@gmail.com, SonarQube
Hi Hi,

First, please be aware that the common courtesies (Hi, Thanks, ...) are appreciated in this group.

Then, I'm not really sure I understand your problem:
  • Is your problem about groups synchronization?
  • Is your problem about creating a local user and then authenticating him from an external authentication system?
Regards,

--
You received this message because you are subscribed to the Google Groups "SonarQube" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sonarqube+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/sonarqube/50581f00-7605-4f89-9652-11725d62a620%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
Julien Lancelot | SonarSource

obog...@gmail.com

May 22, 2017, 7:49:08 AM
to SonarQube, obog...@gmail.com
Hi Julien, thanks for your reply! The problem is in groups synchronization, because if I understand correctly, according to the Sonar LDAP docs (https://docs.sonarqube.org/display/PLUG/LDAP+Plugin) - "Every user created in SonarQube will be able to authenticate against SonarQube's own database of users, rather than against any external tool (LDAP, Active Directory, Crowd, etc.)" - so the second question is no longer relevant.
So the problem is in the groups in FreeIPA and Sonar: they are not synchronized at all, and actually, I don't understand why... I suppose maybe there is no clear example of LDAP group configuration in the documentation, again maybe...

On Monday, May 15, 2017 at 15:30:58 UTC+3, Julien Lancelot wrote:

Julien Lancelot

May 22, 2017, 9:35:49 AM
to obog...@gmail.com, SonarQube
Hi,

In order for group sync to work, the group name in the external auth system must match the group name in SonarQube (as explained here: https://docs.sonarqube.org/display/PLUG/LDAP+Plugin#LDAPPlugin-GroupMapping).

Is it your case?

Regards,



obog...@gmail.com

Jun 6, 2017, 11:11:00 AM
to SonarQube, obog...@gmail.com
Hi, yes exactly! This is my case and I still can't find any solution.

On Monday, May 22, 2017 at 16:35:49 UTC+3, Julien Lancelot wrote:

obog...@gmail.com

Jun 7, 2017, 8:03:21 AM
to SonarQube, obog...@gmail.com
After a couple of weeks I finally found the right solution! As I supposed, the problem was in group synchronization, so the right config for group sync with FreeIPA must look like this:
ldap.group.baseDn=cn=groups,cn=compat,dc=company,dc=com
ldap.group.request=(&(objectClass=posixGroup)(memberUid={uid}))
ldap.group.idAttribute=cn

The difference is in cn=groups,cn=compat,dc=company,dc=com. You can't use the memberUid filter with cn=accounts.

On Friday, May 12, 2017 at 15:28:38 UTC+3, obog...@gmail.com wrote:
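
Why the first group filter returned nothing, as an added example that is not part of the original thread: a small offline model of the group lookup run against two constructed entries. The entry layout (DN-valued `member` under cn=accounts, `memberUid` under cn=compat) and the `member={dn}` variant are assumptions about a typical FreeIPA directory, not output from the poster's server.

```python
import re

BASE = "dc=company,dc=com"
USER_DN = f"uid=test,cn=users,cn=accounts,{BASE}"

# Constructed entries modelled on a typical FreeIPA layout (assumption): the
# native tree lists members by DN in `member`; the compat tree is the
# RFC 2307 view that carries bare uids in `memberUid`.
DIRECTORY = {
    f"cn=sonar-users,cn=groups,cn=accounts,{BASE}": {
        "objectClass": ["posixGroup", "groupOfNames", "ipausergroup"],
        "cn": ["sonar-users"],
        "member": [USER_DN],
    },
    f"cn=sonar-users,cn=groups,cn=compat,{BASE}": {
        "objectClass": ["posixGroup"],
        "cn": ["sonar-users"],
        "memberUid": ["test"],
    },
}

def matches(entry, ldap_filter):
    """Evaluate a flat AND filter of equality terms, e.g. (&(a=b)(c=d))."""
    terms = re.findall(r"\(([^()=&]+)=([^()]*)\)", ldap_filter)
    if not terms:
        raise ValueError("unsupported filter: " + ldap_filter)
    return all(
        value.lower() in (v.lower() for v in entry.get(attr, []))
        for attr, value in terms
    )

def search_groups(base_dn, request, uid, user_dn, id_attr="cn"):
    """Subtree search under base_dn; returns id_attr of each matching group."""
    flt = request.replace("{uid}", uid).replace("{dn}", user_dn)
    return sorted(
        entry[id_attr][0]
        for dn, entry in DIRECTORY.items()
        if dn.lower().endswith("," + base_dn.lower()) and matches(entry, flt)
    )

REQUEST = "(&(objectClass=posixGroup)(memberUid={uid}))"    # from the thread
BY_DN = "(&(objectClass=groupOfNames)(member={dn}))"        # assumed variant
ACCOUNTS = f"cn=groups,cn=accounts,{BASE}"
COMPAT = f"cn=groups,cn=compat,{BASE}"

if __name__ == "__main__":
    for label, base, req in [("accounts/memberUid", ACCOUNTS, REQUEST),
                             ("compat/memberUid", COMPAT, REQUEST),
                             ("accounts/member={dn}", ACCOUNTS, BY_DN)]:
        print(label, search_groups(base, req, "test", USER_DN))
```

An empty result from the group search is what shows up in SonarQube as a user with no groups, so the same filter and base DN are worth checking directly against the directory before changing SonarQube settings.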

Julien Lancelot

Jun 7, 2017, 8:08:57 AM
to obog...@gmail.com, SonarQube
Hi,

It's good to know that you've solved your issue, and thanks for sharing how you did it.

Regards.
