SonarQube: changing of rights overwritten

449 views
Skip to first unread message

andreas...@hamburgsud.com

unread,
Mar 22, 2016, 6:10:48 AM3/22/16
to SonarQube
Configuration: SonarQube version 5.3., ldap plugin 1.5.1 (and also other plugins which are not of interest here)
Users & groups are managed by ldap (we use Active Directory)
Groups have been setup in SonarQube with earlier versions

Case:
As administrator, go to system - security - groups, add an existing user to a group which either exist in ldap or not. Of course, "Done" is selected to confirm the change.
Afterwards, let the user login to SonarQube.
The user is removed from the group in SonarQube.
No messages in the sonar.log

Questions: What is the cause of the problem?
How to solve it? I guess the problem is close related to management of users and groups in ldap, but I do not have a clear picture how.

G. Ann Campbell

unread,
Mar 22, 2016, 8:27:02 AM3/22/16
to SonarQube, andreas...@hamburgsud.com
Hi,

Just so you know, people tend to get testy here if you don't include the social niceties (E.G. 'Hi', 'Thanks' &etc.).

To answer your questions, one of the features of the LDAP plugin is the 
Automatic synchronization of relationships between users and group
So you'll need to add your user to the group in AD.


Ann

On Tuesday, 22 March 2016 06:10:48 UTC-4:

Mike Barry

unread,
Mar 22, 2016, 9:13:41 AM3/22/16
to SonarQube, andreas...@hamburgsud.com
This is actually one of the more annoying "features" that I haven't been able to figure out how to disable. I don't want to get infrastructure involved in creating a ton of AD groups for each of our projects (admin, issue admin, user PER project!). It's a ton of red tape with audit, etc. In the end I ended up using existing groups but over permissioning people. There really should be a way to disable group sync and just use LDAP for authentication and user creation.

Pelzer, Dr. Andreas

unread,
Mar 22, 2016, 10:38:06 AM3/22/16
to G. Ann Campbell, SonarQube

Hi Ann,

 

thanks for recommendation.

I did not want to be impolite, but just give short information.

 

To your suggestion: But what happens, if the group does not exist in ldap? Even then the user is removed from the (local SonarQube) group.

 

Kind Regards

Andreas Pelzer

Julien Lancelot

unread,
Mar 22, 2016, 10:41:49 AM3/22/16
to Mike Barry, SonarQube, andreas...@hamburgsud.com
Hi Mike,

In order to disable group synchronisation from LDAP, you can simply remove properties ldap.group.*. 

Regards

--
You received this message because you are subscribed to the Google Groups "SonarQube" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sonarqube+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/sonarqube/f8f5bcbc-cb89-42fa-ba15-181ca0bed6e8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
Julien LANCELOT | SonarSource

Julien Lancelot

unread,
Mar 22, 2016, 10:45:17 AM3/22/16
to Pelzer, Dr. Andreas, G. Ann Campbell, SonarQube
Hi Pelzer,

As mentioned in the docs (Group Mapping) => membership in LDAP/AD will override any membership locally configured in SonarQube.

So if in SonarQube, you assign a user to a group where in LDAP this user is not assigned to this group, he'll not belong anymore to this group when he'll logged to Sonarqube.

Regards

--
You received this message because you are subscribed to the Google Groups "SonarQube" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sonarqube+...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Mike Barry

unread,
Mar 22, 2016, 10:49:22 AM3/22/16
to SonarQube, mi...@barry.io, andreas...@hamburgsud.com
Thank you for pointing this out!
Reply all
Reply to author
Forward
0 new messages