Group configuration Issue with LDAP


Bindu

May 9, 2017, 10:48:17 AM
to SonarQube
Hello,

I have an issue while trying to sync an Active Directory group with SonarQube. User configuration is working properly and I am able to log in to SQ, but when I use group configuration and assign my team as admin, it is not accepting. Please can someone help me if I am doing anything wrong in the configuration.

sonar.log.level=DEBUG
sonar.security.realm=LDAP
sonar.authenticator.downcase=true
ldap.url=ldaps://ed.hp.net:636
ldap.bindDn=cn=hpcr,ou=Applications,o=hp.com
ldap.bindPassword=****
ldap.authentication=simple

# User Configuration
ldap.user.baseDn=ou=People,o=hp.com
ldap.user.request=(&(objectClass=inetOrgPerson) (uid={login}))
ldap.user.realNameAttribute=cn
ldap.user.emailAttribute=uid

# Group Configuration
ldap.group.baseDn=ou=Groups,o=hp.com
ldap.group.request=(&(objectClass=hpGroup) (uniqueMember={cn}))
ldap.group.idAttribute=cn


Logs when I am trying to log in with my credentials:

2017.05.09 13:15:40 INFO  app[o.s.p.m.Monitor] Process[ce] is up
2017.05.09 13:15:47 DEBUG web[http] GET /sessions/new?return_to=%2F | time=103ms
2017.05.09 13:15:47 DEBUG web[http] GET /sessions/new?return_to=/ | time=106ms
2017.05.09 13:15:56 DEBUG web[o.s.p.l.LdapUsersProvider] Requesting details for user p...@inc.com
2017.05.09 13:15:56 DEBUG web[o.s.p.l.LdapSearch] Search: LdapSearch{baseDn=ou=People,o=hp.com, scope=subtree, request=(&(objectClass=inetOrgPerson) (uid={0})), parameters=[p...@inc.com], attributes=[uid, cn]}
2017.05.09 13:15:56 DEBUG web[o.s.p.l.LdapContextFactory] Initializing LDAP context {java.naming.provider.url=ldaps://ed.hp.net:636, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.principal=cn=hpcr,ou=Applications,o=hp.com, com.sun.jndi.ldap.connect.pool=true, java.naming.security.authentication=simple, java.naming.referral=follow}
2017.05.09 13:15:56 DEBUG web[http] GET /sessions/login | time=40ms
2017.05.09 13:15:58 DEBUG web[o.s.p.l.LdapSearch] Search: LdapSearch{baseDn=ou=People,o=hp.com, scope=subtree, request=(&(objectClass=inetOrgPerson) (uid={0})), parameters=[p...@inc.com], attributes=null}
2017.05.09 13:15:58 DEBUG web[o.s.p.l.LdapContextFactory] Initializing LDAP context {java.naming.provider.url=ldaps://ed.hp.net:636, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.principal=cn=hpcr,ou=Applications,o=hp.com, com.sun.jndi.ldap.connect.pool=true, java.naming.security.authentication=simple, java.naming.referral=follow}
2017.05.09 13:15:58 DEBUG web[o.s.p.l.LdapContextFactory] Initializing LDAP context {java.naming.provider.url=ldaps://ed.hp.net:636, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.principal=uid=p...@inc.com,ou=People,o=hp.com, java.naming.security.authentication=simple, java.naming.referral=follow}
2017.05.09 13:15:59 DEBUG web[o.s.p.l.LdapGroupsProvider] Requesting groups for user p...@inc.com
2017.05.09 13:15:59 DEBUG web[o.s.p.l.LdapSearch] Search: LdapSearch{baseDn=ou=People,o=hp.com, scope=subtree, request=(&(objectClass=inetOrgPerson) (uid={0})), parameters=[p...@inc.com], attributes=[dn]}
2017.05.09 13:15:59 DEBUG web[o.s.p.l.LdapContextFactory] Initializing LDAP context {java.naming.provider.url=ldaps://ed.hp.net:636, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.principal=cn=hpcr,ou=Applications,o=hp.com, com.sun.jndi.ldap.connect.pool=true, java.naming.security.authentication=simple, java.naming.referral=follow}
2017.05.09 13:15:59 DEBUG web[o.s.p.l.LdapSearch] Search: LdapSearch{baseDn=ou=Groups,o=hp.com, scope=subtree, request=(&(objectClass=groupOfUniqueNames)(uniqueMember={0})), parameters=[uid=p...@inc.com,ou=People,o=hp.com], attributes=[cn]}
2017.05.09 13:15:59 DEBUG web[o.s.p.l.LdapContextFactory] Initializing LDAP context {java.naming.provider.url=ldaps://ed.hp.net:636, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.principal=cn=hpcr,ou=Applications,o=hp.com, com.sun.jndi.ldap.connect.pool=true, java.naming.security.authentication=simple, java.naming.referral=follow}
2017.05.09 13:16:00 DEBUG web[o.s.s.u.NewUserNotifier] User created: p...@inc.com. Notifying NewUserHandler handlers...
2017.05.09 13:16:00 DEBUG web[http] POST /sessions/login | time=3994ms
2017.05.09 13:16:00 DEBUG web[MeasureFilter] Measure filter executed | time=2ms | request={display=list|onFavourites=true|cols=metric:alert_statusnamedate|pageSize=50|sort=name|asc=true} | result=0 rows,
2017.05.09 13:16:00 DEBUG web[MeasureFilter] Measure filter executed | time=4ms | request={display=list|qualifiers=TRK|cols=metric:alert_statusnameversionmetric:nclocmetric:bugsmetric:vulnerabilitiesmetric:code_smellsdate|pageSize=20|sort=name|asc=true} | result=1 rows,
2017.05.09 13:16:01 DEBUG web[http] GET / | time=309ms
2017.05.09 13:16:01 DEBUG web[MeasureFilter] Measure filter executed | time=5ms | request={display=none|qualifiers=TRK|cols=metric:alert_statusnameversionmetric:nclocmetric:bugsmetric:vulnerabilitiesmetric:code_smellsdate|filter=1|metrics=coverage,ncloc|fields=name,longName,qualifier|pageSize=30|page=1|sort=metric:ncloc|asc=false} | result=1 rows,
2017.05.09 13:16:01 DEBUG web[http] GET /measures/search_filter?filter=1&metrics=coverage,ncloc&fields=name,longName,qualifier&pageSize=30&page=1&sort=metric:ncloc&asc=false | time=89ms
2017.05.09 13:16:01 DEBUG web[http] GET /api/l10n/index?locale=en-US&ts=2017-05-09T09%3A15%3A38-0400 | time=26ms
2017.05.09 13:16:01 DEBUG web[http] GET /api/navigation/global | time=42ms



Thanks in advance
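
Added example (not part of the original thread and not SonarSource code): a Python check that pulls the group search SonarQube actually ran out of the DEBUG log and compares it with ldap.group.request from sonar.properties. The user "jdoe" and the function names are constructed; the placeholder numbering rule is an assumption drawn from the log lines above, where {login} appears as {0}.

```python
import re

# Fields of the "Search: LdapSearch{...}" line written when sonar.log.level=DEBUG.
SEARCH_RE = re.compile(
    r"LdapSearch\{baseDn=(?P<base>.*?), scope=(?P<scope>\w+), "
    r"request=(?P<request>.*?), parameters=\[(?P<params>.*?)\], attributes=(?P<attrs>.*)\}")

# Constructed samples modelled on the post above (user "jdoe" is made up).
SAMPLE_PROPERTIES = """\
ldap.group.baseDn=ou=Groups,o=hp.com
ldap.group.request=(&(objectClass=hpGroup) (uniqueMember={cn}))
"""
SAMPLE_LOG = """\
2017.05.09 13:15:59 DEBUG web[o.s.p.l.LdapSearch] Search: LdapSearch{baseDn=ou=People,o=hp.com, scope=subtree, request=(&(objectClass=inetOrgPerson) (uid={0})), parameters=[jdoe], attributes=[dn]}
2017.05.09 13:15:59 DEBUG web[o.s.p.l.LdapSearch] Search: LdapSearch{baseDn=ou=Groups,o=hp.com, scope=subtree, request=(&(objectClass=groupOfUniqueNames)(uniqueMember={0})), parameters=[uid=jdoe,ou=People,o=hp.com], attributes=[cn]}
"""

def load_properties(text):
    """Parse key=value lines, skipping comments and blank lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def normalize(ldap_filter):
    """Drop whitespace and number {name} placeholders positionally
    (assumption: matches the {0} form seen in the DEBUG log)."""
    names = []
    def number(match):
        if match.group(1) not in names:
            names.append(match.group(1))
        return "{%d}" % names.index(match.group(1))
    return re.sub(r"\{(\w+)\}", number, re.sub(r"\s+", "", ldap_filter))

def check_group_search(properties_text, log_text):
    """Return (configured, effective, matches) for the LDAP group lookup."""
    props = load_properties(properties_text)
    configured = normalize(props["ldap.group.request"])
    effective = None  # stays None if no search under ldap.group.baseDn was logged
    for line in log_text.splitlines():
        m = SEARCH_RE.search(line)
        if m and m.group("base") == props["ldap.group.baseDn"]:
            effective = normalize(m.group("request"))
    return configured, effective, configured == effective

if __name__ == "__main__":
    print(check_group_search(SAMPLE_PROPERTIES, SAMPLE_LOG))
```

A result whose third element is False means the filter in the file being edited is not the one the running server used for the group lookup.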

G. Ann Campbell

May 15, 2017, 12:10:51 PM
to SonarQube
Hi,

What exactly do you mean by "it is not accepting"? You mean you can't log in? Or that (as expected) your group memberships are reset?


Ann

Bindu Boinapalli

May 15, 2017, 12:37:27 PM
to G. Ann Campbell, SonarQube
Hi,

I passed the default group configuration as I am not sure about the correct attributes which were used in LDAP. I am checking with the LDAP team, thanks for checking.


Bindu

May 30, 2017, 11:00:19 PM
to SonarQube
Hi Ann,

I am able to log in with my LDAP user credentials. In SonarQube, I assigned the admin role to the LDAP group. My LDAP user belongs to this LDAP group, but I am not getting the admin role when I am logging in to the dashboard. This is the issue I am facing.

G. Ann Campbell

May 31, 2017, 10:30:35 AM
to SonarQube
Hi,

Can you confirm that after login you retain the admin group? Because this sounds like a case of group synchronization from LDAP overwriting (as designed/configured) the groups assigned in SonarQube.


Ann

Bindu Boinapalli

May 31, 2017, 11:01:32 AM
to G. Ann Campbell, SonarQube
Hi,

After login I want a specific LDAP group (sonar_admin) to have the admin role in the SonarQube dashboard.

Steps I implemented:
1) I created the sonar_admin group in LDAP (me and my team are part of this admin group)
2) I created a new group in the Sonar dashboard with the same name, sonar_admin, and added the sonar_admin group as admin role.
3) Below is the LDAP configuration in sonar.properties

sonar.log.level=DEBUG
sonar.security.realm=LDAP
sonar.authenticator.downcase=false
ldap.url=ldaps://dhp.net:636
ldap.bindDn=cn=hpcrs,ou=Applications,o=hp.com
ldap.bindPassword=***
ldap.authentication=simple

# User Configuration
ldap.user.baseDn=ou=People,o=hp.com
ldap.user.request=(&(objectClass=inetOrgPerson) (uid={login}))
ldap.user.realNameAttribute=cn
ldap.user.emailAttribute=uid

# Group Configuration
ldap.group.baseDn=ou=Groups,o=hp.com
ldap.group.request=(&(objectClass=hpGroup) (member={dn}))
ldap.group.idAttribute=cn

4) I am able to log in to the SonarQube dashboard with my LDAP credentials but I don't see the admin role. I hope the issue is with group synchronization from LDAP. I am trying to give admin access to the sonar_admin group.


Output:

2017.05.31 10:07:46 DEBUG web[MeasureFilter] Measure filter executed | time=79ms | request={display=list|qualifiers=TRK|cols=metric:alert_statusnameversionmetric:nclocmetric:bugsmetric:vulnerabilitiesmetric:code_smellsdate|pageSize=20|sort=name|asc=true} | result=1 rows,
2017.05.31 10:07:46 DEBUG web[http] GET / | time=1230ms
2017.05.31 10:07:46 DEBUG web[http] GET /css/sonar.css?v=5.6.6 | time=22ms
2017.05.31 10:07:46 DEBUG web[http] GET /js/bundles/dashboard.js?v=5.6.6 | time=26ms
2017.05.31 10:07:46 DEBUG web[http] GET /js/bundles/widgets.js?v=5.6.6 | time=5ms
2017.05.31 10:07:46 DEBUG web[http] GET /js/bundles/sonar.js?v=5.6.6 | time=50ms
2017.05.31 10:07:47 DEBUG web[http] GET /js/bundles/vendor.js?v=5.6.6 | time=148ms
2017.05.31 10:07:47 DEBUG web[http] GET /js/bundles/main.js?v=5.6.6 | time=27ms
2017.05.31 10:07:48 DEBUG web[http] GET /fonts/sonar-5.2.woff? | time=2ms
2017.05.31 10:07:48 DEBUG web[MeasureFilter] Measure filter executed | time=45ms | request={display=none|qualifiers=TRK|cols=metric:alert_statusnameversionmetric:nclocmetric:bugsmetric:vulnerabilitiesmetric:code_smellsdate|filter=1|metrics=coverage,ncloc|fields=name,longName,qualifier|pageSize=30|page=1|sort=metric:ncloc|asc=false} | result=1 rows,
2017.05.31 10:07:48 DEBUG web[http] GET /measures/search_filter?filter=1&metrics=coverage,ncloc&fields=name,longName,qualifier&pageSize=30&page=1&sort=metric:ncloc&asc=false | time=213ms
2017.05.31 10:07:48 DEBUG web[http] GET /api/l10n/index?locale=en-US | time=259ms
2017.05.31 10:07:49 DEBUG web[http] GET /api/navigation/global | time=71ms
2017.05.31 10:07:51 DEBUG web[http] GET /sessions/new?return_to=%2F | time=83ms
2017.05.31 10:08:09 DEBUG web[o.s.p.l.LdapUsersProvider] Requesting details for user b...@hp.com
2017.05.31 10:08:09 DEBUG web[o.s.p.l.LdapSearch] Search: LdapSearch{baseDn=ou=People,o=hp.com, scope=subtree, request=(&(objectClass=inetOrgPerson) (uid={0})), parameters=[b...@hp.com], attributes=[uid, cn]}
2017.05.31 10:08:09 DEBUG web[o.s.p.l.LdapContextFactory] Initializing LDAP context {java.naming.provider.url=ldaps://dhp.net:636, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.principal=cn=hpcrs,ou=Applications,o=hp.com, com.sun.jndi.ldap.connect.pool=true, java.naming.security.authentication=simple, java.naming.referral=follow}
2017.05.31 10:08:10 DEBUG web[o.s.p.l.LdapSearch] Search: LdapSearch{baseDn=ou=People,o=hp.com, scope=subtree, request=(&(objectClass=inetOrgPerson) (uid={0})), parameters=[b...@hp.com], attributes=null}
2017.05.31 10:08:10 DEBUG web[o.s.p.l.LdapContextFactory] Initializing LDAP context {java.naming.provider.url=ldaps://dhp.net:636, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.principal=cn=hpcrs,ou=Applications,o=hp.com, com.sun.jndi.ldap.connect.pool=true, java.naming.security.authentication=simple, java.naming.referral=follow}
2017.05.31 10:08:11 DEBUG web[o.s.p.l.LdapContextFactory] Initializing LDAP context {java.naming.provider.url=ldaps://dhp.net:636, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.principal=uid=b...@hp.com,ou=People,o=hp.com, java.naming.security.authentication=simple, java.naming.referral=follow}
2017.05.31 10:08:11 DEBUG web[o.s.p.l.LdapGroupsProvider] Requesting groups for user b...@hp.com
2017.05.31 10:08:11 DEBUG web[o.s.p.l.LdapSearch] Search: LdapSearch{baseDn=ou=People,o=hp.com, scope=subtree, request=(&(objectClass=inetOrgPerson) (uid={0})), parameters=[b...@hp.com], attributes=[dn]}
2017.05.31 10:08:11 DEBUG web[o.s.p.l.LdapContextFactory] Initializing LDAP context {java.naming.provider.url=ldaps://dhp.net:636, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.principal=cn=hpcrs,ou=Applications,o=hp.com, com.sun.jndi.ldap.connect.pool=true, java.naming.security.authentication=simple, java.naming.referral=follow}
2017.05.31 10:08:12 DEBUG web[o.s.p.l.LdapSearch] Search: LdapSearch{baseDn=ou=Groups,o=hp.com, scope=subtree, request=(&(objectClass=hpGroup) (member={0})), parameters=[uid=b...@hp.com,ou=People,o=hp.com], attributes=[cn]}
2017.05.31 10:08:12 DEBUG web[o.s.p.l.LdapContextFactory] Initializing LDAP context {java.naming.provider.url=ldaps://dhp.net:636, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.principal=cn=hpcrs,ou=Applications,o=hp.com, com.sun.jndi.ldap.connect.pool=true, java.naming.security.authentication=simple, java.naming.referral=follow}
2017.05.31 10:08:12 DEBUG web[o.s.s.u.NewUserNotifier] User created: b...@hp.com. Notifying NewUserHandler handlers...
2017.05.31 10:08:13 DEBUG web[http] POST /sessions/login | time=3645ms
2017.05.31 10:08:13 DEBUG web[MeasureFilter] Measure filter executed | time=3ms | request={display=list|onFavourites=true|cols=metric:alert_statusnamedate|pageSize=50|sort=name|asc=true} | result=0 rows,
2017.05.31 10:08:13 DEBUG web[MeasureFilter] Measure filter executed | time=32ms | request={display=list|qualifiers=TRK|cols=metric:alert_statusnameversionmetric:nclocmetric:bugsmetric:vulnerabilitiesmetric:code_smellsdate|pageSize=20|sort=name|asc=true} | result=1 rows,
2017.05.31 10:08:13 DEBUG web[http] GET / | time=339ms
2017.05.31 10:08:14 DEBUG web[http] GET /api/l10n/index?locale=en-US&ts=2017-05-31T10%3A07%3A48-0400 | time=39ms
2017.05.31 10:08:14 DEBUG web[MeasureFilter] Measure filter executed | time=52ms | request={display=none|qualifiers=TRK|cols=metric:alert_statusnameversionmetric:nclocmetric:bugsmetric:vulnerabilitiesmetric:code_smellsdate|filter=1|metrics=coverage,ncloc|fields=name,longName,qualifier|pageSize=30|page=1|sort=metric:ncloc|asc=false} | result=1 rows,
2017.05.31 10:08:14 DEBUG web[http] GET /measures/search_filter?filter=1&metrics=coverage,ncloc&fields=name,longName,qualifier&pageSize=30&page=1&sort=metric:ncloc&asc=false | time=128ms
2017.05.31 10:08:14 DEBUG web[http] GET /api/navigation/global | time=54ms


Thank you.


G. Ann Campbell

May 31, 2017, 11:04:26 AM
to Bindu Boinapalli, SonarQube
Hi Bindu,

With LDAP group synchronization, group names have to match between LDAP and SonarQube.


Ann



---
G. Ann Campbell | SonarSource
Product Manager
@GAnnCampbell

Bindu Boinapalli

May 31, 2017, 11:06:32 AM
to G. Ann Campbell, SonarQube
Hi,

Yes, both group names are the same in LDAP and the Sonar dashboard.


Thank you.

G. Ann Campbell

May 31, 2017, 11:16:04 AM
to Bindu Boinapalli, SonarQube
Hi,

To recap:
* The "sonar_admin" group exists in both SonarQube and LDAP
* You're a member of the LDAP sonar_admin group
* The ldap.group.* properties are configured, so group mapping is turned on
* You have granted the sonar_admin group administrative rights on the SonarQube side
* When you log in using LDAP credentials, you don't appear to have admin rights

Two more questions: 
* Could you specify which permissions you've granted to the sonar_admin group?
* How do you know you don't have admin rights? Is it because you don't see "Administration" in the top nav bar?


Ann





---
G. Ann Campbell | SonarSource
Product Manager
@GAnnCampbell

Bindu Boinapalli

May 31, 2017, 11:24:13 AM
to G. Ann Campbell, SonarQube
Hi,

Could you specify which permissions you've granted to the sonar_admin group

I logged in with default credentials admin and then

Administration -> Security -> User -> Added group here



How do you know you don't have admin rights? Is it because you don't see "Administration" in the top nav bar?

Yes, I don't see Administration in the nav bar.




Bindu Boinapalli

May 31, 2017, 2:06:17 PM
to G. Ann Campbell, SonarQube
Hi Ann,

I missed global permissions; I am able to access now with admin privileges.

Thanks for your time.




G. Ann Campbell

May 31, 2017, 2:09:11 PM
to Bindu Boinapalli, SonarQube
Thanks for checking back in. I'm glad it worked out for you.


Ann



---
G. Ann Campbell | SonarSource
Product Manager
@GAnnCampbell
