Re: Help with LDAP group configuration


Julien Lancelot

Mar 1, 2017, 4:24:10 AM
to ttol...@gmail.com, SonarQube
Hi,

As you've posted a very similar thread here, I'll answer only this one, which may be the root cause of the other issue.

Could you please send us:
  • SonarQube version
  • LDAP version
  • Server's log (as there's no error in the log you've sent)
Thanks,
Regards

On Wed, 1 Mar 2017 at 07:39 <ttol...@gmail.com> wrote:
I am having difficulty finding the correct configuration so that group membership will be synchronized from LDAP.

I had this in my config, and it doesn't work, although authentication is successful:

sonar.security.realm=LDAP
sonar.security.savePassword=true

# Configure servers
ldap.url=ldap://hkdc.hk.myOrgName.com
ldap.user.baseDn=cn=Users,dc=hk,dc=myOrgName,dc=com
ldap.user.request=(&(objectClass=user)(uid={login}))
ldap.user.realNameAttribute=cn
ldap.user.emailAttribute=mail

ldap.group.baseDn=cn=Users,dc=hk,dc=myOrgName,dc=com
ldap.group.request=(&(objectClass=group)(memberUid={member}))

the error message is:
2017.03.01 11:37:21 DEBUG web[AVqH8EcvRVkAXn6NAAAE][o.s.p.l.LdapContextFactory] Initializing LDAP context {java.naming.provider.url=ldap://dc01.hk.myOrgName.com, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, com.sun.jndi.ldap.connect.pool=true, java.naming.security.authentication=simple, java.naming.referral=follow}
2017.03.01 11:37:21 DEBUG web[AVqH8EcvRVkAXn6NAAAE][o.s.s.u.NewUserNotifier] User created: teleung. Notifying NewUserHandler handlers...
2017.03.01 11:37:21 DEBUG web[AVqH8EcvRVkAXn6NAAAE][o.s.s.a.UserIdentityAuthenticator] List of groups returned by the identity provider '[]'

It seems that no matter what I tried, the identity provider always returns an empty list. However, when I do an ldapsearch, I can get a list of groups:

ldapsearch -x "uid=teleung" memberOf
# extended LDIF
#
# LDAPv3
# base <DC=hk,DC=myOrgName,DC=com> (default) with scope subtree
# filter: uid=teleung
# requesting: memberOf
#

# Terry Leung, Users, hk.myOrgName
dn: CN=Terry Leung,CN=Users,DC=hk,DC=
myOrgName,DC=com
memberOf: CN=Developers,CN=Users,DC=hk,DC=myOrgName,DC=com
memberOf: CN=QA,CN=Users,DC=hk,DC=myOrgName,DC=com
memberOf: CN=Bamboo Admin,CN=Users,DC=hk,DC=myOrgName,DC=com
memberOf: CN=DevOps,CN=Users,DC=hk,DC=myOrgName,DC=com
memberOf: CN=devops-admin,CN=Users,DC=hk,DC=myOrgName,DC=com
memberOf: CN=jira-users,CN=Users,DC=hk,DC=myOrgName,DC=com
memberOf: CN=jira-administrators,CN=Users,DC=hk,DC=myOrgName,DC=com
memberOf: CN=confluence-administrators,CN=Users,DC=hk,DC=myOrgName,DC=com
memberOf: CN=bamboo-administrators,CN=Users,DC=hk,DC=myOrgName,DC=com
memberOf: CN=bitbucket-administrators,CN=Users,DC=hk,DC=myOrgName,DC=com
memberOf: CN=sonar-administrators,CN=Users,DC=hk,DC=myOrgName,DC=com


How do I go about troubleshooting the config of LDAP groups in Sonar, and is there any pointer on what the correct config to use is? Thanks.

--
Julien LANCELOT | SonarSource

jjsam...@gmail.com

Mar 6, 2017, 1:10:38 PM
to SonarQube, ttol...@gmail.com
Hello,

I have a very similar issue. I have tried many combinations with no luck.

I am also wondering if there is any more information about troubleshooting this issue? I suppose I could use more detail on how this lookup is performed exactly, so I can understand what values will work in my environment.

We are using the following in an Active Directory environment:
SonarQube Version 6.1
LDAP 2.1.0.507


I don't see any errors, but the log doesn't show a "List of groups returned by the identity provider" and removes the user from the groups created within SonarQube upon login, even though the groups defined in SonarQube match an ldapsearch of the same.

Here is the config:
# LDAP configuration
sonar.security.realm=LDAP
sonar.authenticator.downcase=true
ldap.url=ldaps://ldapServer:389
ldap.bindDn=CN=bindDn,OU=People,OU=Internal,DC=EXT,DC=COM
ldap.bindPassword=password

# User Configuration
ldap.user.baseDn=OU=People,OU=Internal,DC=EXT,DC=COM
ldap.user.request=(&(objectClass=user)(sAMAccountName={login}))

# Group Configuration
ldap.group.baseDn=OU=Groups,OU=Internal,DC=EXT,DC=COM
ldap.group.request=(&(objectClass=group)(member={cn}))
ldap.group.idAttribute=sAMAccountName
And from the Log:
2017.03.06 12:22:01 INFO  web[][org.sonar.INFO] Security realm: LDAP
2017.03.06 12:22:01 INFO  web[][o.s.p.l.LdapSettingsManager] User mapping: LdapUserMapping{baseDn=OU=People,OU=Internal,DC=EXT,DC=COM, request=(&(objectClass=user)(sAMAccountName={0})), realNameAttribute=cn, emailAttribute=mail}
2017.03.06 12:22:01 INFO  web[][o.s.p.l.LdapSettingsManager] Group mapping: LdapGroupMapping{baseDn=OU=Groups,OU=Internal,DC=EXT,DC=COM, idAttribute=sAMAccountName, requiredUserAttributes=[cn], request=(&(objectClass=group)(member={0}))}
2017.03.06 12:22:01 DEBUG web[][o.s.p.l.LdapContextFactory] Initializing LDAP context {java.naming.provider.url=ldaps://ldapServer:389, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.principal=CN=bindDn,OU=People,OU=Internal,DC=EXT,DC=COM, com.sun.jndi.ldap.connect.pool=true, java.naming.security.authentication=simple, java.naming.referral=follow}
2017.03.06 12:22:02 INFO  web[][o.s.p.l.LdapContextFactory] Test LDAP connection on ldaps://ldapServer:389: OK

2017.03.06 12:22:55 DEBUG web[][o.s.p.l.LdapUsersProvider] Requesting details for user userName
2017.03.06 12:22:55 DEBUG web[][o.s.p.l.LdapSearch] Search: LdapSearch{baseDn=OU=People,OU=Internal,DC=EXT,DC=COM, scope=subtree, request=(&(objectClass=user)(sAMAccountName={0})), parameters=[userName], attributes=[mail, cn]}
2017.03.06 12:22:55 DEBUG web[][o.s.p.l.LdapContextFactory] Initializing LDAP context {java.naming.provider.url=ldaps://ldapServer:389, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.principal=CN=bindDn,OU=People,OU=Internal,DC=EXT,DC=COM, com.sun.jndi.ldap.connect.pool=true, java.naming.security.authentication=simple, java.naming.referral=follow}
2017.03.06 12:22:55 DEBUG web[][o.s.p.l.LdapSearch] Search: LdapSearch{baseDn=OU=People,OU=Internal,DC=EXT,DC=COM, scope=subtree, request=(&(objectClass=user)(sAMAccountName={0})), parameters=[userName], attributes=null}
2017.03.06 12:22:55 DEBUG web[][o.s.p.l.LdapContextFactory] Initializing LDAP context {java.naming.provider.url=ldaps://ldapServer:389, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.principal=CN=bindDn,OU=People,OU=Internal,DC=EXT,DC=COM, com.sun.jndi.ldap.connect.pool=true, java.naming.security.authentication=simple, java.naming.referral=follow}
2017.03.06 12:22:56 DEBUG web[][o.s.p.l.LdapContextFactory] Initializing LDAP context {java.naming.provider.url=ldaps://ldapServer:389, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.principal=CN=userName,OU=People,OU=Internal,DC=EXT,DC=COM, java.naming.security.authentication=simple, java.naming.referral=follow}
2017.03.06 12:22:56 DEBUG web[][o.s.p.l.LdapGroupsProvider] Requesting groups for user userName
2017.03.06 12:22:56 DEBUG web[][o.s.p.l.LdapSearch] Search: LdapSearch{baseDn=OU=People,OU=Internal,DC=EXT,DC=COM, scope=subtree, request=(&(objectClass=user)(sAMAccountName={0})), parameters=[userName], attributes=[cn]}
2017.03.06 12:22:56 DEBUG web[][o.s.p.l.LdapContextFactory] Initializing LDAP context {java.naming.provider.url=ldaps://ldapServer:389, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.principal=CN=bindDn,OU=People,OU=Internal,DC=EXT,DC=COM, com.sun.jndi.ldap.connect.pool=true, java.naming.security.authentication=simple, java.naming.referral=follow}
2017.03.06 12:22:56 DEBUG web[][o.s.p.l.LdapSearch] Search: LdapSearch{baseDn=OU=Groups,OU=Internal,DC=EXT,DC=COM, scope=subtree, request=(&(objectClass=group)(member={0})), parameters=[userName], attributes=[sAMAccountName]}
2017.03.06 12:22:56 DEBUG web[][o.s.p.l.LdapContextFactory] Initializing LDAP context {java.naming.provider.url=ldaps://ldapServer:389, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.principal=CN=bindDn,OU=People,OU=Internal,DC=EXT,DC=COM, com.sun.jndi.ldap.connect.pool=true, java.naming.security.authentication=simple, java.naming.referral=follow}
2017.03.06 12:22:56 DEBUG web[][o.s.s.u.NewUserNotifier] User created: userName. Notifying NewUserHandler handlers...
2017.03.06 12:22:56 DEBUG web[][o.s.s.a.UserIdentityAuthenticator] List of groups returned by the identity provider '[]'
Any additional information would be helpful

Thanks,
James

nicolas...@sonarsource.com

Mar 15, 2017, 4:04:37 AM
to SonarQube, ttol...@gmail.com, jjsam...@gmail.com
Hi James,

even though the groups defined in SonarQube match an ldapsearch of the same.

You probably want to provide the executed ldapsearch command together with its output, so it can be compared with your SonarQube configuration.

For now all I can say is that this configuration, ldap.group.request=(&(objectClass=group)(member={cn})), differs from the LDAP Plugin documented example (&(objectClass=group)(member={dn})). Now of course it may genuinely need to be different in your deployment, but it seems worth trying different values there and seeing if it makes a difference.

Best regards,
Nicolas
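To make the two-stage lookup concrete for both configurations posted in this thread, here is an added Python simulation (not the plugin's code, and not written by anyone in the thread) that replays what the DEBUG log above shows: the user filter is run with {login}, every {name} placeholder in the group filter is then filled from the user entry ({dn} being the entry's DN), and the group idAttribute values are returned. The directory contents, DNs and group names are constructed; treating a placeholder the user entry cannot supply (such as {member}) as "no groups" is my assumption, not something the plugin documentation states.

```python
import re

# Constructed in-memory stand-in for the AD tree in the thread (no real server is contacted).
# DN -> attribute -> values; LDAP attributes are multi-valued, hence the lists.
USER_DN = "CN=userName,OU=People,OU=Internal,DC=EXT,DC=COM"
DIRECTORY = {
    USER_DN: {"objectClass": ["user"], "sAMAccountName": ["username"], "cn": ["userName"]},
    "CN=sonar-administrators,OU=Groups,OU=Internal,DC=EXT,DC=COM": {
        "objectClass": ["group"], "sAMAccountName": ["sonar-administrators"], "member": [USER_DN]},
    "CN=Developers,OU=Groups,OU=Internal,DC=EXT,DC=COM": {
        "objectClass": ["group"], "sAMAccountName": ["Developers"],
        "member": [USER_DN, "CN=someoneElse,OU=People,OU=Internal,DC=EXT,DC=COM"]},
}
CLAUSE = re.compile(r"\(([\w.;-]+)=([^()]*)\)")  # one (attr=value) term of an AND filter
PLACEHOLDER = re.compile(r"\{(\w+)\}")           # {login}, {dn}, {cn}, ... in a request

def get(attrs: dict, name: str) -> list:
    return next((v for k, v in attrs.items() if k.lower() == name.lower()), [])  # names are case-insensitive

def search(base_dn: str, request: str, params: dict) -> list:
    """Subtree search for an AND-of-equalities filter. Placeholders are filled in only
    after the filter has been parsed, so a value can never add or close a clause
    (the same guarantee a parameterised JNDI search gives the plugin)."""
    clauses = [(a, PLACEHOLDER.sub(lambda m: params[m.group(1)], v)) for a, v in CLAUSE.findall(request)]
    return [(dn, attrs) for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(base_dn.lower())
            and all(any(x.lower() == v.lower() for x in get(attrs, a)) for a, v in clauses)]

def resolve_groups(cfg: dict, login: str) -> list:
    """Stage 1: find the user entry. Stage 2: fill the group filter from it and collect idAttribute values."""
    users = search(cfg["ldap.user.baseDn"], cfg["ldap.user.request"], {"login": login})
    if len(users) != 1:
        return []  # unknown or ambiguous login: nothing to resolve
    user_dn, user_attrs = users[0]
    params = {}
    for name in set(PLACEHOLDER.findall(cfg["ldap.group.request"])):
        if name == "dn":
            params[name] = user_dn  # {dn} is the entry's DN, not an attribute
        elif get(user_attrs, name):
            params[name] = get(user_attrs, name)[0]
        else:
            return []  # assumption: a placeholder the user entry cannot supply yields no groups
    groups = search(cfg["ldap.group.baseDn"], cfg["ldap.group.request"], params)
    return sorted(get(attrs, cfg["ldap.group.idAttribute"])[0] for _, attrs in groups)

BASE = {"ldap.user.baseDn": "OU=People,OU=Internal,DC=EXT,DC=COM", "ldap.group.idAttribute": "sAMAccountName",
        "ldap.user.request": "(&(objectClass=user)(sAMAccountName={login}))",
        "ldap.group.baseDn": "OU=Groups,OU=Internal,DC=EXT,DC=COM"}
CFG_CN = {**BASE, "ldap.group.request": "(&(objectClass=group)(member={cn}))"}  # James's config
CFG_DN = {**BASE, "ldap.group.request": "(&(objectClass=group)(member={dn}))"}  # documented AD form
```

With {cn} the group filter compares the bare cn "userName" against member values that are full DNs, so nothing matches and the empty list from the log is reproduced; with {dn} both groups come back.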