SonarQube 5.6 LDAP (FreeIPA) authenticated users have no groups

放肆的年华 posted on 2019-12-25 16:59:10

Question


I saw some posts on Stack Overflow, like this one and this, but the problem still exists. I updated SonarQube from 5.3 to 5.6. Here's an example of my config:

sonar.security.realm=LDAP
sonar.security.savePassword=false
sonar.security.localUsers=admin
ldap.authentication=simple
ldap.url=ldap://ipa.company.com
ldap.bindDn=uid=ldap_search,cn=users,cn=accounts,dc=company,dc=com
ldap.bindPassword=*************

ldap.user.baseDn=cn=users,cn=accounts,dc=company,dc=com
ldap.user.request=(&(objectClass=inetOrgPerson)(uid={login}))
ldap.user.realNameAttribute=cn
ldap.user.emailAttribute=mail

ldap.group.baseDn=cn=groups,cn=accounts,dc=company,dc=com
ldap.group.request=(&(objectClass=posixGroup)(memberUid={uid}))
ldap.group.idAttribute=cn

The problem is in authentication. If I create a local user, then I can't authenticate using the same LDAP (FreeIPA) account, according to these docs (Local users block). If I authenticate for the first time with a FreeIPA account, I see a newly created Sonar user, but it has no groups (sonar-users, for example, but he is actually a member of sonar-users in FreeIPA groups).

Here's an example of the test account in SonarQube - http://joxi.ru/zAN46EXcb9gem9, and the test account in FreeIPA - http://joxi.ru/VrwnzgDcBeGxAX. Even when I log in as admin and add groups to the test user, they disappear after the next login.

Here's an example from the MySQL sonar.users db:

| id | login                    | updated_at    | external_identity        | external_identity_provider | user_local |
| 32 | test                     | 1494580874688 | test                     | sonarqube                  |          0 |

Please help me to find a solution.


Answer 1:


After a couple of weeks I finally found the right solution! I realized that the problem was in group synchronization, so the right config for group sync must look like the following for your FreeIPA configuration:

ldap.group.baseDn=cn=groups,cn=compat,dc=company,dc=com
ldap.group.request=(&(objectClass=posixGroup)(memberUid={uid}))
ldap.group.idAttribute=cn

The difference is in cn=groups,cn=compat,dc=company,dc=com. You can't use the memberUid filter with cn=accounts.
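
The difference the answer describes, as an added example that is not part of the original post: a small Python model of one group as it appears in the two FreeIPA subtrees, assuming the native cn=accounts tree lists members by DN in `member` while the cn=compat tree exposes RFC 2307 `memberUid`. The entries are constructed, and `parse`, `matches` and `group_search` are hypothetical stand-ins for the directory search, handling only AND/OR/NOT and equality filters.

```python
# Constructed sample entries (assumption: cn=accounts stores member DNs in
# `member`; cn=compat is the RFC 2307 view that carries `memberUid`).
ACCOUNTS = "cn=groups,cn=accounts,dc=company,dc=com"
COMPAT = "cn=groups,cn=compat,dc=company,dc=com"
ENTRIES = [
    ("cn=sonar-users," + ACCOUNTS,
     {"objectClass": ["posixGroup", "groupOfNames", "ipaUserGroup"],
      "cn": ["sonar-users"],
      "member": ["uid=test,cn=users,cn=accounts,dc=company,dc=com"]}),
    ("cn=sonar-users," + COMPAT,
     {"objectClass": ["posixGroup"],
      "cn": ["sonar-users"],
      "memberUid": ["test"]}),
]
REQUEST = "(&(objectClass=posixGroup)(memberUid={uid}))"  # filter from the page

def parse(f, i=0):
    """Parse a subset of RFC 4515: (&...), (|...), (!...), (attr=value)."""
    assert f[i] == "(", "filter component must start with '('"
    if f[i + 1] in "&|!":
        op, i, kids = f[i + 1], i + 2, []
        while f[i] == "(":
            node, i = parse(f, i)
            kids.append(node)
        return (op, kids), i + 1          # skip the closing ')'
    end = f.index(")", i)
    attr, value = f[i + 1:end].split("=", 1)
    return ("=", attr, value), end + 1

def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes."""
    if node[0] == "=":
        # Simplification: attribute names and values compared case-insensitively.
        vals = next((v for k, v in attrs.items() if k.lower() == node[1].lower()), [])
        return any(v.lower() == node[2].lower() for v in vals)
    results = [matches(kid, attrs) for kid in node[1]]
    return {"&": all, "|": any, "!": lambda r: not r[0]}[node[0]](results)

def group_search(base_dn, request, uid):
    """Subtree search under base_dn; returns the cn of each matching group."""
    tree, _ = parse(request.replace("{uid}", uid))
    return [attrs["cn"][0] for dn, attrs in ENTRIES
            if dn.lower().endswith("," + base_dn.lower()) and matches(tree, attrs)]

if __name__ == "__main__":
    for base in (ACCOUNTS, COMPAT):
        print(base, "->", group_search(base, REQUEST, "test"))
```

Running the same filter with `ldapsearch` against each base DN of a real directory is the equivalent check before changing `ldap.group.baseDn`.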



Source: https://stackoverflow.com/questions/43934559/sonarqube-5-6-ldap-freeipa-authenticated-users-have-no-groups
