Support for Active Directory and Single Sign On (SSO) in the SonarQube LDAP Plugin

At Microsoft we have been working closely with SonarSource to improve the developer experience when using SonarQube server. An example is the new version (1.5) of the SonarQube LDAP Plugin. This version was developed in close collaboration with SonarSource, with the aim of improving the plugin's integration when working with Active Directory. Following are some of the highlights of this release of the plugin.

Simplified Configuration

With this update we have greatly simplified the configuration experience in Microsoft Active Directory environments. Below is a comparison of the configuration required for the LDAP plugin in the sonar.properties file across different versions:

With Version 1.4

# LDAP configuration
# General Configuration
sonar.security.realm=LDAP
sonar.security.savePassword=true
ldap.url=ldap://myserver.mycompany.com
ldap.windows.auth=false

# User Configuration
ldap.user.baseDn=ou=Users,dc=mycompany,dc=com
ldap.user.request=(&(objectClass=inetOrgPerson)(uid={login}))
ldap.user.realNameAttribute=cn
ldap.user.emailAttribute=mail

# Group Configuration
ldap.group.baseDn=ou=Groups,dc=sonarsource,dc=com
ldap.group.request=(&(objectClass=posixGroup)(memberUid={uid}))

With Version 1.5

# LDAP configuration
sonar.security.realm=LDAP

sonar.forceAuthentication=true

Note that the first version was error-prone as a SonarQube admin was not necessarily familiar with the LDAP protocol. It also raised some security concerns as the admin had to provide some sensitive information – such as the value for {login}.

Support for Single Sign On (SSO)

In Microsoft Active Directory environments, the LDAP plugin now supports Single Sign On (SSO), meaning that a user is automatically signed into the SonarQube server using their Active Directory credentials if the user is already signed into the computer with their domain credentials. The user details like name, email, domain etc. are all automatically obtained from the Active Directory server, as illustrated in the profile page screenshot below.

Note that, by default, SSO uses the NTLM protocol, but it is recommended to use the Kerberos negotiation protocol instead. Your computer must meet some prerequisites before using SSO with negotiation enabled; more details can be found in the plugin documentation.

Support for adding Security Groups

In addition, users can now add security groups directly to the SonarQube server and assign permissions to them from the SonarQube Server's Global Permission page. Groups can be added using the groupname@domain format.

Add security group from Group page on SonarQube Server

Security Group can be added in the form of groupname@domain

Next time the user logs in, his group details are picked up automatically by the plugin

Security groups can be given permissions on SonarQube Server just like regular groups

Upgrading from previous version of LDAP Plugin

If you have an existing setup of LDAP Plugin in an Active Directory environment, you have the following two options when moving to the current version of the LDAP Plugin:

Option 1: Replace configuration and move to the new configuration (Recommended)

  1. Remove all the configuration you have set up for LDAP plugin in sonar.properties and replace with the new configuration
  2. Add domain groups in SonarQube server
  3. Specify global and project permissions for the domain group
  4. If any user has customizations in their profile, ask them to re-apply them after logging in with their domain credentials

Option 2: Keep using the old configuration and add the following to the sonar.properties file. Do note that functionality will be limited when using compatibility mode and features like Single Sign On are not supported.

# LDAP configuration
sonar.security.realm=LDAP
sonar.forceAuthentication=true

ldap.windows.compatibilityMode = true
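
A check for which of the two upgrade options a given sonar.properties reflects, as an added example that is not part of the original post or the plugin's own code. It assumes an Active Directory environment; the function names (parse_properties, audit) and the mode labels are hypothetical, the sample file is constructed from the snippets above, and the parser handles only simple key=value lines.

```python
# Constructed sample: the post's version 1.4 keys (abridged) plus the Option 2 lines.
SAMPLE = """\
# LDAP configuration
sonar.security.realm=LDAP
sonar.security.savePassword=true
ldap.url=ldap://myserver.mycompany.com
ldap.windows.auth=false
ldap.user.baseDn=ou=Users,dc=mycompany,dc=com
ldap.user.request=(&(objectClass=inetOrgPerson)(uid={login}))
sonar.forceAuthentication=true
ldap.windows.compatibilityMode = true
"""

def parse_properties(text):
    """Parse simple key=value lines (no ':' separators or line continuations)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return (mode, findings); the mode labels are hypothetical names."""
    p = parse_properties(text)
    if p.get("sonar.security.realm") != "LDAP":
        return "not-ldap", []
    legacy = sorted(k for k in p
                    if k == "ldap.url" or k.startswith(("ldap.user.", "ldap.group.")))
    compat = p.get("ldap.windows.compatibilityMode", "").lower() == "true"
    findings = []
    if compat:
        mode = "option-2-compatibility"
        findings.append("compatibility mode is on: Single Sign On is not supported")
    elif legacy:
        mode = "neither-option"
        findings.append("version 1.4 keys without compatibility mode: " + ", ".join(legacy))
    else:
        mode = "option-1-simplified"
    if p.get("ldap.url", "").lower().startswith("ldap://"):
        findings.append("ldap.url uses ldap:// rather than ldaps://")
    if p.get("sonar.forceAuthentication", "").lower() != "true":
        findings.append("sonar.forceAuthentication is not set to true")
    return mode, findings

if __name__ == "__main__":
    mode, findings = audit(SAMPLE)
    print(mode)
    for f in findings:
        print(" -", f)
```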

Getting the plugin

SonarQube LDAP Plugin version 1.5 is available for SonarQube Server from version 5.2 and can be obtained from SonarQube Update Center or directly from the plugin documentation page. For more details, please visit SonarQube LDAP Plugin documentation.
