
Help configuring LDAP via AD

Help configuring LDAP via AD

Jorge Costa
Hi,

Need some help setting authentication to work via Active Directory. Have some settings from IM, looking like this:

OU=Users,OU=City,OU="Company Corporation",DC=companyad,DC=company,DC=com

my sonar configuration looks like this:

sonar.security.realm: LDAP
ldap.url:ldap://server.com:389
ldap.bindDn:OU=Users,OU=City,OU="Company Corporation",DC=companyad,DC=company,DC=com
ldap.group.baseDn:Users,OU=City,OU="Company Corporation",DC=companyad,DC=company,DC=com
ldap.user.baseDn:OU=Users,OU=City,OU="Company Corporation",DC=companyad,DC=company,DC=com
#ldap.bindPassword: secret
#ldap.realm: company
#ldap.authentication: simple

i get the sonar log looking like this:

2012.06.06 23:10:49 INFO  o.s.p.ldap.LdapRealm  LdapContextFactory{url=ldap://server.com:389, authentication=simple, factory=com.sun.jndi.ldap.LdapCtxFactory, bindDn=Users,OU=City,OU="Company Corporation",DC=companyad,DC=company,DC=com, realm=null}
2012.06.06 23:10:49 INFO  o.s.p.ldap.LdapRealm  LdapUserMapping{baseDn=Users,OU=City,OU="Company Corporation",DC=companyad,DC=company,DC=com, objectClass=inetOrgPerson, loginAttribute=uid, realNameAttribute=cn, emailAttribute=mail}
2012.06.06 23:10:49 INFO  o.s.p.ldap.LdapRealm  LdapGroupMapping{Users,OU=City,OU="Company Corporation",DC=companyad,DC=company,DC=com, objectClass=groupOfUniqueNames, idAttribute=cn, memberAttribute=uniqueMember}
2012.06.06 23:10:50 INFO  o.s.p.l.LdapContextFactory  Test LDAP connection: OK
2012.06.06 23:10:50 INFO  org.sonar.INFO  Security realm started

When trying to log in with my user name from Windows I'm not getting anything.

I'm using sonar 3.0.1 with LDAP 1.1.1 plugin.

Is there any way I can debug what is going on? There is no logging to the sonar log when trying to authenticate.

Thanks in advance

Jorge Costa




Best Regards
Jorge Costa

RE: Help configuring LDAP via AD

Paul Willworth
There are some other specific config settings you need to use with AD.

ldap.user.loginAttribute: sAMAccountName
ldap.user.objectClass: user
ldap.group.objectClass: group
ldap.group.memberAttribute: member

Paul Willworth
Build Engineer
Portland General Electric


RE: Help configuring LDAP via AD

Jorge Costa
Tried those with no luck,

I did copy-paste from what you said, so not sure if I need to ask IM for these specific settings?

thanks

JC
Best Regards
Jorge Costa

RE: Help configuring LDAP via AD

Evgeny Mandrikov
Hi,

First of all, I believe that it would be better to ask someone who knows the details of your AD to be able to successfully connect Sonar to it.

For troubleshooting you can try to enable the debug log for the Sonar LDAP Plugin as shown on the plugin page: http://docs.codehaus.org/display/SONAR/LDAP+Plugin#LDAPPlugin-Troubleshooting

--
Best regards,
Evgeny Mandrikov aka Godin <http://godin.net.ru>
http://twitter.com/_godin_

RE: Help configuring LDAP via AD

Jorge Costa
Hi, thanks for your reply,

And again sorry for replying to the other thread. So back to the issue: I'm getting this error message:

2012.06.12 14:51:56 DEBUG o.s.p.l.LdapUsersProvider  Requesting details for user jocs
2012.06.12 14:51:56 DEBUG o.s.p.l.LdapUsersProvider  Requesting details for user jocs
2012.06.12 14:51:56 DEBUG o.s.p.l.LdapSearch  Search: LdapSearch{baseDn=OU=Users,OU=Espoo,OU=xxxxx Corporation,DC=xxxxxad,DC=xxxxx,DC=com, scope=subtree, request=(&(objectClass=user)(sAMAccountName={0})), parameters=[jocs], attributes=[mail, cn]}
2012.06.12 14:51:56 DEBUG o.s.p.l.LdapSearch  Search: LdapSearch{baseDn=OU=Users,OU=Espoo,OU=xxxxx Corporation,DC=xxxxxad,DC=xxxxx,DC=com, scope=subtree, request=(&(objectClass=user)(sAMAccountName={0})), parameters=[jocs], attributes=[mail, cn]}
2012.06.12 14:51:56 DEBUG o.s.p.l.LdapContextFactory  Initializing LDAP context {java.naming.provider.url=ldap://ad-.xxxxxad.xxxxx.com:389, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, com.sun.jndi.ldap.connect.pool=true, java.naming.security.authentication=simple, java.naming.security.sasl.realm=xxxxxad.xxxxx.com, java.naming.referral=follow}
2012.06.12 14:51:56 DEBUG o.s.p.l.LdapContextFactory  Initializing LDAP context {java.naming.provider.url=ldap://ad-.xxxxxad.xxxxx.com:389, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, com.sun.jndi.ldap.connect.pool=true, java.naming.security.authentication=simple, java.naming.security.sasl.realm=xxxxxad.xxxxx.com, java.naming.referral=follow}
2012.06.12 14:51:56 DEBUG o.s.p.l.LdapUsersProvider  [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source) ~[na:1.7.0_04]
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source) ~[na:1.7.0_04]
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source) ~[na:1.7.0_04]
        at com.sun.jndi.ldap.LdapCtx.searchAux(Unknown Source) ~[na:1.7.0_04]
        at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source) ~[na:1.7.0_04]
        at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source) ~[na:1.7.0_04]
        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(Unknown Source) ~[na:1.7.0_04]
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source) ~[na:1.7.0_04]
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source) ~[na:1.7.0_04]
        at javax.naming.directory.InitialDirContext.search(Unknown Source) ~[na:1.7.0_04]
        at org.sonar.plugins.ldap.LdapSearch.find(LdapSearch.java:132) ~[na:na]

I'm just showing this here since I saw that Jenkins was having a similar issue: https://issues.jenkins-ci.org/browse/JENKINS-12619

So not sure if it could be related. If not then please ignore it. I've also sent this log to the guys that manage the AD so hopefully they will get back to me.

Please let me know if there is something obvious with this.

Thanks a lot

My settings

sonar.security.realm: LDAP
ldap.url:ldap://ad-.xxxxxxad.xxxxxx.com:389
ldap.bindDn:OU=Users,OU=xxxxx,OU="xxxxx Corporation",DC=xxxxxxad,DC=xxxxxx,DC=com
ldap.group.baseDn:OU=Users,OU=xxxx,OU=xxxxxx Corporation,DC=xxxxxad,DC=xxxxxx,DC=com
ldap.group.request: (&(objectClass=group)(member={dn}))
ldap.user.baseDn:OU=Users,OU=xxxxx,OU=xxxxxxx Corporation,DC=xxxxxxad,DC=xxxxxx,DC=com
ldap.user.request: (&(objectClass=user)(sAMAccountName={login}))

JC


Best Regards
Jorge Costa

RE: Help configuring LDAP via AD

Evgeny Mandrikov
Hi,

This is a misconfiguration on your side. And from my point of view the error message is pretty clear - "In order to perform this operation a successful bind must be completed on the connection". I.e. your LDAP server doesn't allow searches to be performed anonymously. See configuration options "ldap.bindDn" and "ldap.bindPassword" ( http://docs.codehaus.org/display/SONAR/LDAP+Plugin ).

Hope this will help.

--
Best regards,
Evgeny Mandrikov aka Godin <http://godin.net.ru>
http://twitter.com/_godin_
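
The error string discussed in the reply above can be taken apart mechanically. The following Python is an added example, not part of the original thread or of the Sonar LDAP plugin: it extracts Active Directory's LdapErr fields from sonar.log lines and classifies the failure. The sample log is constructed from the excerpts quoted in this thread; the error-49 line and the "data" sub-code table are general AD knowledge added for illustration, and all function names are hypothetical.

```python
import re

# Constructed sample: lines shortened from the log excerpts quoted in this
# thread, plus one invented error-49 line (last) to show a rejected bind.
SAMPLE_LOG = """\
2012.06.12 14:51:56 DEBUG o.s.p.l.LdapUsersProvider  Requesting details for user jocs
2012.06.12 14:51:56 DEBUG o.s.p.l.LdapUsersProvider  [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1
2012.06.14 18:35:06 INFO  o.s.p.l.LdapContextFactory  Test LDAP connection: FAIL
Caused by: javax.naming.AuthenticationException: DIGEST-MD5
[LDAP: error code 49 - 80090308: LdapErr: DSID-00000000, comment: AcceptSecurityContext error, data 52e, v0000]
"""

AD_ERR = re.compile(
    r"LDAP: error code (?P<result>\d+) - (?P<win32>[0-9A-Fa-f]{8}): "
    r"LdapErr: (?P<dsid>DSID-[0-9A-Fa-f]+), comment: (?P<comment>.*?), "
    r"data (?P<data>[0-9A-Fa-f]+)")
JNDI_AUTH = re.compile(r"javax\.naming\.AuthenticationException: (?P<detail>.+)")

# Sub-codes AD reports in "data" when it rejects a bind (LDAP result 49).
# General AD knowledge, not taken from the thread.
BIND_DATA = {"525": "account not found",
             "52e": "wrong password or bind DN",
             "775": "account locked out"}


def parse_ad_error(line):
    """Return the fields of an AD 'LdapErr' message as a dict, or None."""
    m = AD_ERR.search(line)
    if not m:
        return None
    return {"result": int(m.group("result")),
            "win32": int(m.group("win32"), 16),
            "dsid": m.group("dsid"),
            "comment": m.group("comment"),
            "data": m.group("data").lower()}


def classify(err):
    """Map parsed fields to a (kind, advice) pair."""
    if err["win32"] == 0x4DC:      # Win32 1244, ERROR_NOT_AUTHENTICATED
        return ("search-without-bind",
                "connection is unauthenticated: set ldap.bindDn to an "
                "account DN and set ldap.bindPassword")
    if err["result"] == 49:        # LDAP invalidCredentials
        return ("bind-rejected",
                BIND_DATA.get(err["data"], "data " + err["data"]))
    return ("other", err["comment"])


def triage(log_text):
    """Return (line_number, kind, detail) for every LDAP failure in the log."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        err = parse_ad_error(line)
        if err:
            findings.append((n,) + classify(err))
            continue
        m = JNDI_AUTH.search(line)
        if m:
            findings.append((n, "jndi-auth-failed", m.group("detail").strip()))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

In this thread the startup line "Test LDAP connection: OK" was logged with settings that later produced 000004DC on the first user search, so a passing connection test is not evidence of an authenticated bind.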

RE: Help configuring LDAP via AD

Jorge Costa
Hi Evgeny,

So let's see some facts.

1. Seems to be a problem with the configuration from my side.
2. I don't understand much about LDAP or AD.
3. Our infrastructure team is not providing the information with the haste I want.

So now, I tried a few things and really would appreciate if you could read this and help me with setting up the server.

Using Active Directory Explorer (http://technet.microsoft.com/en-us/sysinternals/bb963907.aspx), I see loads of information without using any login. So it seems that I'm able to use our AD with anonymous binding and read information.

From AD explorer got the following tree:

1. Server: ldap.xxxxx.com
    2. DC=xxxxxad,DC=xxxxx,DC=com
        3.0. CN=Builtin
        3.1. CN=Computers
        ....
        3.n. OU=xxxxx Corporation
               4.0. OU=Albi
               4.1. OU=Lx
               ...
               4.n. OU=MyLocation
                     5.0. OU=Computers
                     5.1. OU=Contacts
                     ...
                     5.n. OU=Users
                           6.0. CN=Costa Jorge
                           ....

Clicking on my name I can see properties like mail, user name, c and all the default values in the properties of the plugins.

So in the configuration for the plugin if setting  1, 2, 3.n, 4.n, 5.n, 6.0 from the tree:
(trying with no group sync, and anonymous bind)

sonar.security.realm: LDAP
ldap.url:ldap://xxxx.xxxx.com:389
ldap.user.baseDn:OU=XXXXX Corporation,OU=MyLocation,OU=Users,DC=xxxxxad,DC=xxxxx,DC=com
ldap.group.request: (&(objectClass=group)(member={dn}))
ldap.user.request: (&(objectClass=user)(sAMAccountName={login}))

I should get this working? Also notice that the plugin was not tested with AD with anonymous. Another question is what is the difference between anonymous and simple, since in this setup both seem to be used.

With this configuration I get the errors above, so no binding.

Hope this helps understanding a bit my scenario. And hopefully you can help me with this one.

Thanks

JC



Best Regards
Jorge Costa

RE: Help configuring LDAP via AD

Evgeny Mandrikov
Hi,

Based on facts I would suggest to forget about integration with LDAP :)

More seriously - let's try the following configuration, assuming that you use plugin version 1.2-SNAPSHOT (which seems to be the case):
  • sonar.security.realm: LDAP
  • ldap.url: ldap://xxxx.xxxx.com:389
  • ldap.authentication: DIGEST-MD5
  • ldap.user.baseDn: DC=xxxxxad,DC=xxxxx,DC=com
  • ldap.user.request: (&(objectClass=user)(sAMAccountName={login}))
  • ldap.group.baseDn: DC=xxxxxad,DC=xxxxx,DC=com
  • ldap.group.request: (&(objectClass=group)(member={dn}))

Anonymous means that LDAP allows records to be retrieved without being authenticated, whereas "simple" is an authentication method. It should be noted that in the case of anonymous access to LDAP, the plugin will perform searches anonymously, but will try to authenticate the user when found.


--
Best regards,
Evgeny Mandrikov aka Godin <http://godin.net.ru>
http://twitter.com/_godin_

RE: Help configuring LDAP via AD

Jorge Costa
Hi,

Sometimes I think the same way, but the LDAP plugin will indeed provide a great way of managing users in our company so definitely worth the time to configure it. And hopefully this will also help others accomplish the same.

But back to your suggestion, I've got:

org.sonar.api.utils.SonarException: When using SASL - property ldap.bindDn is required
        at org.sonar.plugins.ldap.LdapContextFactory.testConnection(LdapContextFactory.java:146) ~[na:na]

So I've added the:
ldap.bindDn: DC=xxxxxad,DC=xxxxx,DC=com

and got:
2012.06.14 18:35:06 INFO  o.s.p.l.LdapContextFactory  Test LDAP connection: FAIL
2012.06.14 18:35:06 INFO  o.s.p.l.LdapContextFactory  Test LDAP connection: FAIL
2012.06.14 18:35:06 ERROR o.s.s.p.Platform  Unable to open LDAP connection
org.sonar.api.utils.SonarException: Unable to open LDAP connection
        at org.sonar.plugins.ldap.LdapContextFactory.testConnection(LdapContextFactory.java:153) ~[na:na]
        at org.sonar.plugins.ldap.LdapRealm.init(LdapRealm.java:73) ~[na:na]
...
Caused by: javax.naming.AuthenticationException: DIGEST-MD5
        at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source) ~[na:1.7.0_04]

Then just in case I tried with all the other auth methods with the same results, except for simple that gave initial LDAP OK. But then when logging in to Sonar I got the same error of the bind needs to be done before the connection.

But thank you for your help, just hope you do have more suggestions for me to try.

JC
Best Regards
Jorge Costa

RE: Help configuring LDAP via AD

Evgeny Mandrikov
Sorry, but I can't help you more. And now I really believe that you should get in touch with an administrator of your LDAP server. 

--
Best regards,
Evgeny Mandrikov aka Godin <http://godin.net.ru>
http://twitter.com/_godin_

RE: Help configuring LDAP via AD

Jorge Costa
OK, no problem, thanks for the help.

I will post the solution in here if they find it.

JC
Best Regards
Jorge Costa

RE: Help configuring LDAP via AD

Jeff

If your configuration is similar to what you originally posted, the bindDN is wrong. It must be set to a user object and the correct bindPassword must be set. What you had originally was the DN of the user container, which typically won't be able to log in.

Start with your own user info and if that works, get your admins to create you a service account to use in production.


RE: Help configuring LDAP via AD

Jorge Costa
Hi Jeff,

Changing the bind user and password to my credentials did the trick. I will proceed in requesting a user name and password from the administrators for the role.

So the final solution was OU=Users,OU=City,OU=Company Corporation,DC=companyad,DC=company,DC=com which is in the opposite order to what AD Explorer presents, just for reference.

Just one final thing, for the groups binding. In AD Explorer the attribute seems to be memberOf. If I use the (&(objectClass=group)(member={memberOf})) I see that those groups are reported in the sonar.log, however after logging in I can't see the groups in Sonar. Is the usage correct?

But this is secondary just for curiosity.

Really appreciate your help. Nice to have finally this sorted.

Jorge Costa
Best Regards
Jorge Costa

RE: Help configuring LDAP via AD

Jeff
Now that I'm back to work, here are our functioning LDAP settings (slightly modified/in case you care):

sonar.security.realm=LDAP
ldap.url=ldap://mycompany.int
ldap.bindDn=CN=SonarSvc,OU=Service Accounts,OU=Corp,DC=mycompany,DC=int
[hidden email]
ldap.user.baseDn=DC=mycompany,DC=int
ldap.user.objectClass=user
ldap.user.loginAttribute=sAMAccountName
ldap.group.baseDn=DC=mycompany,DC=int
ldap.group.objectClass=group
ldap.group.memberAttribute=member

On to your other question, Sonar does not create groups automatically in its database like it does users.  You have to manually create the groups in Sonar that map to groups in LDAP/AD.
 
For example.  If in LDAP/AD you have a group called "CN=Developers,OU=Groups,..." you must manually create a group in SONAR called Developers.  At that point you can assign rights to the "Developer" group in SONAR. 
 
When you log into SONAR with an LDAP user, it will read the specified 'ldap.group.memberAttribute' to see if any of those groups exist in the SONAR database and if so it will apply the SONAR rights you assigned.  If the group doesn't exist in SONAR, it ignores it for that user (at least that's how I understand it).
 
I'm not sure at what point LDAP is queried for the group objects (or why) since reading the 'ldap.group.memberAttribute' values would give SONAR the list of valid LDAP group objects to look for in its local database.

I also know that some of the automatic groups that AD creates (such as 'CN=Domain Users') do not work with the LDAP integration.  I think it has to do with the object class type but I'm not sure.  All I know is that the LDAP query that SONAR performs can't find that group.
 
-Jeff
 
--
Jeff Vincent
[hidden email]
See my LinkedIn profile at:
http://www.linkedin.com/in/rjeffreyvincent
I ♥ DropBox !! 
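
The two replies from Jeff above give the rules that fixed the login: ldap.bindDn must name an account (with ldap.bindPassword set), and AD needs its own object classes and attributes. As an added example, not code from the thread or from the Sonar LDAP plugin, the Python check below applies those rules to the settings from the first post and to a config modelled on the working one. The sample configs are constructed, the function names and finding codes are hypothetical, and the cleartext-bind finding is an addition based on general LDAP behaviour rather than something raised in the thread.

```python
import re

# Constructed sample: the settings from the first post of this thread.
BROKEN = """\
sonar.security.realm: LDAP
ldap.url:ldap://server.com:389
ldap.bindDn:OU=Users,OU=City,OU="Company Corporation",DC=companyad,DC=company,DC=com
ldap.group.baseDn:Users,OU=City,OU="Company Corporation",DC=companyad,DC=company,DC=com
ldap.user.baseDn:OU=Users,OU=City,OU="Company Corporation",DC=companyad,DC=company,DC=com
#ldap.bindPassword: secret
"""

# Constructed sample modelled on the working settings posted above;
# the password is a placeholder.
FIXED = """\
sonar.security.realm=LDAP
ldap.url=ldap://mycompany.int
ldap.bindDn=CN=SonarSvc,OU=Service Accounts,OU=Corp,DC=mycompany,DC=int
ldap.bindPassword=PLACEHOLDER
ldap.user.baseDn=DC=mycompany,DC=int
ldap.user.objectClass=user
ldap.user.loginAttribute=sAMAccountName
ldap.group.baseDn=DC=mycompany,DC=int
ldap.group.objectClass=group
ldap.group.memberAttribute=member
"""

RDN = re.compile(r"([A-Za-z][A-Za-z0-9-]*)\s*=\s*\S")
# Plugin defaults as printed in the startup log quoted in the first post.
GENERIC_USER = {"ldap.user.objectClass": "inetOrgPerson",
                "ldap.user.loginAttribute": "uid"}
GENERIC_GROUP = {"ldap.group.objectClass": "groupOfUniqueNames",
                 "ldap.group.memberAttribute": "uniqueMember"}


def parse_properties(text):
    """Parse 'key: value' / 'key=value' lines, skipping # and ! comments."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"([^:=\s#!]+)\s*[:=]\s*(.*)$", line.strip())
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def split_rdns(dn):
    """Split a DN on commas that are neither quoted nor backslash-escaped."""
    parts, cur, quoted, escaped = [], "", False, False
    for ch in dn:
        if ch == "," and not quoted and not escaped:
            parts.append(cur.strip())
            cur = ""
            continue
        if ch == '"' and not escaped:
            quoted = not quoted
        escaped = (ch == "\\" and not escaped)
        cur += ch
    parts.append(cur.strip())
    return parts


def uses_defaults(props, request_key, defaults):
    """True when no custom filter is set and a mapping key keeps its default."""
    if request_key in props:
        return False
    return any(props.get(k, v) == v for k, v in defaults.items())


def lint(text):
    """Return (code, message) findings for an AD-backed Sonar LDAP config."""
    p, out = parse_properties(text), []
    for key in ("ldap.bindDn", "ldap.user.baseDn", "ldap.group.baseDn"):
        bad = [r for r in split_rdns(p.get(key, "")) if r and not RDN.match(r)]
        if "=" in p.get(key, "") and bad:
            out.append(("malformed-dn", f"{key}: no attr=value in {bad}"))
    bind = p.get("ldap.bindDn", "")
    if not bind:
        out.append(("anonymous-search", "no ldap.bindDn: searches run unauthenticated"))
    else:
        first = RDN.match(split_rdns(bind)[0])
        if first and first.group(1).upper() in ("OU", "DC"):
            out.append(("bind-container", "ldap.bindDn names a container, not an account"))
        if not p.get("ldap.bindPassword"):
            out.append(("bind-password-missing", "ldap.bindDn set without ldap.bindPassword"))
    if uses_defaults(p, "ldap.user.request", GENERIC_USER):
        out.append(("user-mapping-not-ad", "use objectClass=user, loginAttribute=sAMAccountName"))
    if uses_defaults(p, "ldap.group.request", GENERIC_GROUP):
        out.append(("group-mapping-not-ad", "use objectClass=group, memberAttribute=member"))
    if (p.get("ldap.url", "").lower().startswith("ldap://")
            and p.get("ldap.authentication", "simple") == "simple"):
        out.append(("cleartext-bind", "simple bind over ldap:// sends passwords unencrypted"))
    return out
```

Calling lint(BROKEN) reports the container bindDn, the missing password, the group base DN that lost its "OU=" prefix and the non-AD default mappings; lint(FIXED) leaves only the transport warning.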


RE: Help configuring LDAP via AD

Jorge Costa
Hi Jeff and all,

I'm coming back to this since I have another question about groups and security. So I had to remove group synchronization since every time a user logged in, the groups that were set up for that user were removed. So now I'm managing the groups myself using the admin account.

I'm trying with this to get users into the developers tabs, and into the Project Roles (Developers). I've created Developer group and Developers group and added users to those ones but cannot see any of those in the tab (see picture in attachment).

I've seen http://docs.codehaus.org/display/SONAR/Security but there is no mention of this.

Thanks

JC

 
Best Regards
Jorge Costa

RE: Help configuring LDAP via AD

David Racodon-2
Hi,

What are you exactly trying to achieve?
Because this "Developers" tab comes with the Developer Cockpit Plugin.
So, first, do you have a valid license for this plug-in?

Thank you

Regards,

David RACODON | SonarSource
Senior Consultant



On 25 June 2012 14:39, jmecosta <[hidden email]> wrote:
Hi Jeff and all,

I'm coming back to this since I have another question about groups and
security. So I had to remove group synchronization since every time a user
logged in the groups that were set up for that user were removed. So now I'm
managing the groups myself using the admin account.

I'm trying with this to get users into the developers tabs, and into the
Project Roles (Developers). I've created Developer group and Developers
group and added users to those ones but cannot see any of those in the tab
(see picture in attachment).

I've seen http://docs.codehaus.org/display/SONAR/Security but there is no
mention of this.

Thanks

JC http://sonar.15.n6.nabble.com/file/n5000224/nodevelopers.png




RE: Help configuring LDAP via AD

Jorge Costa
Ah,

I forgot I had this plugin installed. So forget the question, and thanks for the quick reply.

BR,

JC

Best Regards
Jorge Costa

RE: Help configuring LDAP via AD

Evgeny Mandrikov
Hi jmecosta,

May I ask you to start a new thread for future questions in order to not mix all problems?

--
Best regards,
Evgeny Mandrikov aka Godin <http://godin.net.ru>
http://twitter.com/_godin_

RE: Help configuring LDAP via AD

Jorge Costa
Yes of course, I just assumed my question was somehow related to the LDAP plugin.

JC
Best Regards
Jorge Costa