I am using sonarqube 8.9.7 version.
I am trying to do authentication using LDAP. we have 2 groups in LDAP one group is admin and another one is normal user.
sonar.security.realm = LDAP
sonar.authenticator.downcase=true
ldap.url=ldap://<IP address>
ldap.bindDn=CN=BInd username ,CN=Users,DC=company name,DC=in
ldap.bindPassword = BindPassword
ldap.authentication=simple
above one is for bind this is working fine.
ldap.user.baseDn=cn=Users,dc=CompanyName,dc=in
ldap.user.request=(&(objectClass=user)(sAMAccountName={login})(|(memberOf=cn=Sonarusers,cn=Users,dc=companyName,dc=in)(memberOf=cn=SonarAdmin,cn=Users,dc=companyName,dc=in)))
ldap.user.realNameAttribute=cn
ldap.user.emailAttribute=mail
User access is also working fine giving access only to those groups.
ldap.group.baseDn=CN=Users,DC=companyName,DC=in
ldap.group.request=(&(objectClass=posixGroup)(member={uid}))
ldap.group.idAttribute=sAMAccountName
This is group access
for this I am not able to configure things.
I have 2 groups in LDAP sonarUsers and sonarAdmin and created same group in Sonarqube and give
permission for sonarAdmin.
please help me to sync the groups.
Thanks in Advance
I found the solution.
the mistake was from filter i was using wrong object class
Related
I've forgotten my password for the apache of biz admin account , I've asked for an email to be sent however I don't know which account is associated with the ofbiz server so I can't view the email which changed the password , does anyone have any tips?
Thanks
if you can access database, you can make the change directly on the UserLogin table.
Otherwise if you have a remote access to the server, you can use the ant or gradle target - depending of your OFBiz revision - to create another admin acount :
gradlew loadAdminUserLogin -PuserLoginId=myadmin
or
ant create-admin-user-login
Also a possible solution in such case is to use the (eg) lmtadmin if you have access to it. This is what I do on the demo when someone screws the main admin pwd
I'm using sonar 5.6 LTS with LDAP plugin 2.1.0.
The basic LDAP configuation is working fine. Sonar can connect to LDAP (in my case active directory). sonar.log:
Test LDAP connection on ldaps://ldap.mycompany:636: OK
My user mapping is
ldap.user.baseDn=OU=Users,OU=Accounts,DC=mycompany
ldap.user.request=(&(objectClass=user)(sAMAccountName={login}))
When I try to login with mycompany\tobi sonar logs:
DEBUG web[o.s.p.l.LdapUsersProvider] Requesting details for user mycompany\tobi
...
DEBUG web[o.s.p.l.LdapUsersProvider] User mycompany\tobi not found in <default>
This makes sense as sAMAccountName contains the value tobi and not mycompany\tobi. But when using just tobi as login, sonarqube does not connect to LDAP for authentication. I just get "Authentication failed" and the log file contains only
DEBUG web[http] POST /sonar/sessions/login | time=235ms
Any ideas why sonarqube does not always use LDAP? Thanks, Tobi
Thanks to Godin, I've finally found the answer:
The root cause is that I had a local account with the same login credentials before using LDAP. When removing users using the web interface, they are not removed permanently from the database. Instead, they are just deactivated.
I connected to the (postgresql) database and in the users table there were still all old local accounts. So I just changed the login column of all deprecated local accounts with
UPDATE users SET login='username_local' WHERE login='username'
As those accounts are deactivated, they cannot be used to login into sonarqube but should not be removed as some other tables might still have references to them.
I'm trying to configure LDAP authentication for teamcity but can't get it to work. I already configured some other services on this server to authenticate using LDAP and had no problems (so it's not fault of the DC).
Following describes my config file:
java.naming.provider.url=ldap://192.168.0.123:389/DC=server,DC=example,DC=com
java.naming.security.principal=ldap-user
java.naming.security.credentials=jE&4i.%$lpDr3#?
java.naming.security.authentication=simple
teamcity.users.login.filter=(&(sAMAccountName=$capturedLogin$)(memberOf=CN=Group1,CN=Users,DC=server,DC=example,DC=com))
teamcity.users.username=sAMAccountName
teamcity.auth.loginFilter=[^/\\\\#]+
teamcity.options.users.synchronize=false
teamcity.options.groups.synchronize=false
When I set authentication to 'none' it works (but I can't restrict access to a specific group). I also tried using the full user name (incl. domain; i.e. DOMAIN\ldap-user) and also tried to use full DN instead, but it didn't change anything.
In log i see that the ldap server returns error code 49, which means that the binding failed. Like mentioned before I already configured other services on this server to authenticate with the same ldap server and the same binding user and had no problems.
Does anybody know how to solve this issue?
Thanks in advance!
This is my configuration and It working fine. The synchronization is allowed so information like email and name there are no available but enable the login with NT Id and Credentials
java.naming.provider.url=ldap://amer.xxxx.com:389/DC=amer,DC=xxxx,DC=com
java.naming.security.principal=CN=SRVAMR-xxx,OU=CMAPPS,OU=Service,OU=Accounts,DC=amer,DC=xxxx,DC=com
java.naming.security.credentials=Pf867955
teamcity.users.login.filter=(&(sAMAccountName=$capturedLogin$)(memberOf=CN=AMR-GENOME-L,OU=GMA,OU=Security,OU=Groups,DC=amer,DC=xxxx,DC=com))teamcity.users.username=sAMAccountName
I Hope help you
The problem is as follows:
- I've got users defined on server A (domain controller),
- I've got SharePoint Farm installation on server B (fresh install)
After installation i have started the Profile Synchronization process, so i've got all the required users in sync. After i created a site i've assigned USER1 as its administrator / owner.
As i understand the USER1 user should have access to:
- site settings / permissions
- site content
Unfortunately i stuck with the situation where user can login on his my-domain\USER1 account, and he can access MOST of the pages. The rest:
example.net/ (http://example.net/default.aspx IS accessible)
example.net/test/ (http://example.net/test/SitePages/Home.aspx IS accessible)
example.net/test/SitePages/
causes re-authentication.
It is really easy to solve by adding users / group defined in PDC to local WSS_WPG group, but i don;t think this is the solution.
I will really appreciate your help !
The problem was in AD configuration.
Domain Users must have Bypass Traverse Checking enabled to avoid that issue.
For more information you can check following links:
http://technet.microsoft.com/en-us/library/cc787794%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/cc739389%28v=ws.10%29.aspx
www.windowsitpro.com/article/performance/how-to-use-the-bypass-traverse-checking-user-right
I setup a little server and have it authenticating with ldap.. is there a way to restrict which ldap user can login via ssh without adding an account to the opensuse box?
1 - Create a group on LDAP using YaST's User and Group Management, for instance "serveradmins".
This will create a entry on your LDAP server under the group OU.
2 - Add the allowed users to this group, also using YaST
3 - On the servers you want to restrict the access, edit the /etc/ldap.conf, making sure the following instructions are present (uncommented), mind changing the DC= parts to your configuration:
pam_groupdn cn=serveradmins,ou=group,dc=example,dc=com
pam_member_attribute member
Let me know if this worked well for you. I have this working on OpenSUSE and Ubuntu machines.