At Microsoft we have been working closely with SonarSource to improve the developer experience when using SonarQube server. An example is the new version (1.5) of the SonarQube LDAP Plugin. This version was developed in close collaboration with SonarSource, with the aim of improving the plugins integration when working with Active Directory. Following are some of the highlights of this release of the plugin.
Simplified Configuration
With this update we have greatly simplified the configuration experience in Microsoft Active Directory environments. Below is a comparison of the configuration required for the LDAP plugin in the sonar.properties file across different versions:
With Version 1.4 |
|
With Version 1.5 |
|
Note that the first version was error-prone as a SonarQube admin was not necessarily familiar with the LDAP protocol. It also raised some security concerns as the admin had to provide some sensitive information – such as the value for {login}.
Support for Single Sign On (SSO)
In Microsoft Active Directory environments, the LDAP plugin now supports Single Sign On (SSO), meaning that a user is automatically signed into the SonarQube server using their Active Directory credentials if the user is already signed into the computer with their domain credentials. The user details like name, email, domain etc. are all automatically obtained from the Active Directory server, as illustrated in the profile page screenshot below.
Note that, by default, SSO uses the NTLM protocol, but it is recommended to use Kerberos negotiation protocol for this. There are some pre-requisites for your computer before using SSO with negotiation enabled, more details can be found in the plugin documentation.
Support for adding Security Groups
In addition, users can now add security groups directly to the SonarQube server and assign permissions to them from SonarQube Servers Global Permission page. Groups can be added using the groupname@domain format.
Add security group from Group page on SonarQube Server
Security Group can be added in the form of groupname@domain
Next time the user logs in his group details are picked up automatically by the plugin
Security groups can be given permissions on SonarQube Server just like regular groups
Upgrading from previous version of LDAP Plugin
If you have an existing setup of LDAP Plugin in an Active Directory environment, you have the following two options when moving to the current version of the LDAP Plugin:
Option 1: Replace configuration and move to the new configuration (Recommended)
- Remove all the configuration you have set up for LDAP plugin in sonar.properties and replace with the new configuration
- Add domain groups in SonarQube server
- Specify global and project permissions for the domain group
- If any user has customizations in their profile, ask them to re-apply them after logging in with their domain credentials
Option 2: Keep using the old configuration and add the following to the sonar.properties file. Do note that functionality will be limited when using compatibility mode and features like Single Sign On are not supported.
# LDAP configuration
sonar.security.realm=LDAP
sonar.forceAuthentication=true
ldap.windows.compatibilityMode = true
Getting the plugin
SonarQube LDAP Plugin version 1.5 is available for SonarQube Server from version 5.2 and can be obtained from SonarQube Update Center or directly from the plugin documentation page. For more details, please visit SonarQube LDAP Plugin documentation.