SonarQube 5.2,LDAP 插件 1.5:com4j.ComException
SonarQube 5.2, LDAP plugin 1.5: com4j.ComException
从 LDAP 1.4 升级后无法登录 AD。在 TRACE 日志中记录了以下错误消息:
DEBUG web[o.s.p.l.w.WindowsUsersProvider] Requesting details for user: xxxxxx
ERROR web[rails] Error from external users provider: exception Java::Com4j::ExecutionException: com4j.ComException: 8007203a Failed to MkParseDisplayName : The server is not operational. : .\com4j.cpp:217
从 sonar.properties 中删除 LDAP 设置没有帮助。降级到 LDAP 1.4 后,一切都恢复正常。我们是否错过了一些配置设置?
Please go through the new changes and try the below mentioned settings.
LDAP 1.5 plugin is using Waffle to support Windows Authentication and SSO on Windows OS.
LDAP in Windows auth mode supports two ways of login from browser:
1.Single sign On
SSO will be performed on hitting any SonarQube url other than /sessions/login .
Only domain users are supported through SSO.
2.Form based login from /sessions/login page
Domain users
Login: <domain\alias> or alias@domain or alias
Password: <domain credentials>
Technical users
Login: <username>
Password: <password>
On logout, users will be presented login page ( /sessions/login),
where he can choose to login as technical user or domain user by
passing appropriate credentials.
For those users who are already using previous version of LDAP plugin to
connect to Microsoft AD and have already defined authorization in terms of those
users and group name use following settings in Windows OS:
# LDAP configuration
sonar.security.realm=LDAP
ldap.windows.compatibilityMode=true
sonar.log.level=DEBUG (For debugging purpose, remove this if you don't see any issue)
ldap.windows.auth=true
-----------------------------------------------------------------------
Default protocol is NTLM which should work for most of the scenarios.
Troubleshooting NTLM
◦Enabling NTLM Logging
http://goo.gl/3LhU6E
If you want to use Kerberos "Negotiate" protocol please use the following steps.
Negotiate Authentication Steps:
For negotiate authentication to work make sure following steps are followed:
1.Browser Configuration
Waffle link: Configuring Browsers (IE/Firefox)
https://goo.gl/vcPnrk
2.Kerberos setup
Make sure that user has privilege for Kerberos delegation
setspn -L username
To add preivileges to the current user run
setspn -S HTTP/machine:port machine
example:
setspn -S HTTP/machine:9000 machine
3.The SonarQube application is running as a service(NT service)
Troubleshooting Resources
1.Useful Kerberos troubleshooting resources
◦Enabling Kerberos Logging
http://support.microsoft.com/kb/262177/en-us
◦Troubleshooting Kerberos Delegation
http://www.microsoft.com/en-us/download/confirmation.aspx?id=4754
修复此问题的 LDAP 插件 1.5.1(LDAP-49 已发布,可从 SonarQube 的更新中心下载。
参考SonarQube LDAP plugin documentation页:
LDAP 1.5.1 – 2015 年 12 月 2 日 – 兼容 SonarQube 5.2+
Active Directory 环境的错误修复
从 LDAP 1.4 升级后无法登录 AD。在 TRACE 日志中记录了以下错误消息:
DEBUG web[o.s.p.l.w.WindowsUsersProvider] Requesting details for user: xxxxxx
ERROR web[rails] Error from external users provider: exception Java::Com4j::ExecutionException: com4j.ComException: 8007203a Failed to MkParseDisplayName : The server is not operational. : .\com4j.cpp:217
从 sonar.properties 中删除 LDAP 设置没有帮助。降级到 LDAP 1.4 后,一切都恢复正常。我们是否错过了一些配置设置?
Please go through the new changes and try the below mentioned settings.
LDAP 1.5 plugin is using Waffle to support Windows Authentication and SSO on Windows OS.
LDAP in Windows auth mode supports two ways of login from browser:
1.Single sign On
SSO will be performed on hitting any SonarQube url other than /sessions/login .
Only domain users are supported through SSO.
2.Form based login from /sessions/login page
Domain users
Login: <domain\alias> or alias@domain or alias
Password: <domain credentials>
Technical users
Login: <username>
Password: <password>
On logout, users will be presented login page ( /sessions/login),
where he can choose to login as technical user or domain user by
passing appropriate credentials.
For those users who are already using previous version of LDAP plugin to
connect to Microsoft AD and have already defined authorization in terms of those
users and group name use following settings in Windows OS:
# LDAP configuration
sonar.security.realm=LDAP
ldap.windows.compatibilityMode=true
sonar.log.level=DEBUG (For debugging purpose, remove this if you don't see any issue)
ldap.windows.auth=true
-----------------------------------------------------------------------
Default protocol is NTLM which should work for most of the scenarios.
Troubleshooting NTLM
◦Enabling NTLM Logging
http://goo.gl/3LhU6E
If you want to use Kerberos "Negotiate" protocol please use the following steps.
Negotiate Authentication Steps:
For negotiate authentication to work make sure following steps are followed:
1.Browser Configuration
Waffle link: Configuring Browsers (IE/Firefox)
https://goo.gl/vcPnrk
2.Kerberos setup
Make sure that user has privilege for Kerberos delegation
setspn -L username
To add preivileges to the current user run
setspn -S HTTP/machine:port machine
example:
setspn -S HTTP/machine:9000 machine
3.The SonarQube application is running as a service(NT service)
Troubleshooting Resources
1.Useful Kerberos troubleshooting resources
◦Enabling Kerberos Logging
http://support.microsoft.com/kb/262177/en-us
◦Troubleshooting Kerberos Delegation
http://www.microsoft.com/en-us/download/confirmation.aspx?id=4754
修复此问题的 LDAP 插件 1.5.1(LDAP-49 已发布,可从 SonarQube 的更新中心下载。
参考SonarQube LDAP plugin documentation页:
LDAP 1.5.1 – 2015 年 12 月 2 日 – 兼容 SonarQube 5.2+ Active Directory 环境的错误修复