SonarQube token access when LDAP is enabled

Just stood up a brand new SonarQube 6.7.1 server and configured it to authenticate users via the LDAP plugin (2.2 build 608). So far so good.

However, when users try to run a command-line scan using Maven with a token:

mvn sonar:sonar -Dsonar.login=438fd33be6d6e5c9146c674717fea4675f0eb

...they get the following error:

Not authorized. Please check the properties sonar.login and sonar.password.

The Sonar logs are showing:

2018.01.19 18:20:14 DEBUG web[AWELLmgpg7dbJTF2AALW][o.s.p.l.LdapUsersProvider] User 438fd33be6d6e5c9146c674717fea4675f0eb not found in <default>
2018.01.19 18:20:14 DEBUG web[AWELLmgpg7dbJTF2AALW][auth.event] login failure [cause|No user details][method|BASIC][provider|REALM|LDAP]

This makes it look like Sonar's LDAP plugin is attempting to look up a user on LDAP whose name would be the access token. Clearly this isn't going to work!

We are using sonar maven plugin version 3.4.0.905.

Edit: The same token works from IntelliJ SonarLint. Which seems to point to the Maven plugin being at fault here.

Nephritis answered 19/1, 2018 at 18:23 Comment(6)
Are you sure that users didn't add the sonar.password parameter with any value? - Subternatural
That's a good guess, but no, the password parameter was empty. - Nephritis
Are you sure you have the correct token value? Maybe a character got dropped off the end? Or were you able to use this token successfully before you enabled LDAP auth? Also, please edit your question to include some version numbers: SQ, LDAP plugin, [anything else relevant-seeming]. - Estrella
I added the version numbers for everything. I double-checked the token value, and it was correct. I also verified that the token works from SonarLint. This is a brand new server so we have no history here... - Nephritis
Please execute mvn help:evaluate -Dexpression="sonar.login" and mvn help:evaluate -Dexpression="sonar.password". Of course, also add all the parameters which you append to mvn sonar:sonar. - Subternatural
@Subternatural - thank you for the suggestion!!! It turns out the password value was not empty, it was admin. It must be a Maven default. - Nephritis

Thanks to @agabrys for the tip.

Running this Maven command:

mvn clean verify help:evaluate -Dexpression="sonar.password" -Dsonar.login=438fd33be6d6e5c9146c674717fea4675f0eb

Returned:

admin

In order to accept the token, the password must be empty. It must be the Maven sonar plugin that is setting this default password!! Setting the default password to empty via this:

mvn clean verify sonar:sonar -Dsonar.password= -Dsonar.login=438fd33be6d6e5c9146c674717fea4675f0eb 

Worked.

Nephritis answered 24/1, 2018 at 16:17 Comment(4)
The mvn clean verify help:evaluate -Dexpression="sonar.password" -Dsonar.login=438fd33be6d6e5c9146c674717fea4675f0eb command doesn't execute sonar-maven-plugin, so the password cannot be set by it. If the pom.xml files don't contain sonar.password then it must be hardcoded in settings.xml. - Subternatural
I realize it is not the help plug-in that is setting the password; it is the Maven sonar plug-in itself that is setting the password. I have not set that password in any file we have here. - Nephritis
The docs for SonarQube (docs.sonarqube.org/display/SONAR/User+Token) say that sonar.password is "optional" - clearly this is a lie. - Cease
Wasted a full day on this, and including -Dsonar.password= (with no password) along with -Dsonar.login=<MY_TOKEN_ID> finally worked! - Camilia
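
The comments above suggest a non-empty sonar.password may come from settings.xml or a pom.xml. The following is an added example, not code from any of the posters or from SonarSource: a small Python check that reports where sonar.login / sonar.password are declared without printing their values. The function names and the sample XML are constructed for illustration, and it only looks at `<properties>` elements (not environment variables or .mvn/maven.config).

```python
import xml.etree.ElementTree as ET

WATCHED = {"sonar.login", "sonar.password"}

def local(tag):
    """Strip the XML namespace so settings.xml and pom.xml parse alike."""
    return tag.rsplit("}", 1)[-1]

def find_sonar_properties(xml_text, source):
    """Return (source, scope, name, is_non_empty) for each watched property.

    The values themselves are never returned, so the report can be shared.
    """
    findings = []

    def walk(node, scope):
        for child in node:
            name = local(child.tag)
            if name == "properties":
                for prop in child:
                    if local(prop.tag) in WATCHED:
                        value = (prop.text or "").strip()
                        findings.append((source, scope, local(prop.tag), bool(value)))
            elif name == "profile":
                pid = next((c.text for c in child if local(c.tag) == "id"), "?")
                walk(child, f"profile:{pid}")
            else:
                walk(child, scope)

    walk(ET.fromstring(xml_text), "top-level")
    return findings

def has_stray_password(findings):
    """True if any scanned file supplies a non-empty sonar.password."""
    return any(name == "sonar.password" and non_empty
               for _, _, name, non_empty in findings)

# Constructed sample: a settings.xml profile with a leftover password.
SAMPLE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <profiles><profile><id>sonar</id>
    <properties><sonar.password>admin</sonar.password></properties>
  </profile></profiles>
</settings>"""

if __name__ == "__main__":
    for finding in find_sonar_properties(SAMPLE_SETTINGS, "settings.xml"):
        print(finding)
```

Run it over the text of ~/.m2/settings.xml, the settings.xml of the Maven installation, and each pom.xml in the build; any finding for sonar.password with a non-empty value is a candidate for the token being treated as an LDAP username.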

If it still refuses to work after adding the empty password option, try adding a space after -D.

Sequin answered 23/2, 2022 at 6:27 Comment(0)