LDAP Sync

Currently configuring a new TeamCity 9.1.1 server to replace a 7.* one.
Having some trouble getting LDAP sync to work properly...

===================================================
ldap-config.properties

java.naming.provider.url=ldap://<fqdn>:389/DC=something,DC=something
java.naming.security.principal=CN=<something>,OU=<something>,OU=<something>,DC=<something>,DC=<something>
java.naming.security.credentials=<currently removed>
teamcity.users.login.filter=(sAMAccountName=$capturedLogin$)
teamcity.users.username=sAMAccountName

# User synchronization is on, synchronize display name and e-mail
teamcity.options.users.synchronize=true
teamcity.users.filter=(objectClass=user)
teamcity.users.property.displayName=displayName
teamcity.users.property.email=mail

# Automatic user creation and deletion of obsolete users during users synchronization
teamcity.options.users.synchronize.createUsers=true
teamcity.options.createUsers=true
teamcity.options.users.synchronize.deleteUsers=true
teamcity.options.deleteUsers=true

# Group synchronization is on
teamcity.options.groups.synchronize=true

# The group search LDAP filter used to retrieve groups to synchronize.
# The result includes all the groups configured in the ldap-mapping.xml file.

teamcity.groups.filter=(objectClass=group)

# The LDAP attribute of a group storing its members.
teamcity.groups.property.member=member

===================================================
ldap-mapping.xml

<mapping>
    <group-mapping teamcityGroupKey="ADMINS" ldapGroupDn="CN=<something>,OU=<something>,OU=<something>,DC=<something>,DC=<something>"/>
    <group-mapping teamcityGroupKey="USERS" ldapGroupDn="CN=<something>,OU=<something>,OU=<something>,DC=<something>,DC=<something>"/>
</mapping>
===================================================

So far it's working fine. Members are imported and added to the right groups in TeamCity.
However, besides that ALL user objects are imported into TeamCity and are even allowed to log in.

How can I make it so that the sync ONLY imports the users in the AD specific groups?

Thanks in advance!

4 comments

Hi Bart,

Was LDAP configured in TeamCity 7? If so, the same settings should work the same way.

So the question is

> How can I make it so that the sync ONLY imports the users in the AD specific groups?

The set of users who can log in to TeamCity is set via the "teamcity.users.login.filter" property.
The set of users TeamCity works with during synchronization is set using the "teamcity.users.filter" property.

You can update the LDAP queries in the properties as mentioned in the comment.

I would not use the "teamcity.options.users.synchronize.*" properties as they were introduced as experimental ones and might not be supported in future TeamCity versions. If you have group synchronization working, removing the property will limit the set of created/deleted users to those within the mapped groups. So just removing the properties might be almost what you need.


Hi Yegor,

No, the v7 is only using local authentication & authorisation.
I'll have a closer look at your info this weekend and let you know the results.

Thanks for the reply!


OK, found it. It took quite some time to get it working properly.

I think there is a fault in the last example on https://confluence.jetbrains.com/display/TCD9/Typical+LDAP+Configurations

Alternatively, you can list several groups:

teamcity.users.filter=(&(objectClass=user)(|(memberOf=CN=GroupOne,OU=myou,DC=company,DC=tld)(memberOf=CN=GroupTwo,OU=myou,DC=company,DC=tld))


Should be:

teamcity.users.filter=(&(objectClass=user)(|(memberOf=CN=GroupOne,OU=myou,DC=company,DC=tld)(memberOf=CN=GroupTwo,OU=myou,DC=company,DC=tld)))

... A missing ) at the end ...


At least that's what solved the problem for me.

This is what worked for me:

java.naming.provider.url=ldap://<fqdn>:389/DC=<something>,DC=<tld> ldap://<backupfqdn>:389/DC=<something>,DC=<tld>
java.naming.security.principal=CN=<ldapqueryaccount>,OU=<something>,OU=<something>,DC=<something>,DC=<tld>
java.naming.security.credentials=<your password>
teamcity.users.login.filter=(sAMAccountName=$capturedLogin$)
teamcity.users.username=sAMAccountName


# User synchronization is on, synchronize display name and e-mail
teamcity.options.users.synchronize=true
teamcity.users.filter=(&(objectClass=user)(|(memberOf=CN=<group1>,OU=<something>,OU=<something>,DC=<something>,DC=<tld>)(memberOf=CN=<group2>,OU=<something>,OU=<something>,DC=<something>,DC=<tld>)))
teamcity.users.property.displayName=displayName
teamcity.users.property.email=mail


# Automatic user creation and deletion of obsolete users during users synchronization
teamcity.options.createUsers=true
teamcity.options.deleteUsers=true


# Group synchronization is on
teamcity.options.groups.synchronize=true


# The group search LDAP filter used to retrieve groups to synchronize.
# The result includes all the groups configured in the ldap-mapping.xml file.

teamcity.groups.filter=(objectClass=group)


# The LDAP attribute of a group storing its members.
teamcity.groups.property.member=member



Mapping file:

<mapping>
<group-mapping teamcityGroupKey="<yourTCgroup1name>" ldapGroupDn="CN=<group1>,OU=<something>,OU=<something>,DC=<something>,DC=<tld>"/>
<group-mapping teamcityGroupKey="<yourTCgroup2name>" ldapGroupDn="CN=<group2>,OU=<something>,OU=<something>,DC=<something>,DC=<tld>"/>
</mapping>

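
Added example, not TeamCity's code and not from anyone in this thread: a small Python checker for the value of teamcity.users.filter (everything after the first "=" in the property line). It parses the RFC 4515 subset used here (&, |, !, attribute=value and attribute=*), reports the unbalanced parentheses in the filter the documentation originally showed, and evaluates filters against a constructed directory snapshot. That shows the two points of the thread side by side: (objectClass=user) would synchronise every account, while the corrected memberOf filter synchronises only members of the two mapped groups. The account names, group DNs and entries are made up; sAMAccountName, memberOf and objectClass are the real Active Directory attribute names used in the thread.

```python
class FilterError(ValueError):
    """Raised when an LDAP filter string is not well-formed."""


# Filters quoted in the thread: the documentation version missing its final ')'
# and the corrected version that closes the outer '&'.
BROKEN_DOC_FILTER = ("(&(objectClass=user)(|(memberOf=CN=GroupOne,OU=myou,DC=company,DC=tld)"
                     "(memberOf=CN=GroupTwo,OU=myou,DC=company,DC=tld))")
FIXED_DOC_FILTER = BROKEN_DOC_FILTER + ")"

# Constructed directory snapshot (not real data): three user accounts and one
# group, with attribute names as Active Directory exposes them.
SAMPLE_ENTRIES = [
    {"objectClass": ["top", "person", "user"], "sAMAccountName": ["alice"],
     "memberOf": ["CN=GroupOne,OU=myou,DC=company,DC=tld"]},
    {"objectClass": ["top", "person", "user"], "sAMAccountName": ["bob"],
     "memberOf": ["CN=GroupTwo,OU=myou,DC=company,DC=tld"]},
    {"objectClass": ["top", "person", "user"], "sAMAccountName": ["carol"],
     "memberOf": []},
    {"objectClass": ["top", "group"], "sAMAccountName": ["GroupOne"]},
]


def parse_filter(text):
    """Parse a complete filter into a tree; raise FilterError on malformed input."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise FilterError(f"unexpected trailing text at offset {pos}: {text[pos:]!r}")
    return node


def _parse(text, pos):
    """Parse one parenthesised filter starting at text[pos]; return (node, next_pos)."""
    if pos >= len(text) or text[pos] != "(":
        raise FilterError(f"expected '(' at offset {pos}")
    pos += 1
    if pos >= len(text):
        raise FilterError("filter ends right after '('")
    op = text[pos]
    if op in "&|":                       # and / or: one or more nested filters
        pos += 1
        children = []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if not children:
            raise FilterError(f"'{op}' at offset {pos - 1} has no operands")
        node = (op, children)
    elif op == "!":                      # not: exactly one nested filter
        child, pos = _parse(text, pos + 1)
        node = ("!", [child])
    else:                                # simple item: attribute=value or attribute=*
        end = text.find(")", pos)
        if end == -1:
            raise FilterError(f"unterminated item starting at offset {pos}")
        attr, sep, value = text[pos:end].partition("=")
        if not sep or not attr:
            raise FilterError(f"item {text[pos:end]!r} is not attribute=value")
        node = ("=", attr.strip(), value)
        pos = end
    if pos >= len(text) or text[pos] != ")":
        raise FilterError(f"missing ')' at offset {pos}: parentheses are unbalanced")
    return node, pos + 1


def _values(entry, attr):
    """Case-insensitive attribute lookup, as LDAP attribute names are."""
    for key, values in entry.items():
        if key.lower() == attr.lower():
            return values
    return []


def matches(node, entry):
    """Evaluate a parsed filter against one entry; values compare case-insensitively."""
    kind = node[0]
    if kind == "&":
        return all(matches(child, entry) for child in node[1])
    if kind == "|":
        return any(matches(child, entry) for child in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = _values(entry, attr)
    if value == "*":                     # presence test
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def search(filter_text, entries=SAMPLE_ENTRIES):
    """Return the sorted sAMAccountNames of the entries the filter matches."""
    node = parse_filter(filter_text)
    return sorted(e["sAMAccountName"][0] for e in entries if matches(node, e))


def filter_problem(filter_text):
    """Return '' if the filter parses, otherwise the parse error message."""
    try:
        parse_filter(filter_text)
    except FilterError as exc:
        return str(exc)
    return ""
```

Call filter_problem() on a candidate filter value before editing ldap-config.properties and confirm it returns an empty string, then run search() over a snapshot of representative accounts and confirm only the intended users come back, since the create/delete options act on exactly the set teamcity.users.filter selects. One caveat of the memberOf approach: that attribute lists direct group membership only, so a user who belongs to a mapped group solely through a nested group will not match the filter.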

Bart,

Thank you for the update and pointing to the error!

I have corrected the expression in the documentation.

