LDAP Sync
Currently configuring a new TeamCity 9.1.1 server to replace a 7.* one.
Having some trouble getting LDAP sync to work properly...
===================================================
ldap-config.properties
java.naming.provider.url=ldap://<fqdn>:389/DC=something,DC=something
java.naming.security.principal=CN=<something>,OU=<something>,OU=<something>,DC=<something>,DC=<something>
java.naming.security.credentials=<currently removed>
teamcity.users.login.filter=(sAMAccountName=$capturedLogin$)
teamcity.users.username=sAMAccountName
# User synchronization is on, synchronize display name and e-mail
teamcity.options.users.synchronize=true
teamcity.users.filter=(objectClass=user)
teamcity.users.property.displayName=displayName
teamcity.users.property.email=mail
# Automatic user creation and deletion of obsolete users during users synchronization
teamcity.options.users.synchronize.createUsers=true
teamcity.options.createUsers=true
teamcity.options.users.synchronize.deleteUsers=true
teamcity.options.deleteUsers=true
# Group synchronization is on
teamcity.options.groups.synchronize=true
# The group search LDAP filter used to retrieve groups to synchronize.
# The result includes all the groups configured in the ldap-mapping.xml file.
teamcity.groups.filter=(objectClass=group)
# The LDAP attribute of a group storing its members.
teamcity.groups.property.member=member
===================================================
ldap-mapping.xml
<mapping>
<group-mapping teamcityGroupKey="ADMINS" ldapGroupDn="CN=<something>,OU=<something>,OU=<something>,DC=<something>,DC=<something>"/>
<group-mapping teamcityGroupKey="USERS" ldapGroupDn="CN=<something>,OU=<something>,OU=<something>,DC=<something>,DC=<something>"/>
</mapping>
===================================================
So far it's working fine. Members are imported and added to the right groups in TeamCity.
However, besides that ALL user objects are imported into TeamCity and are even allowed to log in.
How can I make it so that the sync ONLY imports the users in the specific AD groups?
Thanks in advance!
Hi Bart,
Was LDAP configured in TeamCity 7? If so, the same settings should work the same way.
So the question is
> How can i make it so that the sync ONLY imports the users in the AD specific groups?
The set of users who can login into TeamCity is set via "teamcity.users.login.filter" property.
The set of users TeamCity works with during synchronization is set using "teamcity.users.filter" property.
You can update the LDAP queries in the properties like mentioned in the comment.
I would not use the "teamcity.options.users.synchronize.*" properties as they were introduced as experimental ones and might not be supported in future TeamCity versions. If you have group synchronization working, removing the property will limit the set of created/deleted users to those within the mapped groups. So just removing the properties might be almost what you need.
Hi Yegor,
No, the v7 is only using local authentication & authorisation.
I'll have a closer look at your info this weekend and let you know the results.
Thanks for the reply!
OK, found it. Took quite some time to get it working properly.
I think there is a fault in the last example on https://confluence.jetbrains.com/display/TCD9/Typical+LDAP+Configurations
> Alternatively, you can list several groups:
Should be:
teamcity.users.filter=(&(objectClass=user)(|(memberOf=CN=GroupOne,OU=myou,DC=company,DC=tld)(memberOf=CN=GroupTwo,OU=myou,DC=company,DC=tld)))
... A missing ) at the end ...
At least that's what solved the problem for me.
This is what worked for me:
java.naming.provider.url=ldap://<fqdn>:389/DC=<something>,DC=<tld> ldap://<backupfqdn>:389/DC=<something>,DC=<tld>
java.naming.security.principal=CN=<ldapqueryaccount>,OU=<something>,OU=<something>,DC=<something>,DC=<tld>
java.naming.security.credentials=<your password>
teamcity.users.login.filter=(sAMAccountName=$capturedLogin$)
teamcity.users.username=sAMAccountName
# User synchronization is on, synchronize display name and e-mail
teamcity.options.users.synchronize=true
teamcity.users.filter=(&(objectClass=user)(|(memberOf=CN=<group1>,OU=<something>,OU=<something>,DC=<something>,DC=<tld>)(memberOf=CN=<group2>,OU=<something>,OU=<something>,DC=<something>,DC=<tld>)))
teamcity.users.property.displayName=displayName
teamcity.users.property.email=mail
# Automatic user creation and deletion of obsolete users during users synchronization
teamcity.options.createUsers=true
teamcity.options.deleteUsers=true
# Group synchronization is on
teamcity.options.groups.synchronize=true
# The group search LDAP filter used to retrieve groups to synchronize.
# The result includes all the groups configured in the ldap-mapping.xml file.
teamcity.groups.filter=(objectClass=group)
# The LDAP attribute of a group storing its members.
teamcity.groups.property.member=member
Mapping file:
<mapping>
<group-mapping teamcityGroupKey="<yourTCgroup1name>" ldapGroupDn="CN=<group1>,OU=<something>,OU=<something>,DC=<something>,DC=<tld>"/>
<group-mapping teamcityGroupKey="<yourTCgroup2name>" ldapGroupDn="CN=<group2>,OU=<something>,OU=<something>,DC=<something>,DC=<tld>"/>
</mapping>
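To check a multi-group users filter like the one above before pasting it into ldap-config.properties, here is an added Python example (not from the thread or from TeamCity) that builds teamcity.users.filter from the group DNs in ldap-mapping.xml and verifies that the parentheses balance, which is exactly the defect found in the documentation example. The DNs, the mapping XML and the `BROKEN_FILTER` constant are constructed sample values.

```python
import xml.etree.ElementTree as ET

# Constructed sample ldap-mapping.xml (placeholder DNs, not a real directory).
LDAP_MAPPING_XML = """<mapping>
<group-mapping teamcityGroupKey="ADMINS" ldapGroupDn="CN=GroupOne,OU=myou,DC=company,DC=tld"/>
<group-mapping teamcityGroupKey="USERS" ldapGroupDn="CN=GroupTwo,OU=myou,DC=company,DC=tld"/>
</mapping>"""

# Constructed copy of the documentation filter discussed in the thread: one ')' short.
BROKEN_FILTER = ("(&(objectClass=user)(|(memberOf=CN=GroupOne,OU=myou,DC=company,DC=tld)"
                 "(memberOf=CN=GroupTwo,OU=myou,DC=company,DC=tld))")


def mapped_group_dns(mapping_xml):
    """Return every ldapGroupDn listed in ldap-mapping.xml."""
    root = ET.fromstring(mapping_xml)
    return [g.attrib["ldapGroupDn"] for g in root.findall("group-mapping")]


def escape_filter_value(value):
    """RFC 4515 escaping for an assertion value used inside a filter."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def users_filter_for_groups(dns):
    """Build teamcity.users.filter so only members of the mapped groups sync."""
    clauses = "".join(f"(memberOf={escape_filter_value(dn)})" for dn in dns)
    return f"(&(objectClass=user)(|{clauses}))"


def filter_is_balanced(ldap_filter):
    """True if the filter is one parenthesised group with matching parentheses."""
    depth = 0
    for i, ch in enumerate(ldap_filter):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False          # ')' before any matching '('
            if depth == 0 and i != len(ldap_filter) - 1:
                return False          # text after the outer group closes
    return depth == 0 and ldap_filter.startswith("(")


if __name__ == "__main__":
    generated = users_filter_for_groups(mapped_group_dns(LDAP_MAPPING_XML))
    print("generated:", generated, filter_is_balanced(generated))
    print("docs example balanced:", filter_is_balanced(BROKEN_FILTER))
```

Group DNs containing `(`, `)`, `*` or `\` are escaped per RFC 4515 before being placed in the filter, so the balance check only sees the filter's own parentheses.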
Bart,
Thank you for the update and pointing to the error!
I have corrected the expression in the documentation.