LDAP credentials

Answered

I am very new to TeamCity and LDAP, so any help that you can give will be greatly appreciated.

I am trying to set it up so when a user logs into TeamCity that it will retrieve their email address and display name and populate the entries into their new account in TeamCity.

In the auth-config.xml file, I have:
<auth-modules>
    <auth-module type="LDAP" />
    <auth-module type="NT-Domain">
        <!-- "allowCreatingNewUsersByLogin" property specifies what TeamCity must do when user specifies correct
             NT domain username and password, but does not yet exist in TeamCity (so on first successful login via NT domain).
             "true" (default) means to allow login and create such TeamCity user, while "false" means to deny login for such user. -->
        <property key="allowCreatingNewUsersByLogin">true</property>
        <!-- With "defaultDomain" property specified users can login using just their domain usernames without domain itself. -->
        <property key="defaultDomain">FOO</property>
    </auth-module>
    <auth-module type="Default">
        <property key="freeRegistrationAllowed">true</property>
    </auth-module>
    <auth-module type="HTTP-Basic"/>
</auth-modules>

In the ldap-config.properties file, I have:
java.naming.provider.url=ldap://ad.foo.local:389/CN=TCUsers,OU=Users,OU=FOO,DC=ad,DC=FOO,DC=local
java.naming.security.principal=CN=TCService,OU=Users,OU=FOO,DC=ad,DC=FOO,DC=local
java.naming.security.credentials=<<The password for TCService>>
teamcity.users.property.displayName=displayName
teamcity.users.property.email=mail


The error that I get is:
[2015-02-11 15:54:40,317]  DEBUG -     jetbrains.buildServer.LDAP - Loading LDAP properties (login)
[2015-02-11 15:54:40,317]  DEBUG -     jetbrains.buildServer.LDAP - ------ Starting login sequence for user-entered login: 'first.last' ------
[2015-02-11 15:54:40,317]  DEBUG -     jetbrains.buildServer.LDAP - Constructed filter '(sAMAccountName=first.last)' from teamcity.users.login.filter=(sAMAccountName=first.last)
[2015-02-11 15:54:40,317]  DEBUG -     jetbrains.buildServer.LDAP - Using perSearch connection creation.
[2015-02-11 15:54:40,317]  DEBUG -     jetbrains.buildServer.LDAP - Base environment properties: {java.naming.referral=follow, java.naming.provider.url=ldap://ad.FOO.local:389/CN=TCUsers,OU=Users,OU=FOO,DC=ad,DC=FOO,DC=local, java.naming.security.principal=CN=TCService,OU=Users,OU=FOO,DC=ad,DC=FOO,DC=local}
[2015-02-11 15:54:40,321]   WARN -     jetbrains.buildServer.LDAP - LDAP search operation returned an error while searching for user entry by 'first.last' to perform bind. While initializing LDAP connection. Wrong credentials specified in the LDAP configuration? Check 'java.naming.security.principal' property (current value: 'CN=TCService,OU=Users,OU=FOO,DC=ad,DC=FOO,DC=local', full DN is recommended) and 'java.naming.security.credentials' property. Original error: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v23f0]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v23f0]
[2015-02-11 15:54:40,321]  DEBUG -     jetbrains.buildServer.LDAP - Details: search base: 'CN=users' (set by 'teamcity.users.base' property), search filter: '(sAMAccountName=first.last)' (set by 'teamcity.users.login.filter' property), properties: { teamcity.users.property.displayName: 'displayName', teamcity.users.property.email: 'mail', java.naming.security.credentials: '<<The password for TCService>>', teamcity.users.filter: '(objectClass=user)', teamcity.options.users.synchronize: 'true', teamcity.users.username: 'sAMAccountName', java.naming.provider.url: 'ldap://ad.FOO.local:389/CN=TCUsers,OU=Users,OU=FOO,DC=ad,DC=FOO,DC=local', teamcity.property.distinguishedName: 'distinguishedName', java.naming.security.principal: 'CN=TCService,OU=Users,OU=FOO,DC=ad,DC=FOO,DC=local', teamcity.users.base: 'CN=users', teamcity.groups.base: '', teamcity.users.login.filter: '(sAMAccountName=$capturedLogin$)', teamcity.options.groups.synchronize: 'false'}
jetbrains.buildServer.serverSide.ldap.LdapError: LDAP search operation returned an error while searching for user entry by 'first.last' to perform bind. While initializing LDAP connection. Wrong credentials specified in the LDAP configuration? Check 'java.naming.security.principal' property (current value: 'CN=TCService,OU=Users,OU=FOO,DC=ad,DC=FOO,DC=local', full DN is recommended) and 'java.naming.security.credentials' property. Original error: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v23f0]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error,data 52e, v23f0]


Any help would be great! Thanks.
8 comments

Hi,

Sorry for the delay in replying.
java.naming.provider.url should point to the Domain Component without specific containers, like this:

java.naming.provider.url=ldap://ad.foo.local:389/DC=ad,DC=FOO,DC=local
teamcity.users.base points to organizational units:
teamcity.users.base=OU=Users,OU=FOO

teamcity.users.filter filters specific users. The recommended approach is to leave teamcity.users.base empty and configure filter like this:
teamcity.users.filter=(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=TeamCity Users,OU=Accounts,DC=domain,DC=com))
For more details see the related issue - https://youtrack.jetbrains.com/issue/TW-7800#comment=27-564755.

Also you should enable user synchronization:
teamcity.options.users.synchronize=true

teamcity.users.username=sAMAccountName
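A small checker for the three rules in the reply above (provider URL that stops at the DC= naming context, a teamcity.users.base that is relative to it, and a full DN as the bind principal), written here as an added example; it is not TeamCity's code, and the two sample property sets are constructed from the values quoted in this thread.

```python
"""Check a TeamCity ldap-config.properties against the rules in the reply above:
provider URL ends at the DC= naming context, teamcity.users.base is relative
(no DC= parts) and the bind principal is a full DN. Added example, not
TeamCity's code; the sample text is constructed from values in this thread."""
from urllib.parse import urlsplit

# Constructed sample: the original poster's first configuration.
BROKEN = """\
java.naming.provider.url=ldap://ad.foo.local:389/CN=TCUsers,OU=Users,OU=FOO,DC=ad,DC=FOO,DC=local
java.naming.security.principal=CN=TCService,OU=Users,OU=FOO,DC=ad,DC=FOO,DC=local
java.naming.security.credentials=example-password
teamcity.users.base=CN=users
"""
# Constructed sample: the layout the reply recommends.
FIXED = """\
java.naming.provider.url=ldap://ad.foo.local:389/DC=ad,DC=FOO,DC=local
java.naming.security.principal=CN=TCService,OU=Users,OU=FOO,DC=ad,DC=FOO,DC=local
java.naming.security.credentials=example-password
teamcity.users.base=OU=Users,OU=FOO
"""

def parse_properties(text):
    """Minimal Java .properties reader: 'key=value' lines, '#' comments, no escapes."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")  # split at the first '='; DNs contain '='
            props[key.strip()] = value.strip()
    return props

def rdn_types(dn):
    """Attribute types of a DN, leaf first: 'CN=a,OU=b,DC=c' -> ['CN', 'OU', 'DC']."""
    return [p.split("=", 1)[0].strip().upper() for p in dn.split(",") if p.strip()]

def lint(props):
    """Return a list of problems; an empty list means the three rules hold."""
    problems = []
    url = urlsplit(props.get("java.naming.provider.url", ""))
    if any(t != "DC" for t in rdn_types(url.path.lstrip("/"))):
        problems.append("provider.url: base must contain only DC= components")
    if "DC" in rdn_types(props.get("teamcity.users.base", "")):
        problems.append("users.base: is relative to provider.url, so no DC= components")
    principal = rdn_types(props.get("java.naming.security.principal", ""))
    if not principal or principal[-1] != "DC":
        problems.append("security.principal: give the account's full DN ending in DC= components")
    if not props.get("java.naming.security.credentials"):
        problems.append("security.credentials: empty, so the bind would be anonymous")
    return problems
```

Plain ldap:// on port 389 carries the service account's password to the domain controller unencrypted, so prefer ldaps:// where the controller offers it.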

Thank you for your response.  Here is my current ldap-config.properties file:

-----------------

java.naming.provider.url=ldap://ad.FOO.local:389/DC=ad,DC=FOO,DC=local

# Login using 'sAMAccountName' value.
teamcity.auth.formatDN=FOO\\$login$
#teamcity.users.login.filter=(sAMAccountName=$capturedLogin$)

# LDAP credentials for TeamCity plugin.
java.naming.security.principal=CN=TCService,OU=Users,OU=FOO,DC=ad,DC=FOO,DC=local
java.naming.security.credentials=<<PWD>>

# User synchronization: on, synchronize display name and e-mail.
teamcity.options.users.synchronize=true
#teamcity.users.base=CN=users
#teamcity.users.filter=(objectClass=user)
teamcity.users.base=OU=Users,OU=FOO
teamcity.users.filter=(objectClass=user)
teamcity.users.username=sAMAccountName
teamcity.users.property.displayName=displayName
teamcity.users.property.email=mail

# Group synchronization: disabled.
teamcity.options.groups.synchronize=false


-----------------

Do you see anything that needs to be fixed?  I am still slowly understanding this.

Thank you.

Looks correct. Try running LDAP synchronization; to debug it you can also review the teamcity-ldap.log file.


I don't know, I can't get it to work and I am about to give up.

Attached you will find three files: my ldap-config.properties file, my auth-config.xml file and the teamcity-ldap.log file.  Any more help would be appreciated.  I am pulling out my hair and there wasn't much to begin with.

Thanks.



Attachment(s):
teamcity-ldap.log.zip
auth-config.xml
ldap-config.properties.zip

Could you please try to send a request to the LDAP server using the dsquery tool to check that java.naming.security.principal is configured correctly:
dsquery * -server <domain name> -filter (samaccountname=username)


I didn't use the filter and then searched for the one in question.  I found:

"CN=Team City,OU=Users,OU=CODIS,DC=ad,DC=codis,DC=local"  << The login ID is TCService

I use that ID and its password to log into ADExplorer.exe with no problem.


Now when I put that information into the ldap-config.properties file and try to sync, I get "LDAP Server says: No such object".

Wrong DN or root URL configured? Used root URL: 'ldap://ad.FOO.local:389/DC=ad,DC=FOO,DC=local' (set by 'java.naming.provider.url' property)
Used search base: 'OU=FOO,OU=Users' (set by 'teamcity.users.base' property, should be relative to the value of 'java.naming.provider.url'). Original error: org.springframework.ldap.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100213, problem 2001 (NO_OBJECT), data 0, best match of: 'DC=ad,DC=FOO,DC=local']; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100213, problem 2001 (NO_OBJECT), data 0, best match of: 'DC=ad,DC=FOO,DC=local']; remaining name 'OU=FOO,OU=Users'


When I put in TCService (instead of Team City), I get the other error that I have mentioned above.  Our IT guy has looked things over and just doesn't understand why it isn't working as the DN he gave me is being used for other things.

Thanks.
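A decoder for the two errors quoted in this thread (error 49 with data 52e in the original post, error 32 with remaining name 'OU=FOO,OU=Users' in the comment above), written as an added example rather than TeamCity's code; the sub-code meanings are Active Directory's documented AcceptSecurityContext data values, and the sample lines are constructed, shortened copies of the thread's log output.

```python
"""Decode the "Original error:" text that TeamCity's LDAP plugin logs, for the two
failures quoted in this thread. Added example, not TeamCity's code; the sub-codes
are Active Directory's AcceptSecurityContext data values."""
import re

# AD "data NNN" sub-codes that accompany LDAP error 49 (invalidCredentials).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password, or a DN that matches no account)",
    "532": "password expired",
    "533": "account disabled",
    "775": "account locked out",
}
LDAP_CODES = {"32": "noSuchObject", "49": "invalidCredentials"}
ERR_RE = re.compile(r"LDAP: error code (?P<code>\d+) - ")
DATA_RE = re.compile(r"\bdata (?P<data>[0-9a-f]+)\b")
REMAIN_RE = re.compile(r"remaining name '(?P<name>[^']*)'")

def decode(line):
    """Describe the first LDAP error in a log line, or return None if there is none."""
    m = ERR_RE.search(line)
    if not m:
        return None
    code = m.group("code")
    out = {"code": code, "name": LDAP_CODES.get(code, "unknown")}
    if code == "49":
        # Error 49 while "initializing LDAP connection" is about the configured
        # service account (java.naming.security.principal), not the user logging in.
        d = DATA_RE.search(line)
        out["data"] = d.group("data") if d else ""
        out["detail"] = AD_BIND_SUBCODES.get(out["data"], "unknown sub-code")
    elif code == "32":
        r = REMAIN_RE.search(line)
        name = r.group("name") if r else ""
        rdns = [p.strip() for p in name.split(",") if p.strip()]
        out["remaining_name"] = name
        # A DN lists the leaf first, so 'OU=FOO,OU=Users' means FOO inside Users.
        out["detail"] = ("search base %r is relative to the provider URL; leaf %r sits inside %r"
                         % (name, rdns[0], ",".join(rdns[1:])) if rdns else "no remaining name")
    return out

# Constructed, shortened copies of the two errors quoted in this thread.
SAMPLE_49 = ("Original error: org.springframework.ldap.AuthenticationException: "
             "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: "
             "AcceptSecurityContext error, data 52e, v23f0]")
SAMPLE_32 = ("Original error: org.springframework.ldap.NameNotFoundException: "
             "[LDAP: error code 32 - 0000208D: NameErr: DSID-03100213, problem 2001 "
             "(NO_OBJECT), data 0, best match of: 'DC=ad,DC=FOO,DC=local']; "
             "remaining name 'OU=FOO,OU=Users'")
```

The error-32 detail makes the RDN order explicit, which is worth comparing against the 'OU=Users,OU=FOO' base posted earlier in the thread.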

For the filter, where does the ":1.2.840.113556.1.4.1941" come from?
