LDAP credentials
I am very new to TeamCity and LDAP, so any help that you can give will be greatly appreciated.
I am trying to set it up so when a user logs into TeamCity that it will retrieve their email address and display name and populate the entries into their new account in TeamCity.
In the auth-config.xml file, I have:
<auth-modules>
  <auth-module type="LDAP" />
  <auth-module type="NT-Domain">
    <!-- "allowCreatingNewUsersByLogin" property specifies what TeamCity must do when user specifies correct
         NT domain username and password, but does not yet exist in TeamCity (so on first successful login via NT domain).
         "true" (default) means to allow login and create such TeamCity user, while "false" means to deny login for such user. -->
    <property key="allowCreatingNewUsersByLogin">true</property>
    <!-- With "defaultDomain" property specified users can login using just their domain usernames without domain itself. -->
    <property key="defaultDomain">FOO</property>
  </auth-module>
  <auth-module type="Default">
    <property key="freeRegistrationAllowed">true</property>
  </auth-module>
  <auth-module type="HTTP-Basic"/>
</auth-modules>
In the ldap-config.properties file, I have:
java.naming.provider.url=ldap://ad.foo.local:389/CN=TCUsers,OU=Users,OU=FOO,DC=ad,DC=FOO,DC=local
java.naming.security.principal=CN=TCService,OU=Users,OU=FOO,DC=ad,DC=FOO,DC=local
java.naming.security.credentials=<<The password for TCService>>
teamcity.users.property.displayName=displayName
teamcity.users.property.email=mail
The error that I get is:
[2015-02-11 15:54:40,317] DEBUG - jetbrains.buildServer.LDAP - Loading LDAP properties (login)
[2015-02-11 15:54:40,317] DEBUG - jetbrains.buildServer.LDAP - Constructed filter '(sAMAccountName=first.last)' from teamcity.users.login.filter=(sAMAccountName=first.last)
[2015-02-11 15:54:40,317] DEBUG - jetbrains.buildServer.LDAP - Using perSearch connection creation.
[2015-02-11 15:54:40,317] DEBUG - jetbrains.buildServer.LDAP - Base environment properties: {java.naming.referral=follow, java.naming.provider.url=ldap://ad.FOO.local:389/CN=TCUsers,OU=Users,OU=FOO,DC=ad,DC=FOO,DC=local, java.naming.security.principal=CN=TCService,OU=Users,OU=FOO,DC=ad,DC=FOO,DC=local}
[2015-02-11 15:54:40,321] WARN - jetbrains.buildServer.LDAP - LDAP search operation returned an error while searching for user entry by 'first.last' to perform bind. While initializing LDAP connection. Wrong credentials specified in the LDAP configuration? Check 'java.naming.security.principal' property (current value: 'CN=TCService,OU=Users,OU=FOO,DC=ad,DC=FOO,DC=local', full DN is recommended) and 'java.naming.security.credentials' property. Original error: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v23f0]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v23f0]
[2015-02-11 15:54:40,321] DEBUG - jetbrains.buildServer.LDAP - Details: search base: 'CN=users' (set by 'teamcity.users.base' property), search filter: '(sAMAccountName=first.last)' (set by 'teamcity.users.login.filter' property), properties: { teamcity.users.property.displayName: 'displayName', teamcity.users.property.email: 'mail', java.naming.security.credentials: '<<The password for TCService>>', teamcity.users.filter: '(objectClass=user)', teamcity.options.users.synchronize: 'true', teamcity.users.username: 'sAMAccountName', java.naming.provider.url: 'ldap://ad.FOO.local:389/CN=TCUsers,OU=Users,OU=FOO,DC=ad,DC=FOO,DC=local', teamcity.property.distinguishedName: 'distinguishedName', java.naming.security.principal: 'CN=TCService,OU=Users,OU=FOO,DC=ad,DC=FOO,DC=local', teamcity.users.base: 'CN=users', teamcity.groups.base: '', teamcity.users.login.filter: '(sAMAccountName=$capturedLogin$)', teamcity.options.groups.synchronize: 'false'}
jetbrains.buildServer.serverSide.ldap.LdapError: LDAP search operation returned an error while searching for user entry by 'first.last' to perform bind. While initializing LDAP connection. Wrong credentials specified in the LDAP configuration? Check 'java.naming.security.principal' property (current value: 'CN=TCService,OU=Users,OU=FOO,DC=ad,DC=FOO,DC=local', full DN is recommended) and 'java.naming.security.credentials' property. Original error: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v23f0]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error,data 52e, v23f0]
Any help would be great! Thanks.
Hi,
Sorry for the delay in replying.
java.naming.provider.url should point to the Domain Component without specific containers, like this:
java.naming.provider.url=ldap://ad.foo.local:389/DC=ad,DC=FOO,DC=local
teamcity.users.base=OU=Users,OU=FOO
teamcity.users.filter filters specific users. The recommended approach is to leave teamcity.users.base empty and configure filter like this:
For more details see the related issue - https://youtrack.jetbrains.com/issue/TW-7800#comment=27-564755. Also you should enable user synchronization:
teamcity.users.username=sAMAccountName
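The two rules in the reply above (the provider URL ends in the domain's DC= components only, and teamcity.users.base is a DN relative to that root) can be checked offline before touching the server. The Python script below is an added example, not JetBrains' or TeamCity's code: parse_properties, parse_dn, is_ancestor_or_self and check_ldap_config are names chosen here, and the three sample property texts are constructed from the values quoted in this thread with the password replaced by a placeholder. The ancestor check is a heuristic that assumes the bind account lives under the users base, as it does in this thread.

```python
"""Offline sanity checks for a TeamCity ldap-config.properties file (added example)."""
from urllib.parse import urlparse


def parse_properties(text):
    """Minimal Java .properties reader: '#' comments and key=value lines, no continuations."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def parse_dn(dn):
    """Split 'CN=a,OU=b,DC=c' into [('cn','a'), ('ou','b'), ('dc','c')], leaf first.
    Comparison is case-insensitive, as Active Directory treats DNs. Escaped commas are not handled."""
    parts = []
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if rdn:
            attr, _, value = rdn.partition("=")
            parts.append((attr.strip().lower(), value.strip().lower()))
    return parts


def is_ancestor_or_self(base, dn):
    """True when `base` equals `dn` or is one of its ancestors (a suffix of the leaf-first RDN list)."""
    b, d = parse_dn(base), parse_dn(dn)
    return 0 < len(b) <= len(d) and d[-len(b):] == b


def check_ldap_config(props):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    findings = []
    root_dn = urlparse(props.get("java.naming.provider.url", "")).path.lstrip("/")
    principal = props.get("java.naming.security.principal", "")
    users_base = props.get("teamcity.users.base", "")

    # 1. The URL's base DN should be the domain root: DC= components only.
    if any(attr != "dc" for attr, _ in parse_dn(root_dn)):
        findings.append(f"java.naming.provider.url base '{root_dn}' contains container components; "
                        "keep only the DC= parts and move containers into teamcity.users.base")

    # 2. teamcity.users.base is relative to that root, so it must not repeat DC= parts.
    if any(attr == "dc" for attr, _ in parse_dn(users_base)):
        findings.append(f"teamcity.users.base '{users_base}' repeats DC= components; "
                        "it must be relative to the provider URL")

    # 3. Heuristic (assumes the bind account sits under the users base): the effective search
    #    base must be an ancestor of the bind DN. A reversed RDN order such as 'OU=FOO,OU=Users'
    #    instead of 'OU=Users,OU=FOO' fails here; AD reports it as error code 32 / NO_OBJECT.
    effective_base = ",".join(p for p in (users_base, root_dn) if p)
    if principal and users_base and not is_ancestor_or_self(effective_base, principal):
        findings.append(f"search base '{effective_base}' is not an ancestor of bind DN '{principal}'; "
                        "check the RDN order of teamcity.users.base")

    # 4. The TeamCity warning recommends a full DN for the bind principal.
    if principal and "=" not in principal:
        findings.append("java.naming.security.principal should be a full DN, not a bare account name")
    return findings


# Constructed samples mirroring the configurations quoted in this thread.
FIRST_ATTEMPT = """
java.naming.provider.url=ldap://ad.foo.local:389/CN=TCUsers,OU=Users,OU=FOO,DC=ad,DC=FOO,DC=local
java.naming.security.principal=CN=TCService,OU=Users,OU=FOO,DC=ad,DC=FOO,DC=local
java.naming.security.credentials=placeholder-password
"""
REVERSED_BASE = """
java.naming.provider.url=ldap://ad.foo.local:389/DC=ad,DC=FOO,DC=local
teamcity.users.base=OU=FOO,OU=Users
java.naming.security.principal=CN=TCService,OU=Users,OU=FOO,DC=ad,DC=FOO,DC=local
"""
FIXED = """
java.naming.provider.url=ldap://ad.foo.local:389/DC=ad,DC=FOO,DC=local
teamcity.users.base=OU=Users,OU=FOO
java.naming.security.principal=CN=TCService,OU=Users,OU=FOO,DC=ad,DC=FOO,DC=local
"""

if __name__ == "__main__":
    for name, text in (("first attempt", FIRST_ATTEMPT), ("reversed base", REVERSED_BASE), ("fixed", FIXED)):
        print(name, "->", check_ldap_config(parse_properties(text)) or ["ok"])
```

Run it against your own file with `check_ldap_config(parse_properties(open("ldap-config.properties").read()))`; a passing result only rules out the DN layout mistakes discussed here, not a wrong password or a missing object on the server.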
Thank you for your response. Here is my current properties ldap-config.properties file:
-----------------
java.naming.provider.url=ldap://ad.FOO.local:389/DC=ad,DC=FOO,DC=local
# Login using 'sAMAccountName' value.
teamcity.auth.formatDN=FOO\\$login$
#teamcity.users.login.filter=(sAMAccountName=$capturedLogin$)
# LDAP credentials for TeamCity plugin.
java.naming.security.principal=CN=TCService,OU=Users,OU=FOO,DC=ad,DC=FOO,DC=local
java.naming.security.credentials=<<PWD>>
# User synchronization: on, synchronize display name and e-mail.
teamcity.options.users.synchronize=true
#teamcity.users.base=CN=users
#teamcity.users.filter=(objectClass=user)
teamcity.users.base=OU=Users,OU=FOO
teamcity.users.filter=(objectClass=user)
teamcity.users.username=sAMAccountName
teamcity.users.property.displayName=displayName
teamcity.users.property.email=mail
# Group synchronization: disabled.
teamcity.options.groups.synchronize=false
-----------------
Do you see anything that needs to be fixed? I am still slowly understanding this.
Thank you.
Looks correct. Try to run LDAP synchronization; to debug it you can also review the teamcity-ldap.log file.
I don't know, I can't get it to work and I am about to give up.
Attached you will find three files, my ldap-config.properties file, auth-config.xml file and the teamcity-ldap.log file. Any more help would be appreciated. I am pulling out my hair and there wasn't much to begin with.
Thanks.
Attachment(s):
teamcity-ldap.log.zip
auth-config.xml
ldap-config.properties.zip
Could you please try to send a request to the LDAP server using the dsquery tool to check that java.naming.security.principal is configured correctly:
dsquery * -server <domain name> -filter (samaccountname=username)
I didn't use the filter and then search for the one in question. I found:
"CN=Team City,OU=Users,OU=CODIS,DC=ad,DC=codis,DC=local" << The login ID is TCService
I use that ID and its password to log into ADExplorer.exe with no problem.
Now when I put that information into the ldap-config.properties file and try to sync, I get "LDAP Server says: No such object".
Used search base: 'OU=FOO,OU=Users' (set by 'teamcity.users.base' property, should be relative to the value of 'java.naming.provider.url'). Original error: org.springframework.ldap.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100213, problem 2001 (NO_OBJECT), data 0, best match of: 'DC=ad,DC=FOO,DC=local']; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100213, problem 2001 (NO_OBJECT), data 0, best match of: 'DC=ad,DC=FOO,DC=local']; remaining name 'OU=FOO,OU=Users'
When I put in TCService (instead of Team City), I get the other error that I have mentioned above. Our IT guy has looked things over and just doesn't understand why it isn't working as the DN he gave me is being used for other things.
Thanks.
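The two errors quoted in this thread carry their own diagnosis: result code 49 with Active Directory sub-code 52e means the bind itself was rejected, while result code 32 with a 'remaining name' means the search base assembled from the provider URL and teamcity.users.base does not exist on the server. The sequence in the posts above matches that reading: the dsquery output shows the account's CN ('Team City') is not its login id ('TCService'), and once the dsquery DN is used the bind error is replaced by the base error. The Python helper below is an added example, not part of the thread or of TeamCity: triage and the two lookup tables are names chosen here (the sub-code meanings are Active Directory's standard values), and the sample lines are trimmed copies of the log text quoted in this thread.

```python
"""Pull the LDAP result code and AD bind sub-code out of a TeamCity LDAP log line (added example)."""
import re

# LDAP result codes that appear in this thread, plus one close neighbour.
LDAP_RESULT_CODES = {
    32: "noSuchObject: the search base DN does not exist (check teamcity.users.base and the provider URL)",
    34: "invalidDNSyntax: a DN in the request is malformed",
    49: "invalidCredentials: the bind was rejected (see the AD sub-code for the reason)",
}

# Active Directory sub-codes carried in the 'data NNN' field of an error-49 message.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials: wrong password, or the bind DN does not resolve to the account",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

CODE_RE = re.compile(r"LDAP: error code (\d+)")
DATA_RE = re.compile(r"\bdata ([0-9a-f]+)\b")
REMAINING_RE = re.compile(r"remaining name '([^']*)'")


def triage(line):
    """Describe the first LDAP error in a log line as a dict, or return None if there is none."""
    m = CODE_RE.search(line)
    if not m:
        return None
    code = int(m.group(1))
    result = {"code": code, "meaning": LDAP_RESULT_CODES.get(code, "unknown result code")}
    if code == 49:
        # The AD sub-code is the only part of an error-49 message that says *why* the bind failed.
        d = DATA_RE.search(line)
        sub = d.group(1) if d else None
        result["subcode"] = sub
        result["reason"] = AD_BIND_SUBCODES.get(sub, "unknown AD sub-code")
    elif code == 32:
        # 'remaining name' is the relative part the server could not find under the best match.
        r = REMAINING_RE.search(line)
        result["remaining_name"] = r.group(1) if r else None
    return result


# Sample lines trimmed from the log text quoted in this thread.
BAD_BIND = ("Original error: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - "
            "80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v23f0]")
BAD_BASE = ("[LDAP: error code 32 - 0000208D: NameErr: DSID-03100213, problem 2001 (NO_OBJECT), data 0, "
            "best match of: 'DC=ad,DC=FOO,DC=local']; remaining name 'OU=FOO,OU=Users'")

if __name__ == "__main__":
    for line in (BAD_BIND, BAD_BASE):
        print(triage(line))
```

Feeding every WARN line of teamcity-ldap.log through triage() separates the two failure classes seen here at a glance: sub-code 52e points at java.naming.security.principal and the password, while code 32 with a remaining name points at the DN layout, not the credentials.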
For the filter, where does the ":1.2.840.113556.1.4.1941" come from?
Please see the related ticket https://youtrack.jetbrains.com/issue/TW-7800 and the comment.
For more details see https://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx.