LDAP-AD: Need to access multiple locations for users base

There are three different employee directories that I need to reference for authentication via LDAP.

ou=employees,ou=orga,dc=domain,dc=com
ou=employees,ou=orgb,dc=domain,dc=com
ou=employees,ou=orgc,dc=domain,dc=com

My first thought was to just run from the directory root (so that teamcity.users.base is empty). Unfortunately, the directory is so large that TeamCity throws an error citing too much data. So I need to be more exacting in where I draw my data from.

That got me to consider loading teamcity.users.base with the three locations. Something like

teamcity.users.base="ou=employees,ou=orga ou=employees,ou=orgb ou=employees,ou=orgc"

while keeping java.naming.provider.url to the top level of the directory.

Unfortunately, I can't seem to get this to work. It looks like I can only select a single DN from this variable.

So I think I'm in a catch-22. I can't go from the root due to too large a directory, and if I push down into any one subtree, the other two will be excluded.

Some products such as Jira have the means to create multiple LDAP lookup specs, one for each location you want to get to. It doesn't look like TeamCity has this capability. So I'm looking for ideas.

1 comment

Hi Keith,

The first solution is to configure it to point to the directory root and use filters: teamcity.users.login.filter. See the related issue and doc section.
Another approach is to solve this issue on the Active Directory side. You can create an additional TeamCity Users group in AD and add all your current groups as members of this one. For more details see the related comment.

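Sketching the two suggestions from the answer as an added example (not code from the post or from JetBrains): it builds the root-scoped login filter with RFC 4515 escaping and the nested-group matching rule, and checks that a DN returned by the search lies under one of the three employee OUs. The group DN, the ou=groups container and the attribute names are assumptions.

```python
from typing import Iterable

# The three employee subtrees from the question.
EMPLOYEE_BASES = (
    "ou=employees,ou=orga,dc=domain,dc=com",
    "ou=employees,ou=orgb,dc=domain,dc=com",
    "ou=employees,ou=orgc,dc=domain,dc=com",
)

# Assumed DN of the umbrella "TeamCity Users" group from the second suggestion.
TEAMCITY_USERS_GROUP = "cn=TeamCity Users,ou=groups,dc=domain,dc=com"

# LDAP_MATCHING_RULE_IN_CHAIN: lets memberOf match through nested groups,
# which a group whose members are other groups relies on.
IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so a login cannot alter the filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def login_filter(login: str, group_dn: str = TEAMCITY_USERS_GROUP) -> str:
    """Filter to evaluate from the directory root: only users who are (nested)
    members of the umbrella group, so the search never returns the whole tree."""
    return (
        "(&(objectClass=user)"
        f"(sAMAccountName={escape_filter_value(login)})"
        f"(memberOf:{IN_CHAIN}:={escape_filter_value(group_dn)}))"
    )


def _dn_parts(dn: str) -> list:
    # Lower-case and strip whitespace around commas; handles simple DNs only
    # (no escaped commas), which is all the OUs in the question need.
    return [p.strip().lower() for p in dn.split(",")]


def dn_in_bases(dn: str, bases: Iterable[str] = EMPLOYEE_BASES) -> bool:
    """True if dn sits under one of the permitted employee OUs: a post-search
    check that rejects group members located elsewhere in the directory."""
    parts = _dn_parts(dn)
    for base in bases:
        b = _dn_parts(base)
        if len(parts) > len(b) and parts[-len(b):] == b:
            return True
    return False
```

The string login_filter produces is the shape that goes into teamcity.users.login.filter, with the literal login replaced by TeamCity's login placeholder.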
