Timeout using basic LDAP login for users in a specific LDAP group

Hello,

we are trying to set up the basic LDAP login for users in a specific LDAP group. The AD structure looks like this:

Domain.Company.corp
  - APAC
      o City A
          o Users
      o City B
          o Users
  - EMEA
      o City C
          o Users
      o City D
          o Users
  - Americas
      o City E
          o Users
      o City F
          o Users


The teamcity.users.login.filter group contains users from the different regions. Now we tried to set the base group to the root domain in the following ways:

java.naming.provider.url=ldap://AD-Controller:389

teamcity.users.base=DC=Domain,DC=Company,DC=corp

or

java.naming.provider.url=ldap://AD-Controller:389/DC=Domain,DC=Company,DC=corp

teamcity.users.base=

However, in both cases we run into a connection timeout.

The base group contains around 15k users. The filtered users (the ones that need to log on to TeamCity) number around 100.

Is there a way to increase the timeout using the above setup?

As changes in the current AD structure are not possible, is there another way to load the user base which then gets filtered?

Regards,

Helios

14 comments

Hello,

let me rephrase the question: How can TC be set up to allow access only to users belonging to a specific AD group?
The timeout we are getting is when setting the whole organizational unit as the OU (15k users) and then using the specific group (100 users) to be filtered. This specific group contains only developers from the different regions' Users groups. The tests have been made using TC 7.1.3.

Thanks,
Helios


Hi,

First of all, you can control the timeout for LDAP operations since Java 6: you can define the property com.sun.jndi.ldap.read.timeout (as described in http://docs.oracle.com/javase/tutorial/jndi/newstuff/readtimeout.html) and TeamCity should fetch it.

Next, if you'd like to filter users by group membership, there is a way to include "memberof" in a filter (LDAP server support is required):

filter=(memberof=cn=Developers,ou=Groups,ou=Work)


If there are not so many users matching the filter, you shouldn't run into a timeout.


--
Maxim

Hi,

setting up the filter is working.
The problem we have is that we need to specify the base to be DC=Domain because users are defined in different OUs (APAC, EMEA, Americas).
If we set the base to e.g. OU=EMEA the EMEA users can log on successfully.
It looks like when using the base=DC=Domain the LDAP search doesn't iterate through the different OUs.

The error message is:
nested exception is javax.naming.NameNotFoundException
Most common reason for this error: LDAP server couldn't resolve the path specified in base DN.
Please verify the following properties:
  java.naming.provider.url
  teamcity.users.base
  teamcity.groups.base
and make sure the base DN is relative to the root DN (specified in java.naming.provider.url)

Thanks,
Helios

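Added example, not from this thread and not TeamCity's own code: it puts the two points raised so far into runnable form, the memberof login filter Maxim suggested and the "base DN is relative to the root DN" rule from the error message above. Two things are my assumptions rather than documented plugin internals: that the effective search base is teamcity.users.base joined onto the DN carried in java.naming.provider.url (so giving the full domain DN in both places doubles it), and that the login filter takes the usual sAMAccountName=$login$ shape. The group DN, login names and URL are made up for illustration.

```python
"""Compose the LDAP search a TeamCity-style login would issue and show two
pitfalls: a doubled base DN (NameNotFoundException) and unescaped logins.

Assumptions (mine, not TeamCity's documented behaviour):
  * effective base = teamcity.users.base + "," + root DN from provider URL
  * login filter = (&(objectClass=user)(sAMAccountName=<login>)(memberof=<group>))
"""
from urllib.parse import urlsplit, unquote

# Active Directory matching-rule OID that follows group nesting
# (plain memberof= only matches direct membership).
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# RFC 4515 filter escapes: the only characters that need it.
_FILTER_ESCAPES = {
    "\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value going into an LDAP filter so a login such as
    '*)(objectClass=*' cannot widen the search (filter injection)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def root_dn_from_url(provider_url: str) -> str:
    """Return the DN carried in the path of an ldap:// URL, or '' if none."""
    path = urlsplit(provider_url).path
    return unquote(path.lstrip("/"))


def effective_base(provider_url: str, users_base: str) -> str:
    """Join the (relative) users base onto the URL's root DN.

    Giving DC=Domain,DC=Company,DC=corp in both places yields
    'DC=Domain,...,DC=Domain,...', a DN the server cannot resolve."""
    root = root_dn_from_url(provider_url)
    parts = [p for p in (users_base.strip(), root.strip()) if p]
    return ",".join(parts)


def login_filter(login: str, group_dn: str, nested: bool = False) -> str:
    """Filter that admits only members of group_dn.

    nested=False: memberof= matches direct members only.
    nested=True : the AD chain rule also matches users in groups nested
                  inside group_dn."""
    attr = "memberof"
    if nested:
        attr = f"memberof:{LDAP_MATCHING_RULE_IN_CHAIN}:"
    return (
        "(&(objectClass=user)"
        f"(sAMAccountName={escape_filter_value(login)})"
        f"({attr}={escape_filter_value(group_dn)}))"
    )


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    url = "ldap://AD-Controller:389/DC=Domain,DC=Company,DC=corp"
    group = "CN=Developers,OU=Groups,DC=Domain,DC=Company,DC=corp"
    print(effective_base(url, ""))                               # resolvable
    print(effective_base(url, "DC=Domain,DC=Company,DC=corp"))   # doubled DN
    print(login_filter("j.doe", group))
    print(login_filter("j.doe", group, nested=True))
    print(login_filter("*)(objectClass=*", group))               # injection neutralised
```

Run it as a script to see the doubled base DN next to the correct one, and note that the nested variant is what you want when "Developers" is itself built from per-region groups; a plain memberof= filter would silently deny those users.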

Hi,

What is your "java.naming.provider.url" and what is your "teamcity.users.base"?



--
Maxim


Please refer to the first post for the two ways we tried.


Hi,

So, you set:
java.naming.provider.url=ldap://AD-Controller:389/DC=Domain,DC=Company,DC=corp
teamcity.users.base=

and got a NameNotFoundException?

That seems very strange to me. I guess you wouldn't have got a connection timeout error, as you wrote previously, because LDAP can't do any search with an invalid path.
If that is so, please provide more details: logs with DEBUG, stacktraces (can do it in our issue tracker if you're concerned about privacy).


--
Maxim


Those are the two options we tried. The timeout and current state is the one with the defined teamcity.users.base.


Sorry, I don't understand what the actual problem is now and with what settings.
Please create an issue at http://youtrack.jetbrains.com/ and attach all relevant data.


--
Maxim


Hi,

it looks like the user search is not recursive. Just found this thread discussing exactly the same problem.
http://devnet.jetbrains.com/message/5247399

This issue could be fixed either by having a way to define multiple user base DNs, or by having no base with the search being recursive.
Not sure what the solution for the other thread was.

Thanks,
Helios


Hi,

The search is always recursive. I didn't look at the thread you posted, but we have verified that, and the LDAP plugin is used in many big companies (where recursive search is a must).
If you turn on DEBUG logging, you should see the line like "Performing search in LDAP: ... scope=<value>...". If scope is 2, it means subtree scope.
Do you see it?


--
Maxim


Yes, scope=2 is in the log.


OK. Why do you think it wasn't working?

Setting teamcity.users.base= or teamcity.users.base=DC=Domain,DC=Company,DC=corp doesn't find the user. Only when adding the OU (e.g. EMEA) does it work, but obviously only for users belonging to the EMEA Users group. As shown in the example in the first post, the user groups are defined below the different locations. What do we need to add to the base so that all subdirectories are included in the search for a user? Is there a way to set multiple OUs in the base?

Hi,

I've created an issue in our tracker: http://youtrack.jetbrains.com/issue/TW-28757
Though I am absolutely sure TeamCity requests to find users recursively, there still can be something that we missed.
It would be helpful if you attach your configuration files and logs to the issue.


--
Maxim
