Automatic user creation during tc-ldap synchronization

I have a question about TeamCity and ldap integration.

Is it possible to create users during synchronization with ldap? Let's say I have 100 users in our ldap; they are assigned on OU (organization unit) level. I don't want to ask all 100 developers to log in to TC, I would rather have their accounts created automatically during the first synchronization with ldap.

I was able to configure authorization through ldap, but users are only created if they log in to TC. Logs look like:

[2011-05-30 09:32:55,186]   INFO -     jetbrains.buildServer.LDAP - Sync with LDAP users done
[2011-05-30 09:32:55,186]   INFO -     jetbrains.buildServer.LDAP - Last  syncronization statistics: created users=0, updated users=0, removed  users=0, users in ldap=100, matched users=1, duration=47ms, errors=[]


Right now there is only one user and his account was created by login to teamcity.
My ldap-config.properties:

java.naming.provider.url=ldap://ourdomain.com:1234/dc=ourdomain,dc=com
java.naming.security.principal=xxxxxx
java.naming.security.credentials=yyyyy

teamcity.options.users.synchronize=true
teamcity.options.groups.synchronize=false
teamcity.options.createUsers=true
teamcity.options.deleteUsers=false
teamcity.options.syncTimeout=3600000

teamcity.users.login.filter=(cn=$capturedLogin$)
teamcity.users.base=OU=DEVS
teamcity.users.filter=(objectClass=user)
teamcity.users.username=sAMAccountName


Any advice on how to make that work?

7 comments

> Is it possible to create users during synchronization with ldap ?
Yes, as you can see there are properties for this.

Do you see any errors during the sync? What are the DNs of users that should've been created?
Please turn on debug logging, the log should then contain all necessary information.


---
Maxim

0

Let's say I want a TC account for user 'artur' created during synchronization. The DN of that user is: CN=artur,OU=DEVS,DC=ourdomain,DC=com

This is part of the log; I've removed all but the 'artur' user to make this log shorter.

[2011-05-30 14:03:53,446]   INFO -     jetbrains.buildServer.LDAP - ------ Sync with LDAP users started ------
[2011-05-30 14:03:53,571]  DEBUG -     jetbrains.buildServer.LDAP -  Performing search in LDAP: base='OU=DEVS', filter='(objectClass=user)',  scope=2', attributes=[CN]
[2011-05-30 14:03:54,384]  DEBUG -     jetbrains.buildServer.LDAP - LDAP search result: CN=artur: null:null:{cn=cn: artur}
[...cutted 99 rows with other users....]    

[2011-05-30 14:03:54,509]  DEBUG -     jetbrains.buildServer.LDAP - Fetched users: [

   [user:username=artur,dn='CN=artur,OU=DEVS,DC=ourdomain,DC=com',displayName=null,email=null,customProperties={}]
  [...cutted 99 rows with other users....]    
]
[2011-05-30 14:03:54,524]  DEBUG -     jetbrains.buildServer.LDAP - LDAP synchronization for user 'dch' done
[2011-05-30 14:03:54,649]   INFO -     jetbrains.buildServer.LDAP - Sync with LDAP users done
[2011-05-30 14:03:54,649]   INFO -     jetbrains.buildServer.LDAP - Last  syncronization statistics: created users=0, updated users=0, removed  users=0, users in ldap=100, matched users=1, duration=1203ms,  errors=[]   


There are no errors in the logs; it's probably a wrong configuration of ldap-config.properties on my side.

BTW, user 'dch' was created by logging in to TC.

0

Hi Daniel,

Thanks for the report.
I think I know what the problem is. User creation / deletion is part of group synchronization, not user synchronization. That is, during group synchronization the plugin understands that some of the members should be in TeamCity but don't exist, and at that moment creates them.
To enable group sync you need to:
- set teamcity.options.groups.synchronize=true
- add the entry to the ldap-mapping.xml

Sorry, couldn't spot it earlier.

---
Maxim

0

Thanks for the response, but now I have a problem with group synchronization.

I've created a new group (DEVS) in TC and added to ldap-config.properties

teamcity.options.groups.synchronize=true
teamcity.groups.base=OU=DEVS
teamcity.groups.filter=(objectClass=organizationalUnit)
teamcity.groups.property.member=member


and to ldap-mapping.xml

<mapping>
   <group-mapping teamcityGroupKey="ALL_STS" ldapGroupDn="OU=DEVS,DC=ourdomain,DC=com"/>
</mapping>



This time the logs show:

[2011-05-30 15:15:27,126]   INFO -     jetbrains.buildServer.LDAP - ------ Sync with LDAP groups started ------
[2011-05-30 15:15:27,126]   INFO -     jetbrains.buildServer.LDAP - LDAP groups mapping loaded
[2011-05-30 15:15:27,126]  DEBUG -     jetbrains.buildServer.LDAP -  Performing search in LDAP: base='OU=DEVS',  filter='(objectClass=organizationalUnit)', scope=2', attributes=[member,  mail, sAMAccountName, discomayName, distinguishedName]
[2011-05-30 15:15:27,126]  DEBUG -     jetbrains.buildServer.LDAP - LDAP  search result: : null:null:{distinguishedname=distinguishedName:  OU=DEVS,DC=ourdomain,DC=com}
[2011-05-30 15:15:27,141]  DEBUG -     jetbrains.buildServer.LDAP - Fetched groups: [
   [group:dn='OU=DEVS,DC=ourdomain,DC=com',members=[]]
]
[2011-05-30 15:32:57,050]   INFO -     jetbrains.buildServer.LDAP - Sync with LDAP groups done
[2011-05-30 15:32:57,050]   INFO -     jetbrains.buildServer.LDAP - Last  syncronization statistics: created users=0, updated users=0, removed  users=0, users in ldap=100, matched users=1, duration=63ms, errors=[]



What am I missing? An OU isn't a group per se, but it has 100 users assigned to it and I would like to import all of them to TC.

0
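As an added example (not from this thread or from TeamCity's own code), a small Python checker that reads the debug log format quoted above and names the two symptoms visible in it: LDAP users that were never matched while none were created, and a mapped group entry whose member list came back empty because the DN points at an OU rather than a group. The sample log is constructed from the thread's format; the second group entry and the syntax of a non-empty members list are assumptions.

```python
import re

# Constructed sample modelled on the debug output quoted in this thread.
# The second group entry (a real group with a member) is invented.
SAMPLE_LOG = """\
[2011-05-30 15:15:27,126]   INFO -     jetbrains.buildServer.LDAP - ------ Sync with LDAP groups started ------
[2011-05-30 15:15:27,141]  DEBUG -     jetbrains.buildServer.LDAP - Fetched groups: [
   [group:dn='OU=DEVS,DC=ourdomain,DC=com',members=[]]
   [group:dn='CN=devs,OU=Groups,DC=ourdomain,DC=com',members=[CN=artur,OU=DEVS,DC=ourdomain,DC=com]]
]
[2011-05-30 15:32:57,050]   INFO -     jetbrains.buildServer.LDAP - Last  syncronization statistics: created users=0, updated users=0, removed  users=0, users in ldap=100, matched users=1, duration=63ms, errors=[]
"""

# The statistics line has irregular spacing ("removed  users"), so allow \s+.
STATS_RE = re.compile(
    r"(created\s+users|updated\s+users|removed\s+users|users\s+in\s+ldap|matched\s+users)=(\d+)")
GROUP_RE = re.compile(r"\[group:dn='([^']*)',members=\[(.*)\]\]")


def parse_stats(log: str) -> dict:
    """Return the counters from the last 'statistics:' line, keys normalised to single spaces."""
    stats = {}
    for line in log.splitlines():
        if "statistics:" in line:
            stats = {re.sub(r"\s+", " ", k): int(v) for k, v in STATS_RE.findall(line)}
            m = re.search(r"errors=\[(.*)\]", line)
            stats["errors"] = m.group(1) if m else ""
    return stats


def fetched_groups(log: str) -> list:
    """Return (dn, has_members) for each entry of a 'Fetched groups' block."""
    return [(dn, bool(members.strip())) for dn, members in GROUP_RE.findall(log)]


def diagnose(log: str) -> list:
    """Explain why a sync created nobody, using only what the log itself shows."""
    findings = []
    stats = parse_stats(log)
    unmatched = stats.get("users in ldap", 0) - stats.get("matched users", 0)
    if unmatched > 0 and stats.get("created users", 0) == 0:
        findings.append(f"{unmatched} LDAP users have no TeamCity account and none were created")
    for dn, has_members in fetched_groups(log):
        if not has_members:
            hint = " (an OU is a container, not a group)" if dn.upper().startswith("OU=") else ""
            findings.append(f"mapped group {dn} has no member values{hint}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```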

Daniel,

The OU is not a "group", I think the most relevant name in LDAP terminology for OUs is "division" (but I'm not 100% sure).
A group is an ordinary LDAP entry, which has its own attributes. Sometimes it is located in the same division as users, sometimes in a separate one, e.g. "CN=groups". Usually it has a separate objectClass.
I'm sure LDAP server that you use has the functionality to create the group and assign members to it.

Hope this clarifies the issue a little.

---
Maxim

0

I got this yesterday and I was able to synchronize (create) some users from our ldap group.
At first I was going to import all users from OU=DEVS (they aren't in the same group) and then manually assign them to TC groups, but it looks like the proper approach is to create the necessary groups in ldap and then integrate them with TC.

I have one last question about ldap. We have some developers working in an overseas office. They have a different domain and a different ldap server. While integrating our source control software (svn) with 2 or more ldap servers is simple, I'm not sure if this is possible with TC.

Question - is it possible to synchronize teamcity with two different ldap servers?

0

Unfortunately not, please vote for http://youtrack.jetbrains.net/issue/TW-13465
But there is an interesting workaround described in the issue. The feature was possible in JDK 1.5, but was then interpreted as a bug and thus "fixed" in JDK 6.
Depending on what JDK you use, it might work or might not, but TeamCity doesn't support it explicitly.


---
Maxim

0
