Manual user migration from NTLM to LDAP

Hi,

I recently migrated my Teamcity setup from using built-in authentication to authenticating against our Active Directory using the NTLM authenticator.  This, of course, meant that the existing users became wiped out.  I then started looking to see if it's possible for TC to automatically pull in the user details (email address, real name, etc.) out of AD, and I came across TW-6002 wherein Yegor says "you're better off using LDAP authentication for that than using NTLM."  He also pointed me to TW-1964 regarding the request for a user migration interface, and I also looked at http://devnet.jetbrains.net/thread/275653 regarding a possible manual migration method.

So, what I want to do is change the existing users where USERS.auth_type='NTDomainLoginModule' so that they are going to authenticate against LDAP.  My question is, what should the realm be set to?  I can see that I need to change the auth_type to be 'LDAPLoginModule', and that for the former locally-administered users the realm was NULL, but what should it be for LDAP-authenticated users?  My thought is that the conversion seems to consist of:

  1. Shut down Teamcity
  2. Change TC so that it uses LDAP authentication rather than NTLM.  Make sure that properties in ldap-config.properties are correct.
  3. Update the USERS table as follows:

    update USERS
    set auth_type='LDAPLoginModule',
        realm='?????'
    where auth_type='NTDomainLoginModule';

    commit;

  4. Restart Teamcity.

Also, is there a way to specify that the Subversion username associated with a particular user is their login name in lowercase?

Thanks,
Mark
Is there anything I'm missing?

6 comments

Mark,

I'd recommend trying this process on a test copy of your server first.
E.g. you may need some time fine-tuning LDAP settings, and that can actually affect how the usernames are stored in the database.

So you can set up LDAP the way you want and then just compare the entries in the database for the LDAP users and the ones you have from domain authentication.

"realm" is actually not used (and we need to drop it), but it's safer to set it to whatever you see in the users created from LDAP.

> Also, is there a way to specify that the Subversion username associated with a particular user is their login name in lowercase?

If you have that name stored in LDAP in the form you need it, then this can be done via properties (see the bottom of the default ldap-config.properties file).
Otherwise there is no easy way to do that; please vote for the related request.

0

Thanks for the reply.  I finally had a chance to revisit this and was able to successfully convert a user in a test environment (for those who might look at this in the future, for LDAP authentication the "Realm" field is populated with "LDAP").  I do want to clarify two things regarding the Version Control Username, though.  If the username in e.g. Subversion is the same as the username in Teamcity, do I need to specifically define the "Version Control Username" at all, or will Teamcity automatically match them up?  Second, does Teamcity perform username matching in a case-insensitive manner, or is it case-sensitive?

Thanks very much for your help,
Mark

0

Mark,

> If the username in e.g. Subversion is the same as the username in Teamcity, do I need to specifically define the "Version Control Username" at all, or will Teamcity automatically match them up?

You need to define the VCS username. You might consider voting for TW-9616 in this regard.

> Second, does Teamcity perform username matching in a case-insensitive manner, or is it case-sensitive?

It is case-insensitive AFAIK. Is this what you expect?

0

Case-insensitivity is exactly what I would expect, so thank you!  I believe I have all I need now.

0

Just as a final follow-up: I made this change in TeamCity this morning and it's working well. It was simply a matter of updating the auth_type and realm for the users attached to the NTLM authtype as I said above.  Thanks for the help!

0
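A guarded form of the update discussed in this thread, as an added example that is not code from any participant or from JetBrains: it uses the `LDAP` realm value reported above, refuses to run when a domain-authenticated login already exists as an LDAP user under case-insensitive comparison, and rolls back unless the expected number of rows changed. The in-memory SQLite database stands in for a test copy of the server database; the `username` column name, the `EXAMPLE` realm and the sample rows are assumptions constructed for illustration.

```python
import sqlite3

OLD, NEW, REALM = "NTDomainLoginModule", "LDAPLoginModule", "LDAP"

def collisions(conn):
    """Domain logins that already exist as LDAP users, ignoring case."""
    rows = conn.execute(
        "SELECT n.username FROM USERS n JOIN USERS l"
        " ON LOWER(n.username) = LOWER(l.username)"
        " WHERE n.auth_type = ? AND l.auth_type = ? ORDER BY n.username",
        (OLD, NEW)).fetchall()
    return [r[0] for r in rows]

def migrate(conn):
    """Move every domain user to LDAP in one transaction; return rows changed."""
    clash = collisions(conn)
    if clash:
        raise ValueError(f"duplicate logins, resolve first: {clash}")
    expected = conn.execute(
        "SELECT COUNT(*) FROM USERS WHERE auth_type = ?", (OLD,)).fetchone()[0]
    try:
        cur = conn.execute(
            "UPDATE USERS SET auth_type = ?, realm = ? WHERE auth_type = ?",
            (NEW, REALM, OLD))
        if cur.rowcount != expected:
            raise RuntimeError(f"expected {expected} rows, got {cur.rowcount}")
        conn.commit()
    except Exception:
        conn.rollback()  # leave the table exactly as it was
        raise
    return expected

def sample_db(rows):
    """Constructed stand-in for a test copy of the server database."""
    conn = sqlite3.connect(":memory:")
    # Assumed layout: only auth_type and realm are named in the thread.
    conn.execute("CREATE TABLE USERS (username TEXT, auth_type TEXT, realm TEXT)")
    conn.executemany("INSERT INTO USERS VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn

if __name__ == "__main__":
    db = sample_db([("Mark", OLD, "EXAMPLE"), ("alice", OLD, "EXAMPLE"),
                    ("ref.user", NEW, REALM)])  # constructed rows
    print("migrated:", migrate(db))
    print(db.execute("SELECT username, auth_type, realm FROM USERS").fetchall())
```
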

Mark,

Thank you for the follow ups!

0
