Trying to get LDAP in TC4.5 (8909) setup

Just installed the 8909 (we have an enterprise license) release and decided that I'd try to switch us over to using LDAP.
What I've done so far (following the LDAP Integration instructions):
1. Downloaded the ldap-login.jar for 4.5 and copied it over the existing one.
2. Updated the main-config.xml to use <login-module class="jetbrains.buildServer.serverSide.impl.auth.LDAPLoginModule" />
3. Copied the ldap-config.properties.dist to ldap-config.properties
4. Uncommented the following lines and added our ldap server name

java.naming.provider.url=ldap://xxxxx.idtdna.com:389/CN=Users,DC=IDTDNA,DC=Com
java.naming.security.authentication=simple
java.naming.referral=follow


I figured at this point I should at least be able to login to TC. So I restarted the server.
I was prompted to login and set up an admin. So I entered my username and password and received an error saying that the login failed because the username and password were incorrect.

So my question is what am I missing at this point?

17 comments

Hi!

First, it seems we did not update the download page properly: 8909 build does not need a separate download of ldap-plugin.jar (we just forgot to remove the note that concerned previous EAP release) - sorry for that.

So, you will need to restore the ldap-login.jar from 8909 build.

Does logs\teamcity-server.log contain any relevant information about the failure?

Also, you can enable debug logging for LDAP functionality by uncommenting relevant parts of conf\teamcity-server-log4j.xml (appender and category); logs\teamcity-ldap.log will then get relevant information that you can either try to interpret yourself or send to us.

In the described case, you will probably need to perform login using your full name, like "IDTDNA\username".

This can be achieved either by setting
teamcity.auth.formatDN=IDTDNA\\$login$
in ldap-config.properties and using "username" in TeamCity login form, or
allow any login name by setting:
teamcity.auth.loginFilter=.*
and using "IDTDNA\username" in TeamCity login form.
In the latter case if you want to use LDAP synchronization you will also need to use "teamcity.users.login.capture" property to save appropriate username in TeamCity.

0

Restored ldap-login.jar
Added teamcity.auth.formatDN=IDTDNA\\$login$
Rechecked with the network admin; he says that the URL is wrong and that it should be LDAP://xxxxx.idtdna.com:389/CN=User Accounts,DC=IDTDNA,DC=COM
But the space in "User Accounts" will cause an exception (from the ldap.log)
javax.naming.NamingException: Cannot parse url: Accounts,DC=IDTDNA,DC=COM [Root exception is java.net.MalformedURLException: Invalid URI: Accounts,DC=IDTDNA,DC=COM]

0

Try to use ldap://xxxxx.idtdna.com:389/CN=User%20Accounts,DC=IDTDNA,DC=COM

Also, you can try to use
java.naming.provider.url=ldap://xxxxx.idtdna.com:389/DC=IDTDNA,DC=COM
and if you need users synchronization, set
teamcity.users.base=CN=Program Data

0

ldap://xxxxx.idtdna.com:389/CN=User%20Accounts,DC=IDTDNA,DC=COM
Worked perfectly.

Now I'm trying to get syncing up and working.
So far it's not going well. Here is the snippet from the log.

------ Sync with LDAP users started ------
[2009-04-23 11:36:55,664]  DEBUG - er.serverSide.ldap.LdapManager - Searching users in 'CN=User Accounts,DC=idtdna,DC=com' DN with filter'(objectClass=user)'
[2009-04-23 11:36:55,664]  DEBUG - er.serverSide.ldap.LdapManager - Fetched users: empty
[2009-04-23 11:36:55,664]   INFO - er.serverSide.ldap.LdapManager - Sync with LDAP users done
[2009-04-23 11:36:55,664]   INFO - er.serverSide.ldap.LdapManager - Sync with LDAP groups started...
[2009-04-23 11:36:55,664]  DEBUG - er.serverSide.ldap.LdapManager - Searching groups in 'OU=Miscellaneous Accounts' DN with '(objectClass=group)' filter
[2009-04-23 11:36:55,664]  DEBUG - er.serverSide.ldap.LdapManager - Fetched groups: empty
[2009-04-23 11:36:55,664]   WARN - er.serverSide.ldap.LdapManager - Error during groups synchronization: Cannot find LDAP group 'CN=Developers,DC=IDTDNA,DC=Com' corresponding to TeamCity user group All Users {group id=ALL_USERS_GROUP}.
[2009-04-23 11:36:55,664]   INFO - er.serverSide.ldap.LdapManager - Sync with LDAP groups done



0

Hi,

Please make sure you have specified the filter correctly, and the principal has permissions to read the entries from LDAP.
Do you have the same result when browsing LDAP with other tools (e.g. http://www.jxplorer.org/)?

Thanks.

0

The principal has permission to read the ldap.


This looks to be a problem with how ldap is searched.
ldap:
User Accounts
  Coralville
    IS
      Application Development
      Objects Infrastructure
      Reporting

I need to include users in Application Development and Objects Infrastructure that are in a given group.
So I have:

teamcity.users.base=OU=IS,OU=Coralville,OU=User Accounts,DC=idtdna,DC=com

teamcity.users.filter=(&(objectCategory=Person)(memberOf:1.2.840.113556.1.4.1941:=CN=SG_Development,OU=Security Groups,OU=Exchange,OU=Groups,DC=idtdna,DC=com))

Unfortunately this will only look at the ou=IS level and will not drop into the branches.
How do I get TC to search the branches? Or how do I get the filter to include the sub tree?



 

0

> The principal has permission to read the ldap.
OK, just checking.


> teamcity.users.base=OU=IS,OU=Coralville,OU=User Accounts,DC=idtdna,DC=com
> teamcity.users.filter=(&(objectCategory=Person)(memberOf:1.2.840.113556.1.4.1941:=CN=SG_Development,OU=Security Groups,OU=Exchange,OU=Groups,DC=idtdna,DC=com))

> Unfortunately this will only look at the ou=IS level and will not drop into the branches.
> How do I get TC to search the branches? Or how do I get the filter to include the sub tree?
The search is always performed with a subtree scope, so the problem should be somewhere else.


Could you please try teamcity.users.base with 'OU=Application Development' and 'OU=Objects Infrastructure' and tell me if the search succeeded?
All properties seem to be set right and it's hard to say what's wrong without additional digging. What LDAP server do you use? Are there referral entries in LDAP tree?
0

Using 'OU=Application Development' and 'OU=Objects Infrastructure' did not work either.
I tried to use a simplified search so that I could then start building up the complexity until I could find where it breaks.
But even a simple setting like the one below is failing:
teamcity.users.base=OU=Application Development,OU=IS,OU=Coralville,OU=User Accounts,DC=idtdna,DC=com
teamcity.users.filter=(objectClass=user)


[2009-04-29 08:51:52,709]   INFO -     jetbrains.buildServer.LDAP - ------ Sync with LDAP users started ------
[2009-04-29 08:51:52,709]  DEBUG -     jetbrains.buildServer.LDAP - Searching users in 'OU=Application Development,OU=IS,OU=Coralville,OU=User Accounts,DC=idtdna,DC=com' DN with filter='(objectClass=user)'
[2009-04-29 08:51:52,709]  DEBUG -     jetbrains.buildServer.LDAP - Fetched users: empty
[2009-04-29 08:51:52,709]   INFO -     jetbrains.buildServer.LDAP - Sync with LDAP users done


I can do this search with the principal listed in the config and get the correct entries back using the free ldap browser here: http://www.ldapbrowser.com/

Ldap server: Windows 2000 Active Directory
No referral entries.


0

Any more ideas on this issue?

Eric

0

Eric,

Sorry, so far I couldn't reproduce the problem and don't have any idea what can cause it.
I'll let you know when I have anything.

Maxim

0

Eric,

Please note that 'teamcity.groups.base' should be relative to already supplied 'java.naming.provider.url'.
That is if you have
java.naming.provider.url=ldap://xxxxx.idtdna.com:389/CN=User%20Accounts,DC=IDTDNA,DC=COM

You should probably use
teamcity.users.base=OU=Application Development,OU=IS,OU=Coralville

Is this the case?

Could you please provide your full "ldap-config.properties" file?

0

I've tried that as well as a number of other combinations.
Attached is the file and a pic of the ldap section in question.

I ultimately want to retrieve users based on a given security group.
I can get the following search to work in ldap browsers, and this is what I would like to use:
     SearchDN: OU=User Accounts,DC=idtdna,DC=com
     Filter: (&(objectCategory=Person)(memberOf:1.2.840.113556.1.4.1941:=CN=SG_Development,OU=Security Groups,OU=Exchange,OU=Groups,DC=idtdna,DC=com))
     SearchScope: sub-tree level



Attachment(s):
ldap.bmp
ldap-config.properties
0

Eric,

Have you tried the settings as below?
java.naming.provider.url=LDAP://CODC01.idtdna.com:389/OU=User%20Accounts,DC=IDTDNA,DC=COM
teamcity.users.base=OU=Application Development,OU=IS,OU=Coralville

(note OU for User%20Accounts and changed order of the users.base).

Can you please provide the logs for this configuration?

We have created an issue to address this problem: http://www.jetbrains.net/tracker/issue2/TW-8246
Please watch it to be notified on updates. Let's continue to gather information on the issue there.

0
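As an added example (not from the thread and not TeamCity's own code), a small Python checker for the three configuration pitfalls this thread turned up: an unencoded space in java.naming.provider.url, a teamcity.users.base that repeats the DN already carried in the URL instead of being relative to it, and CN versus OU in the URL's own DN. The property names are TeamCity's; SAMPLE and REAL_CONTAINER are constructed from the values posted above and are assumptions.

```python
from urllib.parse import unquote, urlsplit

# Constructed sample: the OU-form provider URL suggested in the thread,
# but with teamcity.users.base still written as an absolute DN.
SAMPLE = """
java.naming.provider.url=LDAP://CODC01.idtdna.com:389/OU=User%20Accounts,DC=IDTDNA,DC=COM
teamcity.users.base=OU=Application Development,OU=IS,OU=Coralville,OU=User Accounts,DC=idtdna,DC=com
"""
# The container as the LDAP browser displayed it (assumed, taken from the thread).
REAL_CONTAINER = "OU=User Accounts,DC=idtdna,DC=com"

def parse_properties(text):
    """Minimal .properties reader: key=value lines, '#'/'!' comments skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def rdns(dn):
    """Split a DN into (attr, value) pairs, lower-cased so AD's mixed case compares equal."""
    out = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        out.append((attr.strip().lower(), value.strip().lower()))
    return out

def check_config(props, real_container):
    """Return the list of pitfalls found; an empty list means all three are avoided."""
    problems = []
    url = props.get("java.naming.provider.url", "")
    if " " in url:
        # JNDI fails here with MalformedURLException, so nothing else can be checked.
        return ["provider.url has an unencoded space: use %20"]
    url_dn = unquote(urlsplit(url).path.lstrip("/"))
    url_rdns = rdns(url_dn)
    if url_rdns != rdns(real_container):
        problems.append(f"provider.url DN '{url_dn}' differs from real container "
                        f"'{real_container}' (check CN vs OU)")
    base = props.get("teamcity.users.base", "")
    base_rdns = rdns(base)
    # Base must be relative to the URL's DN: flag a base that ends with that DN.
    if len(base_rdns) > len(url_rdns) and base_rdns[-len(url_rdns):] == url_rdns:
        relative = ",".join(base.split(",")[:-len(url_rdns)])
        problems.append(f"users.base repeats the URL DN; use relative base '{relative}'")
    return problems
```

Running check_config(parse_properties(SAMPLE), REAL_CONTAINER) reports only the absolute users.base and suggests the relative form used later in the thread.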

Yes, I had tried that.
Here is the log for those settings:

[2009-05-19 12:55:31,821]   INFO -     jetbrains.buildServer.LDAP - Reloading LDAP properties
[2009-05-19 12:55:31,821]  DEBUG -     jetbrains.buildServer.LDAP - Base environment properties: {java.naming.security.authentication=simple, java.naming.provider.url=LDAP://CODC01.idtdna.com:389/CN=User%20Accounts,DC=IDTDNA,DC=COM, java.naming.security.principal=xxxxxxxx@idtdna.com, java.naming.referral=follow}
[2009-05-19 12:55:31,821]  DEBUG -     jetbrains.buildServer.LDAP - Custom properties: {}
[2009-05-19 12:55:31,821]   INFO -     jetbrains.buildServer.LDAP - LDAP properties loaded
[2009-05-19 12:55:31,821]   INFO -     jetbrains.buildServer.LDAP - ------ Sync with LDAP users started ------
[2009-05-19 12:55:31,821]  DEBUG -     jetbrains.buildServer.LDAP - Searching users in 'OU=Application Development,OU=IS,OU=Coralville' DN with filter='(objectClass=user)'
[2009-05-19 12:55:31,821]  DEBUG -     jetbrains.buildServer.LDAP - Fetched users: empty
[2009-05-19 12:55:31,821]   INFO -     jetbrains.buildServer.LDAP - Sync with LDAP users done
[2009-05-19 12:55:31,821]   INFO -     jetbrains.buildServer.LDAP - ------ Sync with LDAP groups started ------
[2009-05-19 12:55:31,821]   INFO -     jetbrains.buildServer.LDAP - LDAP groups mapping loaded
[2009-05-19 12:55:31,821]  DEBUG -     jetbrains.buildServer.LDAP - Searching groups in 'OU=Security Groups,OU=Exchange,OU=Groups,DC=idtdna,DC=com' DN with '(objectClass=group)' filter
[2009-05-19 12:55:31,837]  DEBUG -     jetbrains.buildServer.LDAP - Fetched groups: empty
[2009-05-19 12:55:31,837]   WARN -     jetbrains.buildServer.LDAP - Error during groups synchronization: Cannot find LDAP group 'CN=SG_Development,DC=IDTDNA,DC=Com' corresponding to TeamCity user group Developers {key=DEVELOPERS}.
[2009-05-19 12:55:31,837]   INFO -     jetbrains.buildServer.LDAP - Sync with LDAP groups done
[2009-05-19 12:55:31,837]   INFO -     jetbrains.buildServer.LDAP - Last syncronization statistics: created users=0, updated users=0, removed users=0, users in ldap=0, matched users=0, duration=16ms, errors=[Error during groups synchronization: Cannot find LDAP group 'CN=SG_Development,DC=IDTDNA,DC=Com' corresponding to TeamCity user group Developers {key=DEVELOPERS}.]



0

Eric,

I assume the result is the same if you change CN=User%20Accounts to OU=User%20Accounts in java.naming.provider.url ?


0

Despite the fact that you pointed out the difference, I did not make the change.
Once I did, everything worked.

Thank you for your help and patience
Eric

0

Great!
Hope you'll enjoy LDAP integration :)

0
