LDAP configuration

Hi. I've read all the documentation and tried a whole bunch of configuration permutations prior to coming here, so bear with me.

Can someone please help me figure out LDAP settings for TeamCity?

We have Windows 2008 AD servers; I am running TeamCity 8.1.5 on Windows Server 2008 R2 (64-bit).

Here is my AD structure:

mycompany.com
      OU=Our Security Groups
           OU=ALM
                Group=CI_Users            This group has all the users I want to sync with TeamCity as users
                Group=CI_Admins         This group has all the users I want to sync with TeamCity as admins
 

I want to synchronize all the users in the CI_Users group. The actual locations of those users are all over the map in our domain (don't ask; I didn't set it up and I can't change it, although I do have full rein over the ALM OU).

Here is what I've tried for configuration (that seemed to make the most progress):

java.naming.provider.url=ldap://server.mycompany.com:389/OU=ALM,OU='Our Security Groups',DC=mycompany,DC=com

java.naming.security.principal=userwithrightstobrowseAD
java.naming.security.credentials=password
java.naming.security.authentication=simple
java.naming.referral=follow

# Synchronize both users and groups. Remove obsolete TeamCity users, but don't create new ones automatically.
teamcity.options.users.synchronize=true
teamcity.options.groups.synchronize=false
teamcity.options.createUsers=false
teamcity.options.deleteUsers=true
teamcity.options.syncTimeout=3600000

# Search users from the root: 'DC=example,DC=com'.
teamcity.users.base=CN=CI_Users
teamcity.users.filter=(objectClass=user)
teamcity.users.username=sAMAccountName
teamcity.users.login.filter=(sAMAccountName=$capturedLogin$)

# Search groups from 'CN=groups,DC=example,DC=com'.
#teamcity.groups.base=OU=ALM
#teamcity.groups.filter=(objectClass=group)
#teamcity.groups.property.member=member


I get this error when I configure it this way:
Fatal error while LDAP users synchronization: Operations error (Uncategorized exception occured during LDAP processing; nested exception is javax.naming.NamingException: [LDAP: error code 1 - 000020D6: SvcErr: DSID-031007DB, problem 5012 (DIR_ERROR), data 0 ]; remaining name 'CN=CI_Users')

org.springframework.ldap.UncategorizedLdapException: Uncategorized exception occured during LDAP processing; nested exception is javax.naming.NamingException: [LDAP: error code 1 - 000020D6: SvcErr: DSID-031007DB, problem 5012 (DIR_ERROR), data 0 ]; remaining name 'CN=CI_Users'


I've tried a lot of different tweaks but none seem to work. But I know LDAP works, because if I don't specify a specific OU and use just the base (mycompany.com), it synchronizes that whole dang AD tree (and takes like 45 minutes).

I'm SURE someone has AD set up like this and synced with TeamCity. Can someone help me out?

3 comments

Hi Owen,

java.naming.provider.url points to the Domain Component without specific containers:

java.naming.provider.url=ldap://server.mycompany.com:389/DC=mycompany,DC=com

teamcity.users.base points to organizational units:
teamcity.users.base=OU=ALM,OU=Our Security Groups

with no quotes.

teamcity.users.filter filters specific users.


The recommended approach is to leave teamcity.users.base empty (or comment it) and configure filter like this:
teamcity.users.filter=(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=TeamCity Users,OU=Accounts,DC=domain,DC=com))
For more details please see the related issue - https://youtrack.jetbrains.com/issue/TW-7800#comment=27-564755.
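As an added example (not TeamCity's code and not from the reply above): a small Python helper that produces the settings the reply recommends, building the base and group DNs without quotes, escaping the group DN per RFC 4515 before it is placed in the memberOf chain filter, and doubling backslashes because ldap-config.properties is a Java properties file. The service account svc_teamcity is a hypothetical placeholder.

```python
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"  # AD rule: follow nested group membership

def escape_rdn_value(value):
    """RFC 4514 escaping of one RDN value (e.g. an OU name); spaces need no quotes."""
    out = "".join("\\" + ch if ch in ',+"\\<>;' else ch for ch in value)
    if out[:1] in (" ", "#"):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def build_dn(*rdns):
    """Join (attribute, value) pairs into a DN string without any quoting."""
    return ",".join(f"{attr}={escape_rdn_value(val)}" for attr, val in rdns)

def escape_filter_value(value):
    """RFC 4515 escaping so a group name cannot change the filter's structure."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)

def nested_member_filter(group_dn):
    """teamcity.users.filter matching all users in group_dn, nested groups included."""
    return ("(&(objectClass=user)(memberOf:" + LDAP_MATCHING_RULE_IN_CHAIN
            + ":=" + escape_filter_value(group_dn) + "))")

def teamcity_ldap_properties(host, domain_dn, group_dn, bind_dn):
    """Key/value pairs as the reply recommends: URL at the domain root, empty users.base."""
    return {
        "java.naming.provider.url": f"ldap://{host}:389/{domain_dn}",
        "java.naming.security.principal": bind_dn,  # full DN of the service account
        "java.naming.security.authentication": "simple",
        "teamcity.users.base": "",
        "teamcity.users.filter": nested_member_filter(group_dn),
        "teamcity.users.username": "sAMAccountName",
        "teamcity.users.login.filter": "(sAMAccountName=$capturedLogin$)",
    }

def properties_line(key, value):
    """Java .properties drops unknown backslash escapes, so a literal backslash is doubled."""
    escaped = value.replace("\\", "\\\\")
    return f"{key}={escaped}"

if __name__ == "__main__":
    domain = build_dn(("DC", "mycompany"), ("DC", "com"))
    group = build_dn(("CN", "CI_Users"), ("OU", "ALM"), ("OU", "Our Security Groups")) + "," + domain
    bind = build_dn(("CN", "svc_teamcity"), ("OU", "ALM")) + "," + domain  # hypothetical account
    for k, v in teamcity_ldap_properties("server.mycompany.com", domain, group, bind).items():
        print(properties_line(k, v))
```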

Hey, I got a similar error when I use the group name.

My group name is .is-developers. So should I use the string as below?

teamcity.users.base=OU=DevGroup,OU=Our Developers Group

 

I was not able to resolve my error below. I tried all the above options.

[2019-09-20 15:12:05,158] INFO - jetbrains.buildServer.LDAP - Starting synchronization session
[2019-09-20 15:12:05,158] INFO - jetbrains.buildServer.LDAP - Fetching remote users and groups
[2019-09-20 15:12:05,192] WARN - jetbrains.buildServer.LDAP - Error while retrieving LDAP users, skipping users synchronization: LDAP search operation returned an error while retrieving users. While initializing LDAP connection. Wrong credentials specified in the LDAP configuration? Check 'java.naming.security.principal' property (current value: 'CN=svc_TCLDAP,DC=cinci,DC=paycor,DC=com', full DN is recommended) and 'java.naming.security.credentials' property. Set them to empty values to use anonumous LDAP access. Original error: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839]
[2019-09-20 15:12:05,192] WARN - jetbrains.buildServer.LDAP - Skipping groups synchronization as user synchronization failed with an error
[2019-09-20 15:12:05,192] INFO - jetbrains.buildServer.LDAP - Last synchronization statistics: user sync enabled=false, created users=0, updated users=0, deleted users=0, remote users=0, matched users=0, group sync enabled=false, created groups=0, updated groups=0, deleted groups=0, remote groups=0, matched groups=0, duration=34ms, errors=2, errors: [Error while retrieving LDAP users, skipping users synchronization: LDAP search operation returned an error while retrieving users. While initializing LDAP connection. Wrong credentials specified in the LDAP configuration? Check 'java.naming.security.principal' property (current value: 'CN=svc_TCLDAP,DC=cinci,DC=paycor,DC=com', full DN is recommended) and 'java.naming.security.credentials' property. Set them to empty values to use anonumous LDAP access. Original error: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839], Skipping groups synchronization as user synchronization failed with an error]


Hi Ravi,

 

Your error message is very specific: TeamCity is failing to authenticate with LDAP. Please, as mentioned in the error, check that your LDAP credentials are properly set up in the LDAP properties, and that the user set in the properties file has rights to access the AD info.

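An added triage helper (not part of the thread and not TeamCity's code) that parses lines in the log format Ravi posted, pulls out the LDAP result code, the AD sub-status that follows "data", the bind DN quoted in the message and any unresolved "remaining name", and maps them to a cause so the two failures seen in this thread can be told apart. The sample lines and the service-account DN in them are constructed.

```python
import re

# AD sub-status values reported as "data NNN" alongside "LDAP: error code 49" (bind failure).
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password or wrong bind DN)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}
LOG_RE = re.compile(r"^\[?(?P<ts>\d{4}-\d\d-\d\d [\d:,]+)\]\s+(?P<level>\w+)\s+-\s+(?P<logger>\S+)\s+-\s+(?P<msg>.*)$")
ERR_RE = re.compile(r"LDAP: error code (?P<code>\d+) - (?P<hex>[0-9A-Fa-f]{8}):.*?data (?P<data>[0-9A-Fa-f]+)")
BIND_DN_RE = re.compile(r"current value: '(?P<dn>[^']*)'")
REMAINING_RE = re.compile(r"remaining name '(?P<name>[^']*)'")

def triage(line):
    """Describe the LDAP failure in one TeamCity log line; None if the line is not in that format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    out = {"timestamp": m.group("ts"), "level": m.group("level"), "ldap_code": None,
           "data": None, "bind_dn": None, "remaining_name": None, "diagnosis": None}
    e = ERR_RE.search(msg)
    if e:
        out["ldap_code"], out["data"] = int(e.group("code")), e.group("data").lower()
    b = BIND_DN_RE.search(msg)
    if b:
        out["bind_dn"] = b.group("dn")
    r = REMAINING_RE.search(msg)
    if r:
        out["remaining_name"] = r.group("name")
    if out["ldap_code"] == 49:  # the bind itself was rejected; the sub-status says why
        out["diagnosis"] = "bind failed: " + AD_BIND_DATA_CODES.get(out["data"], "unknown AD sub-status " + out["data"])
    elif out["ldap_code"] == 1 and out["remaining_name"]:  # JNDI could not resolve part of the search base
        out["diagnosis"] = f"search base '{out['remaining_name']}' could not be resolved; check teamcity.users.base and the provider URL"
    return out

# Constructed sample lines in TeamCity's LDAP log format (not copied from a real server).
SAMPLE_LINES = [
    "[2024-01-15 09:00:00,001] INFO - jetbrains.buildServer.LDAP - Starting synchronization session",
    "[2024-01-15 09:00:00,034] WARN - jetbrains.buildServer.LDAP - Error while retrieving LDAP users, skipping users synchronization: ... Check 'java.naming.security.principal' property (current value: 'CN=svc_teamcity,OU=Service Accounts,DC=example,DC=com', full DN is recommended) ... Original error: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839]",
    "[2024-01-15 09:05:12,200] WARN - jetbrains.buildServer.LDAP - Fatal error while LDAP users synchronization: Operations error ... [LDAP: error code 1 - 000020D6: SvcErr: DSID-031007DB, problem 5012 (DIR_ERROR), data 0 ]; remaining name 'CN=CI_Users'",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(triage(sample))
```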