ldap auth for CN=Teamcity-Cert,CN=Users,DC=domain,DC=com

I have tried every combination. So maybe I'm going about this wrong.

I created a group in Teamcity called Teamcity-Cert. Then I added members to it.

We have a rather large organization and not everyone's in the users group. AD setup similar to below. Any help appreciated.

Domain.com
  |- San Francisco
  |- St Louis
  |- Users


teamcity.users.base=CN=users
teamcity.users.login.filter=(sAMAccountName=$capturedLogin$)
teamcity.users.username=sAMAccountName
java.naming.referral=follow
java.naming.security.authentication=simple
teamcity.auth.loginFilter=[^/\\\\@]+
teamcity.options.users.synchronize=false
teamcity.users.filter=(objectClass=user)
teamcity.options.groups.synchronize=false
teamcity.options.createUsers=false
teamcity.options.deleteUsers=false
teamcity.options.syncTimeout = 3600000

4 comments

Hi Kevin,

What TeamCity version do you use?

Are you able to login via LDAP? Are you looking into synchronizing TeamCity users with LDAP group?

Could you please detail the original goal and what does not work? Was teamcity-ldap.log of any help? Have you tried debug logging in there?

Have you tried the settings outlined in the typical settings section?


In the settings you included, there are no java.naming.security.principal and java.naming.security.credentials properties. Please make sure you set these.


I'm using TeamCity 7.1.2 (build 24170).

I work at a large organization. I'm using our windows domain controller for ldap.

At the moment, I can login with the setting I provided above.

My issue, I believe, is that I have users who need to log in who are outside the CN=Users group.

Looking at the tree above as an example, I have a user that's in the OU= San\ Francisco. Searching the OU=Users doesn't let him in because he's not in that group.

I created a group under Users, CN=Teamcity-Cert,CN=Users,DC=domain,DC=com, and added him to that group, but still not having any success.


Tried
teamcity.users.login.filter=(&(sAMAccountName=$capturedLogin$)(memberOf=CN=Teamcity-Cert,CN=Users,DC=domain,DC=com))

I've cleared the base and just used this.
teamcity.users.base=

but that is timing out. Very large company.

I have debugging turned on, but all it's saying in more lines is that auth isn't working.

If I enable teamcity.users.login.filter=(&(sAMAccountName=$capturedLogin$)(memberOf=CN=Teamcity-Cert,CN=Users,DC=domain,DC=com)), I get this

[2014-10-14 16:29:37,799]  DEBUG -     jetbrains.buildServer.LDAP - ------ Starting login sequence for user-entered login: 'USERNAME' ------
[2014-10-14 16:29:37,800]  DEBUG -     jetbrains.buildServer.LDAP - Constructed filter '(&(sAMAccountName=USERNAME)(memberOf=CN=Teamcity-Cert,CN=Users,DC=domain,DC=com))' from teamcity.users.login.filter=(&(sAMAccountName=USERNAME)(memberOf=CN=Teamcity-Cert,CN=Users,DC=domain,DC=com))
[2014-10-14 16:29:37,800]  DEBUG -     jetbrains.buildServer.LDAP - Base environment properties: {java.naming.provider.url=ldap://xx.xx.xx.xx:389/dc=domain,dc=com, java.naming.security.principal=LDAP-Teamcity}
[2014-10-14 16:29:37,800]  DEBUG -     jetbrains.buildServer.LDAP - Performing search in LDAP: base='', filter='(&(sAMAccountName=USERNAME)(memberOf=CN=Teamcity-Cert,CN=Users,DC=domain,DC=com))', scope=2, attributes=[sAMAccountName, distinguishedName]
[2014-10-14 16:29:37,890]  DEBUG -     jetbrains.buildServer.LDAP - LDAP search result: CN=LAST\, FIRST,CN=Users: null:null:{samaccountname=sAMAccountName: USERNAME, distinguishedname=distinguishedName: CN=LAST\, FIRST,CN=Users,DC=domain,DC=com}
[2014-10-14 16:29:37,890]   WARN -     jetbrains.buildServer.LDAP - Search in LDAP: base='', filter='(&(sAMAccountName=USERNAME)(memberOf=CN=Teamcity-Cert,CN=Users,DC=domain,DC=com))', scope=2, attributes=[sAMAccountName, distinguishedName] resulted in error

Otherwise it works if I comment that out and use

teamcity.users.base=CN=users

Not sure what else to try.

Thanks.


As an update, I found this article.

https://youtrack.jetbrains.com/issue/TW-7800#comment=27-564755

So I made these changes.

teamcity.users.filter=(&(objectClass=user)(|(memberOf=CN=Users,DC=DOMAIN,DC=com)(memberOf=OU=San Francisco,DC=DOMAIN,DC=com)))
teamcity.users.base=

I get this log entry, but it just sits there and the login spins.


[2014-10-14 20:22:49,315]  DEBUG -     jetbrains.buildServer.LDAP - ------ Starting login sequence for user-entered login: 'testldap' ------
[2014-10-14 20:22:49,315]  DEBUG -     jetbrains.buildServer.LDAP - Constructed filter '(sAMAccountName=testldap)' from teamcity.users.login.filter=(sAMAccountName=testldap)
[2014-10-14 20:22:49,315]  DEBUG -     jetbrains.buildServer.LDAP - Base environment properties: {java.naming.security.authentication=simple, java.naming.referral=follow, java.naming.provider.url=ldap://xx.xx.xx.xx:389/dc=DOMAIN,dc=com, java.naming.security.principal=LDAP-Teamcity}
[2014-10-14 20:22:49,315]  DEBUG -     jetbrains.buildServer.LDAP - Performing search in LDAP: base='', filter='(sAMAccountName=testldap)', scope=2, attributes=[sAMAccountName, distinguishedName]
[2014-10-14 20:22:49,402]  DEBUG -     jetbrains.buildServer.LDAP - LDAP search result: CN=Ldap\, Test,OU=San Francisco: null:null:{samaccountname=sAMAccountName: testldap, distinguishedname=distinguishedName: CN=Ldap\, Test,OU=San Francisco,DC=DOMAIN,DC=com}


Kevin,

This should work to allow only users from the CN=Teamcity-Cert,CN=Users,DC=domain,DC=com LDAP group to login:

teamcity.users.base=CN=Users
teamcity.users.login.filter=(&(sAMAccountName=$capturedLogin$)(memberOf=CN=Teamcity-Cert,CN=Users,DC=domain,DC=com))

And this should work allowing to login any users:

teamcity.users.base=

teamcity.users.login.filter=(sAMAccountName=$capturedLogin$)


"teamcity.users.filter" property is related to the users synchronization, so you do not need it when solving login issues.

When you note that something does not work, please include entire LDAP log. It seems that your previous snippets were missing final lines.
If the "login spins" please take a couple of the server thread dumps and attach them together with the log. You can send the logs archived via email if you cannot post them in public.

Actually, I would recommend to upgrade to the latest TeamCity (8.1.5). This will not only get you many new features, but also contains lots of fixes, including LDAP-related.
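The two settings in play in this thread, the search base and the login filter, are easy to reason about with a small model of what the server does on login: check the entered login against teamcity.auth.loginFilter, substitute it into teamcity.users.login.filter, then run a subtree search (scope=2) under teamcity.users.base. The example below is added here for illustration and is not TeamCity's code or JetBrains' code. It builds a constructed in-memory directory using the DNs from the thread (the CN=Users user, the OU=San Francisco user, plus a hypothetical OU=St Louis user who is not in the group), a minimal RFC 4515 filter parser and evaluator, and a resolver that returns the DN a user would bind as. Two assumptions are made: the relative base is appended to DC=domain,DC=com as the provider URL in the log suggests, and the captured login is RFC 4515-escaped before substitution, which is how a safe implementation should behave and is the reason the last sample login, which slips past the loginFilter regex, still cannot widen the search.

```python
import re

# Constructed sample directory modelled on the tree in the question
# (hypothetical entries, not real data). DNs are relative to ROOT.
ROOT = "DC=domain,DC=com"
GROUP = "CN=Teamcity-Cert,CN=Users," + ROOT
DIRECTORY = [
    {"dn": "CN=LAST\\, FIRST,CN=Users," + ROOT, "sAMAccountName": "USERNAME",
     "objectClass": "user", "memberOf": [GROUP]},
    {"dn": "CN=Ldap\\, Test,OU=San Francisco," + ROOT, "sAMAccountName": "testldap",
     "objectClass": "user", "memberOf": [GROUP]},
    {"dn": "CN=Other\\, User,OU=St Louis," + ROOT, "sAMAccountName": "other",
     "objectClass": "user", "memberOf": []},          # hypothetical, not in the group
]

# teamcity.auth.loginFilter=[^/\\\\@]+ as written in the post; after Java
# properties unescaping it is the regex [^/\\@]+ (no '/', '\' or '@' in a login).
LOGIN_FILTER_RE = re.compile(r"[^/\\@]+")
PLAIN_TEMPLATE = "(sAMAccountName=$capturedLogin$)"
GROUP_TEMPLATE = "(&(sAMAccountName=$capturedLogin$)(memberOf=" + GROUP + "))"


def login_allowed(login):
    """The whole user-entered login must match teamcity.auth.loginFilter."""
    return LOGIN_FILTER_RE.fullmatch(login) is not None


def ldap_escape(value):
    """RFC 4515 escaping of an assertion value: ( ) * \\ and NUL become \\XX."""
    return "".join("\\%02x" % ord(c) if c in "()*\\\x00" else c for c in value)


def ldap_unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_login_filter(template, login):
    """Substitute $capturedLogin$ escaped (assumption: a safe implementation does this)."""
    return template.replace("$capturedLogin$", ldap_escape(login))


def parse_filter(s, i=0):
    """Minimal RFC 4515 parser: equality items plus '&' and '|' lists."""
    if s[i] != "(":
        raise ValueError("filter item must start with '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            children.append(node)
        if s[i] != ")":
            raise ValueError("unterminated list at offset %d" % i)
        return (op, children), i + 1
    j = s.index(")", i)                     # a ')' inside a value is escaped as \29
    attr, _, value = s[i:j].partition("=")  # split on the first '=' only (DN values contain '=')
    return ("=", attr, ldap_unescape(value)), j + 1


def attr_values(entry, attr):
    """LDAP attribute names are case-insensitive; always return a list."""
    for k, v in entry.items():
        if k.lower() == attr.lower():
            return v if isinstance(v, list) else [v]
    return []


def matches(node, entry):
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    _, attr, want = node                    # AD matches sAMAccountName and DNs case-insensitively
    return any(v.lower() == want.lower() for v in attr_values(entry, attr))


def in_subtree(dn, users_base):
    """scope=2 (subtree) under teamcity.users.base, taken as relative to ROOT."""
    base = (users_base + "," + ROOT) if users_base else ROOT
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def search(users_base, filter_str):
    node, _ = parse_filter(filter_str)
    return [e["dn"] for e in DIRECTORY if in_subtree(e["dn"], users_base) and matches(node, e)]


def resolve_login(login, users_base, template):
    """DN to bind as, or None when the login is rejected, unmatched or ambiguous."""
    if not login_allowed(login):
        return None
    hits = search(users_base, build_login_filter(template, login))
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    for login, base, tpl in [("testldap", "CN=Users", GROUP_TEMPLATE),   # outside the base
                             ("testldap", "", GROUP_TEMPLATE),           # found via memberOf
                             ("other", "", GROUP_TEMPLATE),              # not in the group
                             ("other", "", PLAIN_TEMPLATE),              # any user may log in
                             ("x)(|(sAMAccountName=*", "", PLAIN_TEMPLATE)]:  # injection attempt
        print("%-26r base=%-10r -> %s" % (login, base, resolve_login(login, base, tpl)))
```

Running it shows the two configurations from the answer side by side: with teamcity.users.base=CN=Users the San Francisco user is never reached no matter what the login filter says, because scope=2 only descends from the base; with an empty base he is found, and the memberOf clause is what keeps users outside the group out. The last case shows why escaping the captured login matters even when teamcity.auth.loginFilter is set: the regex only excludes '/', '\' and '@', so filter metacharacters such as '(' ')' and '*' still get through, and only escaping stops them from rewriting the search.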
