Pulling all users through LDAP into TeamCity

LDAP sync is failing with the entries below in teamcity-ldap.log (debug enabled):

...

Got 40 users and 1 groups

Error during group synchronization: Remote entry retrieved as a member of a group does not match any known user or group. Entry: 'CN=uslsu01,OU=Users,OU=Europe Middle East Africa,DC=ca,DC=com'. Synchronized group: '[remoteId='CN=engineering,OU=Groups,OU=North America,DC=ca,DC=com', groupKey=ALL_USERS_GROUP', name='null', description='null', memberIds=9]'

...

Last synchronization statistics: created users=0, updated users=0, deleted users=0, remote users=40, matched users=0, created groups=0, updated groups=0, deleted groups=0, remote groups=1, matched groups=0, duration=97026ms, errors=[Error during group synchronization: Remote entry retrieved as a member of a group does not match any known user or group. Entry: 'CN=uslsu01,OU=Users,OU=Europe Middle East Africa,DC=ca,DC=com'. Synchronized group: '[remoteId='CN=engineering,OU=Groups,OU=North America,DC=ca,DC=com', groupKey=ALL_USERS_GROUP', name='null', description='null', memberIds=9]',

...

Our requirement is to pull all users from a group named 'engineering' in our Active Directory into the ALL_USERS_GROUP in TeamCity.

Example: uslsu01 (mentioned in the logs above) should get added to the ALL_USERS_GROUP group.

ldap-mapping.xml contains the entry below:

<group-mapping teamcityGroupKey="ALL_USERS_GROUP" ldapGroupDn="CN=engineering,OU=Groups,OU=North America,DC=ca,DC=com"/>

ldap-config.properties contains the entries below:

java.naming.provider.url=ldap://#####/DC=ca,DC=com

java.naming.security.principal=#####
java.naming.security.credentials=#####
teamcity.users.base=CN=users
teamcity.users.username=sAMAccountName

java.naming.referral=follow
java.naming.security.authentication=simple
teamcity.options.users.synchronize=true
teamcity.users.filter=(objectClass=user)
teamcity.options.groups.synchronize=true
teamcity.groups.filter=(objectClass=group)
teamcity.options.createUsers=true
teamcity.options.deleteUsers=false
teamcity.options.syncTimeout = 3600000
teamcity.groups.property.member=member
teamcity.users.property.displayName=displayName
teamcity.users.property.email=mail

Is there any entry in the ldap-config.properties file that I am providing incorrectly, or one that I am missing?

3 comments
You need to change the teamcity.users.base property.
At the moment it points to the top-level Users container, so TeamCity cannot find any user accounts, because they are stored in other organizational units.
You can leave this option empty to search user accounts through the whole domain, or specify some base OU, for example

teamcity.users.base=OU=North America


I added teamcity.users.base=OU=North America to the configuration.

I still get the same error.

Error during group synchronization: Remote entry retrieved as a member of a group does not match any known user or group. Entry: 'CN=uslsu01,OU=Users,OU=Europe Middle East Africa,DC=ca,DC=com'. Synchronized group: '[remoteId='CN=engineering,OU=Groups,OU=North America,DC=ca,DC=com', groupKey='ALL_USERS_GROUP', name='null', description='null', memberIds=9]'


From Michael Kuzmin:

'Actually, the error message lists objects that cause the issue.

In your example this is CN=uslsu01,OU=Users,OU=Europe Middle East Africa,DC=ca,DC=com

This is an account outside of North America organizational unit.

So you'll need to set the teamcity.users.base option empty, and let it search user accounts in the whole domain.'

The above suggestion worked.

I set 'teamcity.users.base=' and then users in the Engineering group got added to TeamCity.

Thanks, Michael!!

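The scope rule Michael describes (a group member is only matched if its DN sits under teamcity.users.base, joined to the base DN from java.naming.provider.url) can be checked offline before widening the search base to the whole domain, which shows which OUs a narrower base would have to cover. This is an added example written for this thread, not TeamCity's own matching code; it is a simplified model of that rule, the DN parser and the two constructed member DNs (usnyab02, "Svc, Build") are assumptions, and only uslsu01 comes from the log above.

```python
from typing import List, Tuple

PROVIDER_BASE = "DC=ca,DC=com"  # base DN from java.naming.provider.url on the page


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDNs, honouring backslash-escaped commas.

    AD DN comparison is case-insensitive, so both parts are lower-cased.
    """
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            buf += ch
            escaped = True
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    out = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition("=")
        out.append((attr.strip().lower(), value.strip().lower()))
    return out


def in_search_base(entry_dn: str, users_base: str) -> bool:
    """True if entry_dn lies under users_base joined to PROVIDER_BASE (empty base = whole domain)."""
    base = users_base.strip()
    full_base = f"{base},{PROVIDER_BASE}" if base else PROVIDER_BASE
    entry, base_rdns = parse_dn(entry_dn), parse_dn(full_base)
    return len(entry) >= len(base_rdns) and entry[-len(base_rdns):] == base_rdns


def unmatched_members(member_dns: List[str], users_base: str) -> List[str]:
    """Members the sync would report as 'does not match any known user or group'."""
    return [dn for dn in member_dns if not in_search_base(dn, users_base)]


# Constructed group membership: uslsu01 is from the log; the other two are made up.
MEMBERS = [
    "CN=uslsu01,OU=Users,OU=Europe Middle East Africa,DC=ca,DC=com",
    "CN=usnyab02,OU=Users,OU=North America,DC=ca,DC=com",
    "CN=Svc\\, Build,OU=Users,OU=North America,DC=ca,DC=com",  # escaped comma in CN
]

if __name__ == "__main__":
    for base in ("CN=users", "OU=North America", ""):
        print(f"teamcity.users.base={base!r}: unmatched={unmatched_members(MEMBERS, base)}")
```

With teamcity.users.base=CN=users every member is unmatched (the "matched users=0" in the statistics), with OU=North America only uslsu01 is, and with an empty base none are.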
