can't find any user in mapped groups

Hi, all. I'm using TeamCity 5.1, OpenLDAP Server 2.4.21 and Java version "1.6.0_20" (JDK). TeamCity can find and authorize my users well, and group mapping works well, but users which belong to some groups in LDAP belong only to the All Users group in TeamCity.
Details:
----------------------------------------------------------------------------------
result of ldapsearch of two test groups:
----------------------------------------------------------------------------------
# svn_ro, Groups, auth.test.ru
dn: cn=svn_ro,ou=Groups,dc=auth,dc=test,dc=ru
cn: svn_ro
gidNumber: 2006
objectClass: posixGroup
memberUid: tester
memberUid: robot

# svn_rw, Groups, auth.test.ru
dn: cn=svn_rw,ou=Groups,dc=auth,dc=test,dc=ru
cn: svn_rw
gidNumber: 2007
objectClass: posixGroup
memberUid: someusers
----------------------------------------------------------------------------------
mapping:
<!DOCTYPE mapping SYSTEM "ldap-mapping.dtd">
<mapping>
<group-mapping teamcityGroupKey="SVN_RO" ldapGroupDn="cn=svn_ro,ou=Groups,dc=auth,dc=test,dc=ru"/>
<group-mapping teamcityGroupKey="SVN_RW" ldapGroupDn="cn=svn_rw,ou=Groups,dc=auth,dc=test,dc=ru"/>
</mapping>
----------------------------------------------------------------------------------
part of ldap-config.properties
java.naming.provider.url=ldap://localhost:389/dc=auth,dc=test,dc=ru
teamcity.groups.base=ou=Groups
teamcity.groups.filter=(objectClass=posixGroup)
teamcity.groups.property.member=memberUid
----------------------------------------------------------------------------------
no errors in TeamCity logs.

Thanks  in advance


Hi Gregory,

Probably the users can't be mapped because the TeamCity username and the LDAP username differ.
Please turn on debug logging and try to sync again. The teamcity-ldap.log file should then contain the details of why certain users were not added to the group.


---
Maxim


part of teamcity-ldap.log:
------------------------------------
[2010-07-09 15:11:21,420]   INFO -     jetbrains.buildServer.LDAP - Cannot match member 'tester' of LDAP group 'cn=svn_ro,ou=Groups,dc=auth,dc=test,dc=ru' with LDAP user or group.
[2010-07-09 15:11:21,420]   INFO -     jetbrains.buildServer.LDAP - Cannot match member 'robot' of LDAP group 'cn=svn_ro,ou=Groups,dc=auth,dc=test,dc=ru' with LDAP user or group.
[2010-07-09 15:11:21,420]   INFO -     jetbrains.buildServer.LDAP - Sync with LDAP groups done
[2010-07-09 15:11:21,420]   INFO -     jetbrains.buildServer.LDAP - Last syncronization statistics: created users=0, updated users=0, removed users=0, users in ldap=4, matched users=3, duration=24ms, errors=[]

part of ldap-config.properties:
-------------------------------------------
teamcity.users.base=ou=Users
teamcity.users.filter=(objectClass=posixAccount)
teamcity.users.username=uid

teamcity.groups.base=ou=Groups
teamcity.groups.filter=(objectClass=posixGroup)
teamcity.groups.property.member=memberUid

for example user tester:
LDAP:
uid=tester,ou=Users,dc=auth,dc=test,dc=ru,

Group:
# svn_ro, Groups, auth.test.ru
dn: cn=svn_ro,ou=Groups,dc=auth,dc=test,dc=ru
cn: svn_ro
gidNumber: 2006
objectClass: posixGroup
memberUid: tester
memberUid: robot

TeamCity user tester exists; it's created automatically on first logon.

Why can't the app match the TeamCity user and the LDAP user?


Gregory,

Users are matched via username. What is TeamCity username of 'tester' and 'robot'?

UPD: one more question: are 'robot' and 'tester' present among fetched users?

---
Maxim


tester and robot, I suppose.
I logged in from the web interface one time as tester and one time as robot with their LDAP credentials; after that, I can find them in the administration menu with the fetched full name and e-mail address (LDAP attributes).

teamcity.users.property.displayName=cn
teamcity.users.property.email=mail

users.png

tester1.png


OK. Are they present in the list of fetched users?


Sorry, but where can I find that list? What is it?


In the teamcity-ldap.log. All data fetched from LDAP is dumped into the log.


Maybe that:

Last synchronization summary:       found 4 users in LDAP,             4 are matched with TeamCity users.

>after that I create a new LDAP user and include it in the svn_ro group.

[2010-07-09 16:46:46,823]   INFO -     jetbrains.buildServer.LDAP - ------ Sync with LDAP users started ------
[2010-07-09 16:46:46,917]   INFO -     jetbrains.buildServer.LDAP - Sync with LDAP users done
[2010-07-09 16:46:46,917]   INFO -     jetbrains.buildServer.LDAP - ------ Sync with LDAP groups started ------
[2010-07-09 16:46:46,918]   INFO -     jetbrains.buildServer.LDAP - LDAP groups mapping loaded
...
[2010-07-09 16:46:46,968]   INFO -     jetbrains.buildServer.LDAP - Cannot match member 'tester' of LDAP group 'cn=svn_ro,ou=Groups,dc=auth,dc=test,dc=ru' with LDAP user or group.
[2010-07-09 16:46:46,968]   INFO -     jetbrains.buildServer.LDAP - Cannot match member 'robot' of LDAP group 'cn=svn_ro,ou=Groups,dc=auth,dc=test,dc=ru' with LDAP user or group.
[2010-07-09 16:46:46,968]   INFO -     jetbrains.buildServer.LDAP - Cannot match member 'tester2' of LDAP group 'cn=svn_ro,ou=Groups,dc=auth,dc=test,dc=ru' with LDAP user or group.
[2010-07-09 16:46:46,968]   INFO -     jetbrains.buildServer.LDAP - Sync with LDAP groups done
[2010-07-09 16:46:46,968]   INFO -     jetbrains.buildServer.LDAP - Last syncronization statistics: created users=0, updated users=0, removed users=0, users in ldap=5, matched users=4, duration=145ms, errors=[]

Last synchronization summary:       found 5 users in LDAP,             4 are matched with TeamCity users.

>login with ldap credentials
Last synchronization summary:       found 5 users in LDAP,             5 are matched with TeamCity users.


I can't enable DEBUG logging, pfff

after deleting 2 lines (251 and 253) in the file .BuildServer/config/teamcity-server-log4j.xml

  <category name="jetbrains.buildServer">
    <priority value="DEBUG"/>
    <appender-ref ref="ROLL"/>
  </category>

and restarting the server. But nothing changed in teamcity-ldap.log; it looks like DEBUG mode was not enabled.

Another thing that I caught:
in log file
Last syncronization statistics: created users=0, updated users=0, removed users=0, users in ldap=5, matched users=5, duration=31ms, errors=[]

The created users, updated users and removed users counters never change; users in ldap and matched users show true values, but auth from LDAP works and I get user attributes like Full Name and e-mail.


Hello, I hope you have spent good days off.
After enabling the DEBUG log, I made some tests: added a new user in LDAP, citytester, logged in with his credentials in TeamCity and made a sync manually.
Part of teamcity-ldap.log is in the attachment.



Attachment(s):
ldap.log.zip

Hi Gregory,

Thanks, I hope you had a nice weekend as well =)
Sorry, I forgot about one thing. The member property (in LDAP) should contain the full DN of the entry, not just the username. That's why the fetched user data can't be matched with group members.
I'll update the documentation.

Sorry for the inconvenience.

---
Maxim


Thanks, but maybe there is a way to change something in the TeamCity config to make the comparison of the member attribute from LDAP and the username from TeamCity go well?


Gregory,

I suppose it's not possible out-of-the-box. I'll try to build a custom plugin jar.


Hi Gregory.

Please try this one.



Attachment(s):
ldap-login.jar

Thanks, Maxim, the new ldap-login.jar works well.
You solved that problem.


Is this required even in the latest 6.5.3 release? Our OpenLDAP does not give any field in groups that contain the full DN of a user.


and I solved it by setting distinguishedName to uid. That could definitely be documented better...

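Added example (editor's note, not TeamCity code and not from any poster in this thread): a small emulation of the matching rule Maxim describes above and of the fix in the last comment. TeamCity resolves each value of the group's member attribute against the users' "DN attribute". For an OpenLDAP posixGroup, memberUid holds bare usernames ("tester"), so comparing them with full DNs ("uid=tester,ou=Users,...") fails and the log reports "Cannot match member ...". Pointing the DN attribute at uid makes the comparison succeed. The script parses constructed LDIF in the same shape as the ldapsearch output posted above; the property name teamcity.users.property.distinguishedName is taken from the last comment and from the ldap-config.properties template, so verify it against your TeamCity version. The case-insensitive comparison is this example's choice (DNs and the standard uid attribute compare case-insensitively), not a documented TeamCity behaviour.

```python
"""Emulate TeamCity-style LDAP group member matching (added example, not TeamCity code)."""

# Constructed sample data, modelled on the ldapsearch output in the thread above.
USERS_LDIF = """\
dn: uid=tester,ou=Users,dc=auth,dc=test,dc=ru
objectClass: posixAccount
uid: tester
cn: Test User
mail: tester@test.ru

dn: uid=robot,ou=Users,dc=auth,dc=test,dc=ru
objectClass: posixAccount
uid: robot
cn: Robot
mail: robot@test.ru
"""

GROUPS_LDIF = """\
dn: cn=svn_ro,ou=Groups,dc=auth,dc=test,dc=ru
cn: svn_ro
gidNumber: 2006
objectClass: posixGroup
memberUid: tester
memberUid: robot

dn: cn=svn_rw,ou=Groups,dc=auth,dc=test,dc=ru
cn: svn_rw
gidNumber: 2007
objectClass: posixGroup
memberUid: someusers
"""

# The thread's configuration; the distinguishedName line is the fix from the last comment.
CONFIG_DEFAULT = {
    "teamcity.users.username": "uid",
    "teamcity.groups.property.member": "memberUid",
}
CONFIG_FIXED = dict(CONFIG_DEFAULT, **{"teamcity.users.property.distinguishedName": "uid"})


def parse_ldif(text):
    """Minimal LDIF parser: blank-line separated entries, 'attr: value' lines, no base64."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def sync_groups(users, groups, config):
    """Return ({group_dn: set(usernames)}, [log lines]) using the thread's matching rule.

    Each member value is looked up against the users' DN attribute. By default that is
    the entry DN, which bare memberUid values never equal; with the DN attribute set to
    'uid' the same values match (assumption: the real plugin compares case-insensitively).
    """
    member_attr = config["teamcity.groups.property.member"]
    dn_attr = config.get("teamcity.users.property.distinguishedName", "dn")
    username_attr = config["teamcity.users.username"]

    by_dn = {}
    for u in users:
        for v in u.get(dn_attr, []):
            by_dn[v.lower()] = u[username_attr][0]

    result, log = {}, []
    for g in groups:
        gdn = g["dn"][0]
        matched = set()
        for m in g.get(member_attr, []):
            user = by_dn.get(m.lower())
            if user is None:
                log.append(f"Cannot match member '{m}' of LDAP group '{gdn}' with LDAP user or group.")
            else:
                matched.add(user)
        result[gdn] = matched
    return result, log


def run(config):
    """Convenience wrapper: parse the constructed LDIF and sync with the given config."""
    return sync_groups(parse_ldif(USERS_LDIF), parse_ldif(GROUPS_LDIF), config)


if __name__ == "__main__":
    for name, cfg in (("default", CONFIG_DEFAULT), ("distinguishedName=uid", CONFIG_FIXED)):
        result, log = run(cfg)
        print(f"--- {name} ---")
        for gdn, members in result.items():
            print(f"{gdn}: {sorted(members)}")
        for line in log:
            print(line)
```

With the default configuration all three memberUid values are reported as unmatched, which is the pattern in the teamcity-ldap.log excerpts above; with the DN attribute set to uid, svn_ro resolves to tester and robot and only the non-existent someusers in svn_rw is reported. If your directory uses groupOfNames with a member attribute that already holds DNs, leave the property at its default.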
