Multiple LDAP user OUs

I have users listed across multiple OUs. I just configured Nexus Professional's LDAP plugin and was forced to specify a common superset OU that pulled in users that I wasn't interested in. This wasn't an optimal solution, but it works. Is this an acceptable configuration for TeamCity LDAP as well?


Here's an example to illustrate:

OU=organization A,OU=XYZ Companies,OU=Corporate
OU=organization B,OU=XYZ Entities,OU=ABC,OU=Corporate
OU=Users,OU=organization C,OU=DEF,OU=Corporate

Since they all share "OU=Corporate", I was able to specify that as a base DN and obtain the correct users.

Should this work? It's hard to evaluate what the problem is by only examining LDAP logging output, so I don't know if this is the issue or if it's something else.

2 comments

Hi, Leon

I have come across the same issue as you. So far, TC v4.55 and 5.0 don't support multi-OU queries for LDAP users.

http://www.jetbrains.net/devnet/message/5251242#5251242


Leon, you can try the below:

1. Try to persuade the LDAP server (AD) administrator to move them to the same group. (I have discussed it with our LDAP administrator; the answer is "no", because many other systems use it.)

2. Try to add a new objectClass to the user object (the LDAP administrator can do it; there may be many objectClasses on the current user object, so you can have him create a new one that extends the current objectClass, which won't affect any other system). Say it is "tcPerson"; then you can configure the info below in your ldap-config.properties:

... ...

### MANDATORY SETTINGS ###
# The credentials to use when browsing LDAP for synchronization purposes.
# The user must have read access to all LDAP entries under 'teamcity.users.base' and 'teamcity.groups.base' (see below).
java.naming.security.principal=xxxxx
java.naming.security.credentials=yyyyyyy
# The user base DN. Users are retrieved only from the LDAP subtree denoted by this DN.
# This DN should be "relative" to the root specified by "java.naming.provider.url".
# The search will be performed in LDAP subtree denoted by "java.naming.provider.url" and "teamcity.users.base" combined.
#
teamcity.users.base=OU=Corporate,dc=<yours>,dc=com

# The user search filter.
# LDAP filter string to search for all users.
teamcity.users.filter=(objectClass=tcPerson)

....

best regards,

James


... ...


Hi,

I have the exact same issue. However, I'm running TC 6.5.

It seems like the user search is not 'recursive'. If I set my user base DN to:

teamcity.users.base=ou=Users

and I have many OUs underneath the Users OU, it won't go down to those OUs to search for the user.

If my account resides in ou=USEROU1,ou=Users, I get an ldap login error:

cn=useraccount doesn't exist in ou=Users.

I have many users on different OUs -- maybe on 6.5 there's a way to specify multiple user base DNs? I tried separating them with semicolon and space but no dice.

Any clues?

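The following is an added example, not code from this thread or from TeamCity. It models what the two configurations discussed above actually select: James's broad base DN (OU=Corporate) combined with a narrowing objectClass filter, and the non-recursive (one-level) search behaviour described in the last comment. The directory entries, the DC=example,DC=com suffix and the "tcPerson" objectClass are constructed or assumed for the illustration. The point for whoever configures the integration: a base DN wide enough to span all the OUs also spans every other account beneath it, so without a filter that narrows the set, service or non-user accounts under OU=Corporate become valid login candidates.

```python
"""Added illustration, not code from the thread or from TeamCity: a minimal
model of how an LDAP base DN, search scope and filter select user entries
that are spread across several OUs.  The directory below is constructed
sample data, and 'tcPerson' is the hypothetical custom objectClass from
James's comment."""


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) RDNs, leftmost first, lower-cased.
    Handles only simple DNs without escaped commas, enough for this model."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def in_scope(entry_dn: str, base_dn: str, one_level: bool = False) -> bool:
    """True if entry_dn lies under base_dn.  one_level=True models a search that
    does not descend into child OUs, the behaviour described for TC 6.5."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(entry) <= len(base) or entry[-len(base):] != base:
        return False
    return (len(entry) - len(base) == 1) if one_level else True


def _parse_filter(s: str):
    """Parse a subset of RFC 4515: (attr=value), (attr=*), (&..), (|..), (!..)."""
    if not s.startswith("("):
        raise ValueError(f"expected '(' at {s!r}")
    if s[1] in "&|!":
        op, s = s[1], s[2:]
        children = []
        while s.startswith("("):
            child, s = _parse_filter(s)
            children.append(child)
        if not s.startswith(")"):
            raise ValueError("unbalanced filter")
        return (op, children), s[1:]
    end = s.index(")")
    attr, _, value = s[1:end].partition("=")
    return ("=", attr.strip().lower(), value.strip().lower()), s[end + 1:]


def _eval(entry: dict, node) -> bool:
    """Evaluate a parsed filter node against one entry (lower-case attribute keys)."""
    if node[0] == "=":
        _, attr, value = node
        values = entry.get(attr, [])
        values = values if isinstance(values, list) else [values]
        if value == "*":                      # presence test
            return bool(values)
        return any(str(v).lower() == value for v in values)
    op, children = node
    if op == "&":
        return all(_eval(entry, c) for c in children)
    if op == "|":
        return any(_eval(entry, c) for c in children)
    return not _eval(entry, children[0])      # '!'


def match_filter(entry: dict, ldap_filter: str) -> bool:
    """Evaluate ldap_filter against an entry whose attribute keys are lower-case."""
    node, rest = _parse_filter(ldap_filter.strip())
    if rest:
        raise ValueError(f"trailing text in filter: {rest!r}")
    return _eval(entry, node)


def search(directory, base_dn: str, ldap_filter: str = "(objectClass=*)",
           one_level: bool = False) -> list[str]:
    """CNs of the entries a search with this base, scope and filter returns."""
    hits = [e for e in directory
            if in_scope(e["dn"], base_dn, one_level) and match_filter(e, ldap_filter)]
    return sorted(parse_dn(e["dn"])[0][1] for e in hits)


# Constructed sample directory mirroring the OU layout in the question.
DIRECTORY = [
    {"dn": "CN=alice,OU=organization A,OU=XYZ Companies,OU=Corporate,DC=example,DC=com",
     "objectclass": ["person", "tcPerson"]},
    {"dn": "CN=bob,OU=organization B,OU=XYZ Entities,OU=ABC,OU=Corporate,DC=example,DC=com",
     "objectclass": ["person", "tcPerson"]},
    {"dn": "CN=carol,OU=Users,OU=organization C,OU=DEF,OU=Corporate,DC=example,DC=com",
     "objectclass": ["person", "tcPerson"]},
    {"dn": "CN=svc-backup,OU=Service Accounts,OU=Corporate,DC=example,DC=com",
     "objectclass": ["person"]},                       # under Corporate, not a TC user
    {"dn": "CN=dan,OU=Contractors,DC=example,DC=com",
     "objectclass": ["person", "tcPerson"]},           # tagged, but outside the base
]

CORPORATE = "OU=Corporate,DC=example,DC=com"
ORG_C = "OU=organization C,OU=DEF,OU=Corporate,DC=example,DC=com"

if __name__ == "__main__":
    print("broad base, no filter :", search(DIRECTORY, CORPORATE))
    print("broad base + tcPerson :", search(DIRECTORY, CORPORATE, "(objectClass=tcPerson)"))
    print("org C, subtree        :", search(DIRECTORY, ORG_C))
    print("org C, one level only :", search(DIRECTORY, ORG_C, one_level=True))
```

Run as a script, the first line lists svc-backup alongside the three intended users, the second drops it once the tcPerson filter is applied, and the last two show the same user base returning carol under a subtree search but nothing when the search does not descend into the child OU=Users.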
