User Authentication Config Question (Create Accounts + AD Pass)

Hi,

Is there a way to manually create accounts (or limit who can log in) while still requiring Active Directory passwords for those who do have accounts set up?

The way I’ve read the docs I have a choice between:

Default Authentication – create accounts by admin, but set password manually as well

Windows Domain Authentication or LDAP Authentication – passwords are pulled from AD, but any user who has an AD record can log in and create an account on the fly.

Is there an only-selected-users-can-login-and-are-required-AD-passwords-to-do-so configuration?

Thanks a bunch.

4 comments

Hi Ilya,

Manual user creation is disabled for LDAP and NT.
But our doc isn't exactly correct, because you can configure the LDAP plugin so that only a limited number of users can authenticate. E.g. you can configure the search filter to accept only users with a certain attribute value in LDAP.
Is this approach suitable for you?


---
Maxim

0

Thanks, that sounds ok-ish since it would require me bugging sysadmin every time I want to allow a new person to login to TeamCity, but it does sound like it solves the problem of requiring network password to login rather than keeping 2 sets of them without any ability to enforce policies on complexity, length, etc.

Weird, do all other companies out there allow anyone in the AD list, like HR, etc., to log in to their build servers? Strange that these are the only options available.

Anyway, do you know by any chance whether filters can be set up on whether a user is a member of a certain group? I highly doubt they'll be happy with me requesting an AD schema modification to add a new teamcityallowed attribute, but bugging them with please-add-this-user-to-this-special-group sounds like more of a compromise.

Thanks.

0

Hi Ilya,

> Weird, do all other companies out there allow anyone in the AD list, like HR, etc., to log in to their build servers? Strange that these are the only options available.
I think in most companies HR users, etc. have access to TeamCity, e.g. to download artifacts, but are very limited in permissions.

> Anyway, do you know by any chance whether filters can be set up on whether a user is a member of a certain group? I highly doubt they'll be happy with me requesting an AD schema modification to add a new teamcityallowed attribute, but bugging them with please-add-this-user-to-this-special-group sounds like more of a compromise.
Yes, LDAP filters support more or less rich syntax. See for example: http://msdn.microsoft.com/en-us/library/aa746475%28VS.85%29.aspx

0
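
The group-membership filter discussed in this thread, as an added example that is not part of the original posts or of TeamCity's own code. It builds an AD search filter that matches only members of one group and escapes the group DN per RFC 4515. The group DN, the login, the use of sAMAccountName as the login attribute and the function names are assumptions made for illustration.

```python
# Added example, not from the thread. Group DN and login are constructed.

# AD extensible-match rule LDAP_MATCHING_RULE_IN_CHAIN: follows nested groups.
IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves inside a filter value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def group_login_filter(group_dn, login=None, nested=False):
    """Build a filter that matches user accounts only if they are in group_dn.

    login=None lists every permitted account (useful for reviewing who would
    get in); passing a login narrows the match to that one account.
    nested=True also accepts members of groups nested inside group_dn.
    """
    attr = "memberOf:%s:" % IN_CHAIN if nested else "memberOf"
    clauses = ["(objectCategory=person)", "(objectClass=user)"]
    if login is not None:
        clauses.append("(sAMAccountName=%s)" % escape_filter_value(login))
    clauses.append("(%s=%s)" % (attr, escape_filter_value(group_dn)))
    return "(&%s)" % "".join(clauses)


# Constructed group whose CN contains parentheses: pasted unescaped into a
# hand-written filter, those characters are read as filter syntax.
GROUP_DN = "CN=TeamCity Users (Build),OU=Groups,DC=example,DC=com"

if __name__ == "__main__":
    print(group_login_filter(GROUP_DN))
    print(group_login_filter(GROUP_DN, login="ilya", nested=True))
```

In AD, memberOf does not list a user's primary group (Domain Users by default), so the allow-list group should be a separate security group that accounts are added to explicitly.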
