How can I map LDAP usernames back to TeamCity usernames?

My TeamCity usernames are formatted <firstname.lastname>.  My Active Directory usernames are formatted <Domain\firstname.lastname>.  I enabled LDAP Authentication yesterday, and was able to successfully authenticate with AD.  However, I then had no rights within TeamCity (not even project viewer).

I would rather not synchronize AD usernames or groups with TeamCity.  What I would like to do, if possible, is have the users enter their usernames as either <Domain\firstname.lastname> or just <firstname.lastname>, and configure TeamCity to use AD for authentication, but then map that username back to their existing TeamCity user accounts (with the same name) so that the TeamCity groups and roles I've already created will apply.

I've pasted what I have in my configuration files to this point (editing out the server and domain names).

ldap-config.properties:

java.naming.provider.url=ldap://<servername>.<domainname>:3268/CN=<snip>,DC=<snip>,DC=<snip>,DC=net
teamcity.auth.formatDN=uid=$login$,
teamcity.auth.loginFilter=US\\\\\\S+
teamcity.users.login.filter=.+
teamcity.users.login.capture=US\\\\(.*)
teamcity.options.users.synchronization=false
teamcity.options.groups.synchronize=false


[end of file]

main-config:

<?xml version="1.0" encoding="UTF-8"?>
<server rootURL="http://<snip>">
  <db-compact>
    <scheduler hour="3" minute="0" />
  </db-compact>
  <auth-type>
    <login-module />
    <guest-login allowed="false" guest-username="guest" />
  </auth-type>
  <artifacts maxArtifactSize="300000000" />
  <report-tab title="Code Coverage" basePath="coverage.zip" />
  <report-tab title="JavaDoc" basePath="javadoc.zip" />
  <comment-transformation>
    <transformation-pattern search="((https?://|ftp://|file://|mailto:)[\w`~@#$%^&amp;*-=|\/{}()\[\];:&quot;'&lt;&gt;?\.]+(?&lt;=[^\.,;&quot;'`\)\]}]))" replace="&lt;a target=&quot;_blank&quot; title=&quot;Click to open this link in a new window&quot; href=&quot;$1&quot;&gt;$1&lt;/a&gt;" description="Links transformation" />
    <transformation-pattern search="(&#xD;?&#xA;|&#xD;)" replace="&lt;br&gt;" description="Line feed transformation" />
  </comment-transformation>
</server>
[end of file]



Any assistance would be greatly appreciated. :)

-Ryan
9 comments

Hi Ryan,

I've replied to you by email. But we can continue talking here, since you've provided a few more details.
What are the existing TeamCity usernames and what are the new ones? Generally, the teamcity.users.login.capture property is intended to convert the username to the desired format.


---
Maxim

0

The existing TeamCity usernames are formatted: Robert.Smith.
The Active Directory usernames I'm authenticating through LDAP are formatted: Mydomain\Robert.Smith

Another way of asking my question is:
If I log into TeamCity through LDAP as: MyDomain\Robert.Smith,
  and I configure the teamcity.users.login.capture file to drop the "Domain\" portion of the Active Directory username,
  will TeamCity see my username as the TeamCity user named Robert.Smith -OR- will it see me as a foreign LDAP user with no role or group assignments in TeamCity?

If the latter is true, do I need to create new TeamCity accounts with usernames that match Active Directory (MyDomain\Robert.Smith) and assign roles and groups to those accounts, or what are my options for providing roles and groups to LDAP-authenticated users (keeping in mind that I don't want to synchronize users or groups from Active Directory to TeamCity)?

Thank you.

-Ryan

0

Ah, I think I understand the issue: the existing users are in one authorization schema and you want to have their permissions and settings in a new authentication schema (LDAP). Right?
Currently not (please vote for http://youtrack.jetbrains.net/issue/TW-1964): users from different schemas can't share anything.
Your options are:
- create the usergroups manually and add the users into them;
- fetch user - group connections from LDAP.


---
Maxim

0

Thank you for the prompt response, Maxim.

I now, thanks to your reply, understand that I can't assign my existing TeamCity-authenticated user permissions to the similarly named AD users.

What I still don't understand is how I can grant roles and groups to the LDAP-authenticated users.  If I create new user accounts in TeamCity named MyDomain\Robert.Smith, those will still be TeamCity-authenticated accounts, right?  

How can I assign LDAP-authenticated users to my existing roles and groups?

If this isn't possible, how do I go about assigning groups and roles to LDAP-authenticated users so they have permissions within TeamCity?


Thanks,
-Ryan

0

Ryan,

> What I still don't understand is how I can grant roles and groups to the LDAP-authenticated users.
Before users have logged in to TeamCity (i.e. a TeamCity account is created), they can't have any permissions assigned. Also, you cannot create TeamCity accounts for LDAP manually; users are created upon login.
So the steps are:
- as a system admin create proper TeamCity usergroups (or reuse the existing ones) on http://<server>/admin/userMain.html?tab=groups
- ask users to login to TeamCity with LDAP credentials
- assign users to your groups on http://<server>/admin/userMain.html?tab=userList

Do you have admin permissions in new auth schema?
If not, please see http://confluence.jetbrains.net/display/TCD5/How+To...#HowTo...-RetrieveAdministratorPassword

---
Maxim

0

Thanks for the quick response again.  I'm sorry if I didn't clearly communicate my questions.

I do have the System Administration role in TeamCity.  I also understand how to create users and groups in TeamCity, and how to assign TeamCity users to groups and roles.

What I don't know is how to create users in TeamCity that are Active Directory or LDAP users (as opposed to TeamCity users).  You said before that TeamCity-authenticated users can't share anything with LDAP-authenticated users.  

Is it enough to create a TeamCity user named "MyDomain\Robert.Smith"?  Is creating a user named "MyDomain\Robert.Smith" in TeamCity a TeamCity-authenticated user or an LDAP-authenticated user?  How does TeamCity know the difference?

I'm new to TeamCity administration, so I apologize if these are dumb questions.


Thanks,
-Ryan

0

OK. I just tried to understand what's the actual problem :)

> What I don't know is how to create users in TeamCity that are Active Directory or LDAP users (as opposed to TeamCity users).
You can't. For some authorization schemes (e.g. LDAP) manual creation of TeamCity users is disabled. Users should log in to TeamCity themselves, and only then is the account created.

> You said before that TeamCity-authenticated users can't share anything with LDAP-authenticated users
Let's be a little more accurate with terms. For both schemes there are TeamCity users. But for the default scheme the credentials are managed within TeamCity; for LDAP they are not: TeamCity always asks the LDAP server when authenticating.
These two sets of users can't intersect (at least in the current version).

> Is it enough to create a TeamCity user named "MyDomain\Robert.Smith"?
When you first log in to TeamCity in the new auth schema, the account is created. The username can include the domain, or it may not. That depends on your ldap-config. But this will be another TeamCity user no matter what the username is.

> Is creating a user named "MyDomain\Robert.Smith" in TeamCity a TeamCity-authenticated user or an LDAP-authenticated user?
This will be a TeamCity user for a new auth schema (LDAP). For it there is a corresponding LDAP entry (which you sync to).

> How does TeamCity know the difference?
Currently only one auth scheme can be active at a time, so previously created users can't be mixed with the new ones.

> I'm new to TeamCity administration, so I apologize if these are dumb questions.
That's ok, I'll try to do my best.

0

Thank you! I understood that explanation, and I now see why the wording of my question was confusing/misleading.  :)

I think I may understand another issue I had now too.  I believe my ldap-config file is configured to drop the "MyDomain\" portion of the login, but I already have TeamCity-authenticated users with the same name (ex: LDAP "MyDomain\Robert.Smith" becomes "Robert.Smith", but a TeamCity-auth user named "Robert.Smith" already exists).  Would this prevent the new LDAP-auth account from being created?

When I switched to LDAP-auth and logged in, I didn't have any roles assigned to me.  Would renaming my TeamCity-authenticated user account to something else, like "R.Smith", prior to changing to LDAP-auth correct the problem, or do I need to follow your link for resetting an admin password?

Once I switch the authentication to LDAP-auth, and the users log into TeamCity using their LDAP-authenticated user names, I can simply assign them to the groups I've already created, correct?

Last question (hopefully):  Are the contents of my config files, which I pasted into my first post, correct for what I want to do?


Thanks again,
-Ryan

0

Hi Ryan,

> Would this prevent the new LDAP-auth account from being created?
No, the existing users are in another schema.

> When I switched to LDAP-auth and logged in, I didn't have any roles assigned to me.
Yes, when you change the schema, users lose their permissions, because these are _other_ TeamCity users.
One schema is independent from another, so there is no point in renaming users in the default schema.
If you're not a sys admin in LDAP schema, please use resetting password link.

> Once I switch the authentication to LDAP-auth, and the users log into TeamCity using their LDAP-authenticated user names, I can simply assign them to the groups I've already created, correct?
Well, it's up to you to define with what usernames to login to TeamCity in a new auth schema, but I don't think it is reasonable to change LDAP username.
Yes, you can add them to groups.

> Last question (hopefully):  Are the contents of my config files, which I pasted into my first post, correct for what I want to do?
I think the following properties are used incorrectly:
- teamcity.users.login.filter
- teamcity.auth.formatDN (in fact, it depends on the LDAP server, but commonly it should transform the login to a full DN)
Please see the ldap-config.properties file.


---
Maxim

0
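As an added illustration (example code, not from the original post and not TeamCity's own code), the following Python script undoes the Java .properties backslash escaping and walks a few constructed logins through the three regex-valued properties from the question. The behaviour it models is my reading of the TeamCity LDAP documentation and should be checked against your version: teamcity.auth.loginFilter is a regex the typed login must fully match before LDAP is consulted, $login$ in teamcity.auth.formatDN is replaced with the typed login to build the bind name, and group 1 of teamcity.users.login.capture becomes the TeamCity username. The RELAXED_PROPERTIES variant, which also accepts a login without the domain prefix, and the formatDN value it uses are assumptions of mine, not settings the thread confirms; the correct formatDN depends on your directory.

```python
"""Added illustration (not TeamCity's code): how the regex-valued entries in
ldap-config.properties behave once Java .properties escaping is removed.

Assumed TeamCity behaviour (verify against your version's documentation):
  - teamcity.auth.loginFilter must fully match the typed login,
  - $login$ in teamcity.auth.formatDN is replaced by the typed login,
  - group 1 of teamcity.users.login.capture is the TeamCity username.
All logins and property texts below are constructed for the example.
"""
import re

# Constructed: the regex-bearing properties exactly as posted in the question.
ORIGINAL_PROPERTIES = r"""
teamcity.auth.formatDN=uid=$login$,
teamcity.auth.loginFilter=US\\\\\\S+
teamcity.users.login.capture=US\\\\(.*)
"""

# Assumed variant (not from the thread): accept "US\user" or a bare "user",
# strip the domain for the TeamCity username, and bind with the login as typed.
RELAXED_PROPERTIES = r"""
teamcity.auth.formatDN=$login$
teamcity.auth.loginFilter=(US\\\\)?\\S+
teamcity.users.login.capture=(?:US\\\\)?(.*)
"""


def unescape_properties_value(raw: str) -> str:
    """Undo the backslash escapes a Java .properties loader applies to a value
    (\\\\ -> \\, \\t, \\n, \\r, \\f, \\uXXXX; any other \\x becomes x)."""
    out, i = [], 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\" and i + 1 < len(raw):
            nxt = raw[i + 1]
            if nxt == "u" and i + 5 < len(raw):
                out.append(chr(int(raw[i + 2:i + 6], 16)))
                i += 6
                continue
            out.append({"t": "\t", "n": "\n", "r": "\r", "f": "\f"}.get(nxt, nxt))
            i += 2
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def load_properties(text: str) -> dict:
    """Minimal key=value loader; real .properties files also allow ':' and
    whitespace separators and line continuations, which are not needed here."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = unescape_properties_value(value.strip())
    return props


def simulate_login(props: dict, typed_login: str) -> dict:
    """Walk one typed login through filter -> bind name -> captured username."""
    login_filter = re.compile(props["teamcity.auth.loginFilter"])
    capture = re.compile(props["teamcity.users.login.capture"])
    result = {"login": typed_login, "accepted": False,
              "bind_name": None, "teamcity_user": None}
    if not login_filter.fullmatch(typed_login):
        return result  # rejected before any LDAP request is made
    result["accepted"] = True
    result["bind_name"] = props["teamcity.auth.formatDN"].replace("$login$", typed_login)
    m = capture.fullmatch(typed_login)
    # an empty group 1 would give an empty TeamCity username, so treat it as none
    result["teamcity_user"] = m.group(1) if m and m.group(1) else None
    return result


def run_examples() -> dict:
    original = load_properties(ORIGINAL_PROPERTIES)
    relaxed = load_properties(RELAXED_PROPERTIES)
    return {
        "original_domain": simulate_login(original, r"US\robert.smith"),
        "original_bare": simulate_login(original, "robert.smith"),
        "original_lowercase": simulate_login(original, r"us\robert.smith"),
        "relaxed_domain": simulate_login(relaxed, r"US\robert.smith"),
        "relaxed_bare": simulate_login(relaxed, "robert.smith"),
    }


if __name__ == "__main__":
    for name, r in run_examples().items():
        print(f"{name:19} accepted={r['accepted']!s:5} "
              f"bind={r['bind_name']!r:24} user={r['teamcity_user']!r}")
```

Running it shows three things worth knowing before switching the schema on: with the posted settings a user who types just robert.smith is rejected by loginFilter before LDAP is ever contacted, so "either form" does not work without a relaxed filter; the regexes are case-sensitive, so us\robert.smith is rejected too; and the posted formatDN produces the bind name uid=US\robert.smith, (trailing comma included), which is not a full DN. The script does not touch a directory, so it is safe to run against any candidate ldap-config.properties before deploying it.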
