LDAP synchronization

I have set the synchronization settings as:

teamcity.options.users.synchronize=true
teamcity.options.groups.synchronize=false
teamcity.options.createUsers=true
teamcity.options.deleteUsers=false
teamcity.options.syncTimeout = 3600000
java.naming.security.principal=<bind user name>
java.naming.security.credentials=<bind password>
teamcity.users.filter=(objectClass=user)
teamcity.users.username=sAMAccountName
teamcity.property.distinguishedName=name
teamcity.users.property.displayName=displayName
teamcity.users.property.email=mail

In the server logs:

[2010-07-13 12:35:23,330]   INFO -     jetbrains.buildServer.LDAP - ------ LdapManager Start ------
[2010-07-13 12:35:23,408]   INFO -     jetbrains.buildServer.LDAP - LDAP properties loaded
[2010-07-13 12:35:23,408]   INFO -     jetbrains.buildServer.LDAP - Groups synchronization is disabled
[2010-07-13 12:35:23,408]   INFO - tbrains.buildServer.ACTIVITIES - Server Started
[2010-07-13 12:35:23,408]   INFO -     jetbrains.buildServer.LDAP - ------ Sync with LDAP users started ------
[2010-07-13 12:35:26,627]   WARN -     jetbrains.buildServer.LDAP - LimitExceededException is thrown. Trying to use paging
[2010-07-13 12:36:22,751]   WARN -     jetbrains.buildServer.LDAP - Paging succeeded. Total results: 20647

After the above log line, it doesn't show anything. There is no sync status message. Also, it doesn't synchronize any data.

8 comments

Thanks Maxim,

We actually have users spread across our ldap directory structure, that is why we chose to have teamcity.users.base commented and let teamcity search for users in a bigger set represented by the ldap URL as java.naming.provider.url=ldap://im.fmrco.com:389/DC=xyz,DC=abc,DC=com.

And the ldap structure looks like:

com
     + abc
          + xyz
               + Users
                         + EQR
                                   + user 1
                                   + user 2
                                        -
                                        -
                                        -
                         + PDM
                         + TSO
                                   + user 11
                                   + user 22
                                        -
                                        -
                                        -

We want to search for the users which are in OU = TSO and OU = EQR. Is there any way we can set teamcity.users.base to two different DNs, tab-separated or using some other delimiter, such as:
               teamcity.users.base = OU=EQR,OU=Users       OU=TSO,OU=Users                   

Or is there any other way to make TeamCity search for users in two different DNs under a common OU?

0

Hi,

The base property seems to be right. Maybe you can tune the filter to narrow the search?
I wanted to let you know that paging over a large result set was finally fixed in 5.1, and it also requires that the LDAP server supports it.
Do you plan to upgrade to 5.1 soon?

0

We already have 5.1 implemented, and we also get the users' data successfully in the LDAP search results. The only problem is that it takes a long time to finish the synchronization process. We have given a broader filter to let TeamCity search the LDAP directory for users in different DNs. All I wanted to ask is whether I can use two filters at the same time in order to let TeamCity search two different OUs having a common ancestor, e.g.

teamcity.users.base = OU=EQR,OU=Users       OU=TSO,OU=Users

instead of

teamcity.users.base = OU=Users

(Note: refer to my previous post for the LDAP directory structure.)

0

Unfortunately the only way (currently) is to use a common node as base.
What I meant was you can specify a more specific teamcity.users.filter. Are there really 20000 users in TeamCity?

0

Actually not. The TeamCity group with which we want to synchronize (to auto-create users in TeamCity) has a smaller number of users, say only 200.

These 200 user accounts are already created in the LDAP directory and they are scattered throughout the directory. We do have an LDAP group for these 200 users, TEAMCITY_USER_GROUP, and these 200 users are members of this LDAP group.

Just because they are scattered at various nodes throughout the LDAP directory, we have to specify a broader node as the base filter, which makes the sync process slow.

0

OK. If there is an LDAP attribute that distinguishes TeamCity users from others (e.g. they are members of a certain group), you can use it to fetch only them.
The LDAP filter supports boolean expressions; you can find examples at http://technet.microsoft.com/en-us/library/aa996205(EXCHG.65).aspx

0
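The filter change suggested above, written out as an added example (not posted by anyone in the thread and not taken from JetBrains documentation). It assumes an Active Directory server, as the sAMAccountName and objectClass=user settings suggest; the group's container is not given in the thread, so `<group container>` is a placeholder, and the objectCategory clause is an addition of this example.

```properties
# Before (from the thread): every user object under the base DN matches,
# which produces the 20647-entry result set seen in the log. With
# teamcity.options.createUsers=true, all of those entries are in scope
# for synchronization.
# teamcity.users.filter=(objectClass=user)

# After: only direct members of the TeamCity group are returned.
# - memberOf is compared against the group's full DN, not its name.
#   <group container> is a placeholder for the OU/CN path of the group.
# - objectCategory=person (added here) excludes computer accounts, which
#   also carry objectClass=user in Active Directory.
teamcity.users.filter=(&(objectClass=user)(objectCategory=person)(memberOf=CN=TEAMCITY_USER_GROUP,<group container>,DC=xyz,DC=abc,DC=com))

# Variant when users belong to TEAMCITY_USER_GROUP only through nested
# groups: the Active Directory matching rule LDAP_MATCHING_RULE_IN_CHAIN
# walks the membership chain on the server. It is slower than a direct
# memberOf match.
# teamcity.users.filter=(&(objectClass=user)(objectCategory=person)(memberOf:1.2.840.113556.1.4.1941:=CN=TEAMCITY_USER_GROUP,<group container>,DC=xyz,DC=abc,DC=com))
```

The base DN can stay at the common ancestor, since the filter rather than the base now limits which entries are synchronized.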

Thanks Maxim. This solves my problem. The sync time got reduced to some extent.

0
