LDAP authentication and multiple domains

We moved our server from a Windows box to a Linux box, and we found that the NTDomain authentication would no longer work for people who weren't in the default domain.

So I started configuring LDAP. However, I've run into some issues; it seems like all the items to help with user IDs are set up as if only one domain exists.

The teamcity.users.login.capture=DOMAIN_A\\\\(.*)

I can't get this to use multiple domains; if I do (DOMAIN_A|DOMAIN_B)\\\\(.*) then the username is passed in as DOMAIN_A\userid, which means all the users we have linked and their roles won't work anymore. I'm not sure how this thing is doing regex to know that DOMAIN_A\\\\(.*) goes to just the user ID, and the other patterns do not.


I tried to use the teamcity.users.acceptedLogin property instead of the capture, as in the web docs, but it didn't do anything; I still saw users log in as DOMAIN\userid.


Is there any way we can get NTDomain authentication working under Linux like it did in Windows? I know in Windows we had that ntlm.compatibilityMode=true setting that worked great for us. People could log in with the default domain, or put in domain\userid. Nice and flexible. I'd really like to get back to that.

I did notice for LDAP that if you use the teamcity.auth.formatDN setting, you don't have to enter the domain, but you screw over other domains, as TeamCity isn't smart enough to realize that DOMAIN_A\userid shouldn't be translated to DOMAIN_A\DOMAIN_A\userid. If it did, this would solve most of my problems, as 95% of my users are on DOMAIN_A.

I've attached a sample of what I have going now.

Thanks!
-Scott MacDonald
Attachment(s):
ldap-config.properties.zip
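The capture problem in the post comes down to two things: how a Java .properties loader unescapes backslashes before the value ever reaches the regex engine, and which capturing group the login-capture regex hands back. The following is an added example written for this page (not code from the post, its attachment, or TeamCity itself). It assumes, as the TeamCity LDAP docs describe, that teamcity.users.login.capture is a Java regex whose first capturing group becomes the TeamCity username; the sample logins, the domain names DOMAIN_A/DOMAIN_B and the canonical_login() normalizer are constructed for illustration. It shows why `(DOMAIN_A|DOMAIN_B)\\\\(.*)` stops yielding a bare user ID (the domain becomes group 1), how a non-capturing group fixes that, and how a normalizer can accept both `userid` and `DOMAIN\userid` without producing the `DOMAIN_A\DOMAIN_A\userid` double prefix, while rejecting a domain the server does not trust.

```python
import re

# Constructed sample logins (not taken from the original thread).
SAMPLE_LOGINS = ["DOMAIN_A\\scott", "DOMAIN_B\\jane", "scott"]

# Assumed values: the post names these two domains and says most users are in DOMAIN_A.
KNOWN_DOMAINS = {"DOMAIN_A", "DOMAIN_B"}
DEFAULT_DOMAIN = "DOMAIN_A"


def unescape_properties_value(raw: str) -> str:
    """Apply the backslash unescaping a Java .properties loader performs.

    In a .properties file a backslash followed by a character yields that
    character (with t/n/r/f mapped to control characters), so the value
    DOMAIN_A\\\\(.*) written in the file reaches the regex engine as
    DOMAIN_A\\(.*), i.e. a pattern matching one literal backslash.
    Unicode escapes (\\uXXXX) are not needed here and are not modelled.
    """
    out = []
    i = 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\" and i + 1 < len(raw):
            nxt = raw[i + 1]
            out.append({"t": "\t", "n": "\n", "r": "\r", "f": "\f"}.get(nxt, nxt))
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def capture_username(pattern_in_file: str, login: str):
    """Model of teamcity.users.login.capture.

    Assumption: TeamCity takes the first capturing group of a full match as
    the username. A pattern with no capturing group is rejected outright;
    a login that does not match returns None.
    """
    regex = re.compile(unescape_properties_value(pattern_in_file))
    if regex.groups == 0:
        raise ValueError("login capture pattern needs a capturing group")
    m = regex.fullmatch(login)
    return m.group(1) if m else None


def canonical_login(login: str):
    """Normalize 'userid' or 'DOMAIN\\userid' to 'DOMAIN\\userid' exactly once.

    This is the behaviour the post wishes formatDN had: a login that already
    carries a known domain keeps it, a bare login gets DEFAULT_DOMAIN, and a
    login naming an unknown domain (or containing a second backslash, which
    would be the double-prefix case) is rejected rather than guessed at.
    Domain and user are case-folded because Windows treats both as
    case-insensitive; without that, 'domain_a\\Scott' and 'DOMAIN_A\\scott'
    would map to two different TeamCity users and two different role sets.
    """
    domain, sep, user = login.partition("\\")
    if not sep:
        domain, user = DEFAULT_DOMAIN, login
    domain = domain.upper()
    if domain not in KNOWN_DOMAINS or not user or "\\" in user:
        return None
    return f"{domain}\\{user.lower()}"


if __name__ == "__main__":
    patterns = {
        "single domain (from the post)": r"DOMAIN_A\\\\(.*)",
        "alternation, capturing": r"(DOMAIN_A|DOMAIN_B)\\\\(.*)",
        "alternation, non-capturing": r"(?:DOMAIN_A|DOMAIN_B)\\\\(.*)",
        "optional domain prefix": r"(?:(?:DOMAIN_A|DOMAIN_B)\\\\)?(.*)",
    }
    for label, pat in patterns.items():
        print(f"{label}: {pat}")
        for login in SAMPLE_LOGINS:
            print(f"  {login!r:20} -> {capture_username(pat, login)!r}")
    print("canonical:")
    for login in SAMPLE_LOGINS + ["domain_b\\Jane", "EVIL\\scott", "DOMAIN_A\\DOMAIN_A\\scott"]:
        print(f"  {login!r:28} -> {canonical_login(login)!r}")
```

Running it shows the single-domain pattern returning `scott` only for `DOMAIN_A\scott` and nothing for the other two logins, the capturing alternation returning `DOMAIN_A`/`DOMAIN_B` instead of a user ID, the non-capturing alternation returning the user ID for both domains but still rejecting a bare login, and the optional-prefix form accepting all three. Whether TeamCity then falls back to the full `DOMAIN_A\userid` string when group 1 is not what it expects, as the post reports, is not modelled here. The normalizer is the piece to put in front of any DN template: it is what prevents `DOMAIN_A\userid` from being prefixed a second time.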
6 comments

Have you tried to work without ntlm.compatibilityMode? If set to true, then native authentication using native code will be used, and obviously it will not work under Linux. If set to false, then TeamCity will use jCIFS (http://jcifs.samba.org/), which should work under Linux too. jCIFS has some configuration settings that might help in your situation; see http://jcifs.samba.org/src/docs/api/overview-summary.html#scp
Any jCIFS-related property specified in the ntlm-config.properties file will be passed to the jCIFS library.


That is how we are currently set up on the server everyone is using, which led to this problem. Under Linux with ntcompatibility off, the default domain works, but no other does.


I've looked through the jCIFS stuff, but nothing is popping out as what I can use to make sure the user ID gets processed correctly. Currently with NTDomain, the user can type in their username and the default domain figures it out. But if I type in DOMAIN_A\userid, it doesn't know what I'm talking about with ntcompatibility turned off.

If you have any pointers, let me know.


Have you tried to specify the FQDN of the domain server host? I.e., if the domain server's DNS name is some.host.com, have you tried to log in using some.host.com\username?


That worked! It's a little irritating, but it worked. Let me see if the guys in the 2nd domain work too.


I can guess that jCIFS tries to locate Windows domain servers using DNS lookups. You can add the domain names to /etc/hosts on the TeamCity server to be able to use short names.
