new LDAP options

I just read the documentation for the new LDAP integration and I'm quite sure that we might be able to abandon our custom LDAP-Plugin (see http://www.jetbrains.net/tracker/oldIssue/TW-2407).

Some questions are still open:
1) As we use Lotus Notes (which accepts a hell of a lot names for authentication) we were never able to write a good

which could prevent doubled user-accounts.

Do I understand it correctly that teamcity.users.attribute.username will trigger to use the given LDAP-attribute as the unique username, thus preventing double-accounts?

2) The option
teamcity.users.property.plugin:vcs:<VCS type>:anyVcsRoot
is not usable for us, as VCS names are not stored in our directory.
Without this option, it doesn't make sense to synchronize groups and to hope for notifications for new users.
We had to tell new employees to fill in their VCS-username again to receive notifications for changes.

Our current plugin uses a (99% correct) heuristic to determine the VCS-Username such as:
- take the last name of the user
- replace all umlauts

So only some special employees named 'schulz' or 'meier' (very common names in Germany) still need to fill in their correct vcs-name, which is acceptable.

As this seems to be the only place where we would need a custom logic, it would be nice, if that logic could be provided by a custom-plugin.
Maybe there is already a listener, which informs about all newly created users?
On the other hand a listener which is called after an LDAP synchronization for each user was done would be nice.

Our current plugin then would shrink to a 10-liner which tries to fill VCS usernames.
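
The heuristic from the post above (last name, umlauts replaced), as an added example that is not part of the original post and not TeamCity code. It also refuses to auto-assign when two accounts derive the same name (the 'schulz'/'meier' case), since a wrong mapping would attribute commits and send change notifications to the wrong account. Assumptions: lowercasing, the ae/oe/ue/ss transliteration, the function names and the sample users are all constructed for illustration.

```python
import unicodedata
from collections import defaultdict

# Assumed transliteration; the post only says "replace all umlauts".
UMLAUTS = str.maketrans({"ä": "ae", "ö": "oe", "ü": "ue", "ß": "ss"})


def vcs_candidate(last_name: str) -> str:
    """Derive a VCS username candidate from a directory last name."""
    # NFC first, so a decomposed "u" + combining diaeresis becomes "ü".
    s = unicodedata.normalize("NFC", last_name.strip()).lower()
    s = s.translate(UMLAUTS)
    # Strip any remaining accents (e.g. "ë") and non-alphanumeric characters.
    s = unicodedata.normalize("NFKD", s)
    return "".join(c for c in s if c.isascii() and c.isalnum())


def assign_vcs_names(users: dict) -> tuple:
    """users maps unique username -> last name.

    Returns (assigned, ambiguous). A candidate shared by several accounts,
    or an empty candidate, is never assigned automatically.
    """
    by_candidate = defaultdict(list)
    for uid, last_name in users.items():
        by_candidate[vcs_candidate(last_name)].append(uid)

    assigned, ambiguous = {}, {}
    for candidate, uids in by_candidate.items():
        if candidate and len(uids) == 1:
            assigned[uids[0]] = candidate
        else:
            for uid in uids:
                ambiguous[uid] = candidate  # needs manual entry by the user
    return assigned, ambiguous


# Constructed sample directory entries (unique username -> last name).
USERS = {
    "smueller": "Müller",
    "aschulz": "Schulz",
    "bschulz": "Schulz",
    "jgross": "Groß",
    "rnoel": "Noël",
}

if __name__ == "__main__":
    ok, manual = assign_vcs_names(USERS)
    print("assigned:", ok)
    print("manual entry needed:", manual)
```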

4 comments

Stefan,

> Do I understand it correctly that teamcity.users.attribute.username will trigger to use the given LDAP-attribute as the unique username, thus preventing double-accounts?

This option allows binding a TeamCity user to an LDAP user, so we can update the user data if it is already set in LDAP. So users can still log in with different usernames (if loginFilter allows), but if the username matches the username from LDAP, some additional data can be set automatically (and updated later with respect to LDAP data changes).
Unfortunately, at this moment the only way to restrict the allowed username is via "teamcity.auth.loginFilter" property.

> As this seems to be the only place where we would need a custom logic, it would be nice, if that logic could be provided by a custom-plugin.
> Maybe there is already a listener, which informs about all newly created users?

There is a UserModelListener class (please see the documentation for more details) that may help you. Just one caveat: after the user is created, its VCS properties are set with default values. So if you need to set a VCS name, you'd better listen for the userAccountChanged rather than the userAccountCreated event.

Please, feel free to ask more questions if something isn't clear.

So then I just wish for a property, that I can map from different authorization names to a unique user-id.

Otherwise we had to stay with our own LDAP-LoginModule, which can handle this situation.

Don't know how many more Lotus Notes users are out there who would need such a feature.


Please submit a feature request, we'll try to fix it in the next versions.


Stefan,

Thank you for the request (http://jetbrains.net/tracker/oldIssue/TW-7833), the new options have been added in TeamCity 4.5. Now you can configure a way to find the user in LDAP by the entered login and to fetch the username. Please let us know if this is not sufficient in your case.
