LDAP login failures / admin account

I'm trying to set up TeamCity to authenticate against LDAP following http://www.jetbrains.net/confluence/display/TCD/Authentication+Settings. I have installed TeamCity 2.0, started and stopped it to create the .buildsettings directory, and then edited the main-config.xml as described and created my ldap-config.properties. My ldap-config.properties looks like:

com.sun.jndi.ldap.connect.pool=true
java.naming.provider.url=ldap://toyent01:389/
java.naming.security.principal=CN=kisdro,O=admin
java.naming.security.credentials=*******
java.naming.security.authentication=simple

I've cranked up the logging, and I see this in the logs:

DEBUG - ide.impl.auth.ServerLoginModel - Login failed, error: javax.security.auth.login.FailedLoginException: Please use DOMAIN\sAMAccountName login format

This doesn't make sense to me as I'm using straight LDAP login. Could someone please give me some guidance here?

cheers,
dim

ps - aside from these teething problems it looks like a great product and I'm looking forward to getting it all up and running.

8 comments

I'm trying to setup team city to authenticate against LDAP following http://www.jetbrains.net/confluence/display/TCD/Authentication+Settings. I have installed teamcity 2.0, started and stopped it to create the .buildsettings directory, and then edited the main-config.xml as described and created my ldap-config.properties. My ldap-config.properties looks like:

com.sun.jndi.ldap.connect.pool=true
java.naming.provider.url=ldap://toyent01:389/
java.naming.security.principal=CN=kisdro,O=admin
java.naming.security.principal=*******
java.naming.security.authentication=simple


You may want to enter the fully qualified name of your ldap server as
the value for java.naming.provider.url and remove the java.naming.security.principal
and java.naming.security.principal at least to start.

This is what worked for me:
Here is my "ldap-config.properties":
java.naming.referral=follow
java.naming.provider.url=ldap://..com:389
java.naming.security.authentication=simple

Then, logging in was a matter of entering:
username: \
password:

Hope that helps.

-Dave

0

Thanks Dave, unfortunately that didn't fix my problem.

I've changed my config to:

java.naming.provider.url=ldap://toyent01.<domain>:389/
java.naming.security.principal=CN=kisdro,O=admin
java.naming.security.credentials=<password>
java.naming.security.authentication=simple
java.naming.referral=follow

and then tried to log in with <username>\<domain> but in the log files I get this error:

DEBUG - ide.impl.auth.ServerLoginModel - Login failed, error: javax.security.auth.login.LoginException: javax.naming.InvalidNameException:

Our LDAP server is Novell eDirectory. We have all our other servers configured to authenticate against it, so I'm not new to configuring this stuff although I do have some unanswered questions in my head - eg what's the filter for a user, how do I restrict to users in certain groups, etc etc.

Are there any more docs on the details of this?

cheers,
dim

0

Dmitri Colebatch wrote:

Thanks Dave, unfortunately that didn't fix my problem.

I've changed my config to:

java.naming.provider.url=ldap://toyent01.<domain>:389/
java.naming.security.principal=CN=kisdro,O=admin
java.naming.security.credentials=<password>
java.naming.security.authentication=simple
java.naming.referral=follow

and then tried to log in with <username>\<domain> but in the log files I get this error:

DEBUG - ide.impl.auth.ServerLoginModel - Login failed, error: javax.security.auth.login.LoginException: javax.naming.InvalidNameException:

Our LDAP server is Novell eDirectory. We have all our other servers configured to authenticate against it, so I'm not new to configuring this stuff although I do have some unanswered questions in my head - eg what's the filter for a user, how do I restrict to users in certain groups, etc etc.

Are there any more docs on the details of this?

cheers,
dim


On error codes
http://java.sun.com/products/jndi/tutorial/ldap/models/exceptions.html

--
Alexey Gopachenko
JetBrains Inc.
http://www.intellij.com
"Develop with pleasure!"

0

TeamCity LDAP login provider authenticates users by direct login with credentials from login page, thus you need to REMOVE .principal and .credentials as Dave already pointed out to you.

--
Alexey Gopachenko
JetBrains Inc.
http://www.intellij.com
"Develop with pleasure!"

0
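The direct-login approach described in the reply above, sketched with JNDI as an added example; it is not TeamCity's code and not from any poster in this thread. The class name, the DN pattern (modelled on the CN=kisdro,O=admin principal quoted in the thread) and the .invalid host are assumptions.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.naming.ldap.Rdn;

public class DirectBindCheck {
    // Assumed DN layout for illustration; the real container comes from your directory.
    static final String DN_PATTERN = "CN=%s,O=admin";

    /** Map the name typed on the login page to a bind DN, escaping RDN special characters. */
    static String toBindDn(String login) {
        if (login == null || login.trim().isEmpty()) {
            throw new IllegalArgumentException("empty login name");
        }
        return String.format(DN_PATTERN, Rdn.escapeValue(login.trim()));
    }

    /** Environment for a per-user simple bind: no stored service principal or password. */
    static Hashtable<String, Object> bindEnv(String url, String login, char[] password) {
        // A simple bind with a DN and an empty password is an "unauthenticated bind"
        // (RFC 4513 section 5.1.2); many servers accept it, so reject it before connecting.
        if (password == null || password.length == 0) {
            throw new IllegalArgumentException("empty password");
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, toBindDn(login));
        env.put(Context.SECURITY_CREDENTIALS, password);
        return env;
    }

    /** True if the directory accepts the bind; the bind itself is the credential check. */
    static boolean authenticate(String url, String login, char[] password) {
        try {
            new InitialDirContext(bindEnv(url, login, password)).close();
            return true;
        } catch (NamingException | IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println(toBindDn("kisdro"));           // constructed sample login
        System.out.println(toBindDn("kisdro,O=admin"));   // comma and '=' are escaped
        // Empty password: rejected before any connection is attempted.
        System.out.println(authenticate("ldap://ldap.example.invalid:389/", "kisdro", new char[0]));
    }
}
```

With java.naming.security.authentication=simple over ldap:// on port 389, the password crosses the network in clear text; ldaps:// or StartTLS protects it.
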

TeamCity LDAP login provider authenticates users by direct login with credentials from login page, thus you need to REMOVE .principal and .credentials as Dave already pointed out to you.


Thanks Alexey, unfortunately the problem I'm facing is the domain\username syntax. This is not what my LDAP server is expecting. I have got around this by using my own login module, and it is all working nicely. I will try to package it up and post it here for anyone who's interested.

If you have a look at the complexity of the weblogic LDAP authenticator I think you'll see how much more configuration is required to make LDAP authentication work in all scenarios.

As an aside, I would love to be able to pull email address, full name, etc etc, out of LDAP, but I assume this isn't possible. Is it worth me raising an enhancement request?

cheers,
dim

0

Dmitri Colebatch wrote:

Thanks Alexey, unfortunately the problem I'm facing is the domain\username syntax. This is not what my LDAP server is expecting. I have got around this by using my own login module, and it is all working nicely. I will try to package it up and post it here for anyone who's interested.

I think we should make this syntax optional, see
http://www.jetbrains.net/jira/browse/TW-2406

If you have a look at the complexity of the weblogic LDAP authenticator I think you'll see how much more configuration is required to make LDAP authentication work in all scenarios.

There's also a wonderful LDAP login module in JDK 1.6, with full sources.
Do you think it covers all the cases you mentioned?

As an aside, I would love to be able to pull email address, full name, etc etc, out of LDAP, but I assume this isn't possible. Is it worth me raising an enhancement request?

I filed a separate issue for full name because this feature does not
require architectural changes. See TW-2407, TW-2408.


--
Alexey Gopachenko
JetBrains Inc.
http://www.intellij.com
"Develop with pleasure!"

0

I am having this same problem, can you give me your module or document how to set this up?

0
