Can't get LDAP to work
I have created an ldap-config.properties file as follows:
```properties
java.naming.provider.url=ldaps://ldap.jumpcloud.com:636/O=<SECRET>,DC=jumpcloud,DC=com
java.naming.security.principal=bind_dn
java.naming.security.credentials=<SECRET>
teamcity.users.base=CN=users
teamcity.users.login.filter=(&(objectClass=person)(memberOf=cn=Teamcity,ou=Users,o=<SECRET>,dc=jumpcloud,dc=com))
teamcity.users.username=uid
teamcity.users.login.filter=(&(objectClass=person)(memberOf=cn=Teamcity,ou=Users,o=<SECRET>,dc=jumpcloud,dc=com))
teamcity.options.users.synchronize=true
teamcity.options.groups.synchronize=false
teamcity.options.createUsers=true
teamcity.options.deleteUsers=true
teamcity.options.syncTimeout=3600000
teamcity.groups.property.member=member
teamcity.users.property.displayName=displayName
teamcity.users.property.email=mail
```
When I switched the auth mechanism to LDAP and tried to log in with my LDAP user account, I got the following error:
```text
[2018-05-18 19:37:22,651] INFO - jetbrains.buildServer.LDAP - Starting synchronization session
[2018-05-18 19:37:22,651] INFO - jetbrains.buildServer.LDAP - Fetching remote users and groups
[2018-05-18 19:37:23,125] WARN - jetbrains.buildServer.LDAP - Error while retrieving LDAP users, skipping users synchronization: LDAP search operation returned an error while retrieving users. While initializing LDAP connection. LDAP server says: Invalid DN syntax. Original error: org.springframework.ldap.InvalidNameException: [LDAP: error code 34 - invalid DN]; nested exception is javax.naming.InvalidNameException: [LDAP: error code 34 - invalid DN]
[2018-05-18 19:37:23,125] INFO - jetbrains.buildServer.LDAP - Skipping groups synchronization as 'teamcity.options.groups.synchronize' property is not set to 'true'
[2018-05-18 19:37:23,125] INFO - jetbrains.buildServer.LDAP - Last synchronization statistics: user sync enabled=false, created users=0, updated users=0, deleted users=0, remote users=0, matched users=0, group sync enabled=false, created groups=0, updated groups=0, deleted groups=0, remote groups=0, matched groups=0, duration=474ms, errors=1, errors: [Error while retrieving LDAP users, skipping users synchronization: LDAP search operation returned an error while retrieving users. While initializing LDAP connection. LDAP server says: Invalid DN syntax. Original error: org.springframework.ldap.InvalidNameException: [LDAP: error code 34 - invalid DN]; nested exception is javax.naming.InvalidNameException: [LDAP: error code 34 - invalid DN]]
```
I don't even see where a DN is specified in the config above. How do I resolve this error? Does anyone have a non-AD LDAP configuration that is working? I was able to do an ldapsearch successfully with this configuration:
```shell
# Base DN corrected to ou=Users (the attribute name is "ou"); the filter is
# quoted so the shell does not interpret the parentheses and "&".
ldapsearch -H ldaps://ldap.jumpcloud.com:636 \
  -b 'ou=Users,o=<SECRET>,dc=jumpcloud,dc=com' \
  -D 'uid=bind_dn,ou=Users,o=<SECRET>,dc=jumpcloud,dc=com' \
  -w '<SECRET>' \
  '(&(objectClass=person)(memberOf=cn=Teamcity,ou=Users,o=<SECRET>,dc=jumpcloud,dc=com))'
```
This returns a list of members of the Teamcity group exactly as expected.
Hi Alex,
The ldap.properties file is a Java properties file, which means that some special characters need to be escaped (https://docs.oracle.com/javase/1.5.0/docs/api/java/util/Properties.html#load(java.io.InputStream)).
Please consider escaping special characters such as &, and also, I guess it was a copy-paste error here, but double-check that you have duplicated the "teamcity.users.login.filter" key.
I was able to get everything working by putting the URI through a URL encoder:
```python
In [12]: urllib.parse.quote('O=<SECRET>,DC=jumpcloud,DC=com')
Out[12]: 'O%3D%3CSECRET%3E%2CDC%3Djumpcloud%2CDC%3Dcom'
```
Appending the string output above to the URI in java.naming.provider.url resolved the problem.
I would like to point out that there is no documentation of this requirement in the following documents:
* https://confluence.jetbrains.com/display/TCD10/Typical+LDAP+Configurations
* https://confluence.jetbrains.com/display/TCD10/LDAP+Integration#LDAPIntegration-ldap-config.propertiesConfiguration
And in fact all the URIs given as examples are not encoded.
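The two pitfalls this thread turns up, a duplicated key in the properties file and a base DN in java.naming.provider.url that is not percent-encoded as RFC 4516 expects, can both be caught before restarting TeamCity. The checker below is an added example, not code from the thread or from JetBrains; the sample config is constructed with a placeholder organisation name, and the properties parser is a simplified one that only honours the first unescaped "=" or ":" as separator.

```python
"""Check a TeamCity ldap-config.properties for duplicate keys and an
unencoded base DN in the LDAP provider URL, then produce the encoded URL."""
from collections import Counter
from urllib.parse import quote, unquote, urlsplit, urlunsplit

# Constructed sample mirroring the thread's config (O=EXAMPLE is a placeholder).
SAMPLE = """\
java.naming.provider.url=ldaps://ldap.jumpcloud.com:636/O=EXAMPLE,DC=jumpcloud,DC=com
java.naming.security.principal=bind_dn
teamcity.users.login.filter=(&(objectClass=person)(memberOf=cn=Teamcity,ou=Users,o=EXAMPLE,dc=jumpcloud,dc=com))
teamcity.users.username=uid
teamcity.users.login.filter=(&(objectClass=person)(memberOf=cn=Teamcity,ou=Users,o=EXAMPLE,dc=jumpcloud,dc=com))
"""


def parse_properties(text):
    """Simplified java.util.Properties reader: skips blank and comment lines and
    splits each entry at its first unescaped '=' or ':'. Duplicates are kept so
    the caller can report them (Properties.load would silently keep the last)."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        for i, ch in enumerate(line):
            if ch in "=:" and (i == 0 or line[i - 1] != "\\"):
                pairs.append((line[:i].strip(), line[i + 1:].strip()))
                break
        else:
            pairs.append((line, ""))
    return pairs


def duplicate_keys(pairs):
    """Keys that appear more than once, sorted for stable reporting."""
    counts = Counter(key for key, _ in pairs)
    return sorted(key for key, n in counts.items() if n > 1)


def encode_provider_url(url):
    """Percent-encode the DN part of an LDAP URL. The DN is decoded first so the
    function is idempotent and never double-encodes an already-fixed URL."""
    parts = urlsplit(url)
    dn = unquote(parts.path.lstrip("/"))
    path = "/" + quote(dn, safe="") if dn else ""
    return urlunsplit((parts.scheme, parts.netloc, path, parts.query, parts.fragment))


def check_config(text):
    """Return the findings a practitioner wants before restarting the server."""
    pairs = parse_properties(text)
    values = dict(pairs)
    url = values.get("java.naming.provider.url", "")
    return {
        "duplicate_keys": duplicate_keys(pairs),
        "provider_url_needs_encoding": url != encode_provider_url(url),
        "encoded_provider_url": encode_provider_url(url),
    }
```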