Switching from "Windows Domain" authentication to "LDAP"

Answered

My end goal is to get some of my Active Directory Groups available in TeamCity.

So I looked at the docs for that, and it includes changes to `ldap-config.properties`. I currently do not have such a file. I only have a `ldap-config.properties.dist` file (i.e. the example file). Looking at my Administration->Authentication settings, I do not have an `LDAP` configuration set up.

Looking at the docs, it looks as if I will need to add in LDAP Authentication to get access to my Active Directory Groups.  Here are my questions with that:

  • Am I going to lose my current user permissions and setup if I add in LDAP? (We have been using TeamCity for many years, and I do not want to have to try to re-assign all the users their various permissions.)
  • Will the users merge?  (Meaning will TeamCity see user John Doe from Microsoft Windows Domain Authentication and John.Doe@mydomain.net from LDAP and realize that they are the same user.)
  • Related to the above, will group membership for LDAP groups be connected to the users that already exist?

Basically, it looks as if there will be two different ways that users can be authenticated.  I am worried that they will be seen as two different users.  And then the group role permissions will not work (because the users are split).

How will adding/switching to LDAP work for my existing users?

5 comments

You are correct that you would need to create the ldap-config.properties file. This configuration file is only necessary when using LDAP authorization and the ldap-config.properties.dist file is included as an example file (see ldap-config.properties Configuration). You can make a copy of this example file and rename it 'ldap-config.properties', if you'd like.

If you're currently using Active Directory for authentication, how have you configured this? Typically this is configured in the ldap-config.properties file, but you've mentioned this doesn't exist on your installation. Would you mind sharing a screenshot of the Administration | Authentication page from your TeamCity server? This would help me to better understand your current setup.

When you add the LDAP authentication module on a TeamCity server that already has users, the users can still log in using the previous authentication modules credentials (unless you remove the modules). On a successful LDAP login, LDAP retrieves a username as configured by the 'teamcity.users.username' property and if there is already a user with such TeamCity username, the user logs in as the matching user. If there is no existing user, a new one is created with the username retrieved from LDAP.

0

Eric Borchardt,

Thank you for the response.  

>> If you're currently using Active Directory for authentication, how have you configured this?

I think we are using a mode called "Microsoft Windows Domain". When we log in we select that option instead of entering a Username or Password:

>> Would you mind sharing a screenshot of the Administration | Authentication page from your TeamCity server?

If you have any advice on how best to proceed so that I can get access to AD Groups in TeamCity, I would love to hear it.

0

Perfect, thanks for sharing the screenshot! You can leave that authentication module enabled while you're setting up the LDAP properties. I'm assuming you're sticking with Active Directory, just switching to LDAP authorization in TeamCity. When you set up your LDAP settings, please take a look at the example we have for Active Directory with User Details Synchronization. This will not change any group memberships in TeamCity, but it will update user details such as Display Name and User Email. I believe you will also need to specify the previous 'Domain\Username' login as shown in Username Migration.

It is possible to map your AD groups to TeamCity groups, if this is something that sounds interesting to you. You would use a ldap-mapping.xml to define these relationships. Additional information and some examples are available here: https://www.jetbrains.com/help/teamcity/typical-ldap-configurations.html#Active+Directory+With+Group+Synchronization

1

I forgot to mention, the ldap-mapping.xml file will be in <teamcity data directory>/config. You should find an example file there called ldap-mapping.xml.dist, which can be used to help get you started on this. Additional details on setting this up are available here: https://www.jetbrains.com/help/teamcity/ldap-integration.html#User+Group+Membership.

1
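The pieces the two comments above describe (AD login against sAMAccountName, username migration from the old `DOMAIN\login` form, user details synchronization, and group synchronization driven by `ldap-mapping.xml`) combined into one `ldap-config.properties`, as an added example rather than a file from this thread or from JetBrains. The host name, base DN, service account, `EXAMPLE` NetBIOS domain and password are placeholders; the property names follow the TeamCity LDAP integration docs linked in the comments, so check them against the `ldap-config.properties.dist` shipped with your own TeamCity version.

```properties
# Constructed example: <teamcity data directory>/config/ldap-config.properties
# Connection. Port 3268 is the AD Global Catalog (assumed here so one base DN
# covers the whole forest); use 3269 with ldaps:// for a TLS connection.
java.naming.provider.url=ldap://dc.example.com:3268/DC=example,DC=com
java.naming.security.principal=CN=teamcity-svc,CN=Users,DC=example,DC=com
java.naming.security.credentials=REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD

# Login. The typed login is matched against sAMAccountName, and that
# attribute becomes the TeamCity username. If a TeamCity user with that
# username already exists, the login is mapped onto it; otherwise a new
# user is created.
teamcity.users.login.filter=(sAMAccountName=$capturedLogin$)
teamcity.users.username=sAMAccountName

# Username migration. Users created by the "Microsoft Windows Domain"
# module are stored as DOMAIN\login. On a user's first LDAP login TeamCity
# looks for that old username and renames it to the LDAP one, so the
# existing account (and its roles) is reused instead of a second user
# being created. Replace EXAMPLE with your NetBIOS domain name; the
# doubled backslash is the .properties escape for one backslash.
teamcity.users.previousUsername=EXAMPLE\\$login$

# User details synchronization: refreshes display name and email on a
# schedule. It does not change TeamCity group memberships by itself.
teamcity.options.users.synchronize=true
teamcity.users.base=
teamcity.users.filter=(&(objectCategory=person)(sAMAccountName=*))
teamcity.users.property.displayName=displayName
teamcity.users.property.email=mail

# Group synchronization: which AD group feeds which TeamCity group is
# declared separately in <teamcity data directory>/config/ldap-mapping.xml
# (start from ldap-mapping.xml.dist); these properties tell TeamCity how
# to read membership from AD.
teamcity.options.groups.synchronize=true
teamcity.groups.base=
teamcity.groups.filter=(objectClass=group)
teamcity.groups.property.member=member
teamcity.users.property.memberOf=memberOf
```

Before enabling this on a production server, run the LDAP synchronization on the test instance with a read-only service account and confirm in Administration | Users that the migrated users kept their roles and that no duplicate `EXAMPLE\login` and `login` pairs remain.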

Eric Borchardt,

Thank you for the help! I think this is too big of a change to do directly on my server. As much as I dislike the delay to my project for this, I am going to have to request resources to set up a test server to try this change out first, before I risk running it on my real TeamCity installation. (It is too critical to daily operations to risk it.)

I will get that set up and then report back on any issues we end up facing with the LDAP integration with the existing user base (or open a new question if something else comes up).

Thank you again for your help.

0
