2
votes

This is a short howto to get you going with your LDAP setup for TeamCity. I personally struggled for quite a bit before I managed to get the synchronisation to run. The default config files have a lot of settings and text, which may be more confusing than helpful. A lot of posts about issues setting up group sync can be seen at both JetBrains and StackOverflow.

This setup assumes you don't have a nested group for importing members, but single groups. If you want to use a nested group for TeamCity, then look at the "Limiting the number of groups to be synchronized" section at https://www.jetbrains.com/help/teamcity/typical-ldap-configurations.html?_ga=2.213872598.374019039.1565610915-964155662.1565610915

Change the teamcity.users.filter accordingly.

teamcity.users.filter=(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=TeamCity Users,OU=Accounts,DC=domain,DC=com))

JetBrains prefers that you have a nested group where the top node is your TeamCity group. However, that's not how I wanted to set up the sync at the moment.

Assumptions

EricLavault: It would be nice to separate the question from the answer though, so that you can accept it; posts marked as answered are more easily retrievable from Google.

Harald S. Hanssen: I'll do that asap :)

1 Answer

0
votes

Here's how I set up the TeamCity LDAP config files to synchronize AD groups:

ldap-config.properties file

# Server (or domain) to bind to, plus the base DN that searches start from
java.naming.provider.url=ldap://<your server or domain>:3268/DC=YOUR,DC=Domain,DC=Here
# Bind account used for lookups; the password is stored in clear text here, so keep this file readable only by the TeamCity service account
java.naming.security.principal=<username>
java.naming.security.credentials=<password>
# How a TeamCity login name is matched to an AD account
teamcity.users.login.filter=(sAMAccountName=$capturedLogin$)
teamcity.users.username=sAMAccountName

### USERS SETTINGS ###
teamcity.options.users.synchronize=true
# Note: in AD the computer class inherits from user, so (objectClass=user) also matches computer accounts
teamcity.users.filter=(objectClass=user)
teamcity.users.property.displayName=displayName
teamcity.users.property.email=mail

# Automatic user creation and deletion during users synchronization
teamcity.options.createUsers=true
teamcity.options.deleteUsers=true

### GROUPS SETTINGS ###
# These settings are mandatory if groups synchronization is turned on (ldap-mapping.xml exists)
# Set to "true" to enable the synchronization for groups listed in ldap-mapping.xml file.
# IMPORTANT NOTE: TeamCity groups should be already created manually and listed in ldap-mapping.xml file.
teamcity.options.groups.synchronize=true

# The group search LDAP filter used to retrieve groups to synchronize.
# The search is performed inside the LDAP entry denoted by "teamcity.groups.base". The result should include all the groups configured in the ldap-mapping.xml file.
teamcity.groups.filter=(objectClass=group)

### OPTIONAL SETTINGS ###

# The time interval between synchronizations (in milliseconds). By default, it is one hour.
teamcity.options.syncTimeout=3600000

# The LDAP attribute of a group storing its members.
# Note: LDAP attribute should contain the full DN of the member, one attribute per member. See also "teamcity.users.property.memberId".
teamcity.groups.property.member=member

Note: I use port 3268, not 389, because the default port made TeamCity incredibly slow at login. In most cases it took 5 minutes to log in with 389, compared to 3268, which made it instant.

ldap-mapping.xml file

<!DOCTYPE mapping SYSTEM "ldap-mapping.dtd">
<mapping>
  <!-- Example mapping entry:
  <group-mapping teamcityGroupKey="GROUP" ldapGroupDn="CN=Group,DC=Example,DC=Com"/>
  -->
   <group-mapping teamcityGroupKey="YourGroupKey" ldapGroupDn="CN=<DNName>" />
</mapping>

Powershell and RSAT

To get the distinguished name for each group I've added, I've used a computer with RSAT (Remote Server Administration Tools) installed: https://www.microsoft.com/en-us/download/details.aspx?id=45520. RSAT adds some Active Directory cmdlets to PowerShell, which makes it easier to get the LDAP settings you need.

The powershell command:

Get-ADGroup "<Group name>" -Properties *

Add the DistinguishedName to the ldapGroupDn field in the ldap-mapping.xml file along with the teamcityGroupKey and you should be ready to go.
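As an added example (not code from the question, the answer or JetBrains), the following Python script runs the two sanity checks a practitioner would want before restarting TeamCity with the files above: it parses a ldap-config.properties fragment and a ldap-mapping.xml, verifies that every ldapGroupDn lies under the base DN given in java.naming.provider.url (a mapping outside the search base silently syncs nothing), and builds the nested-group teamcity.users.filter from the question with RFC 4515 escaping of the group DN, so a group name containing parentheses, asterisks or backslashes cannot break or widen the filter. The hostname, service account, password and the second group mapping are constructed placeholders; the DTD file is not fetched.

```python
"""Preflight checks for a TeamCity LDAP configuration (added example, not the post's own code).

Reads a ldap-config.properties fragment and a ldap-mapping.xml, checks that every
mapped group DN sits under the base DN of java.naming.provider.url, and builds the
nested-group user filter with RFC 4515 escaping. All sample inputs are constructed.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlparse

# Constructed sample ldap-config.properties; host, account and password are placeholders.
SAMPLE_PROPERTIES = """\
# bind settings (Java .properties syntax)
java.naming.provider.url=ldap://dc01.domain.com:3268/DC=domain,DC=com
java.naming.security.principal=svc-teamcity@domain.com
java.naming.security.credentials=placeholder-password
teamcity.users.login.filter=(sAMAccountName=$capturedLogin$)
teamcity.users.username=sAMAccountName
teamcity.options.groups.synchronize=true
teamcity.groups.filter=(objectClass=group)
"""

# Constructed sample ldap-mapping.xml; the OPS entry deliberately points outside the base DN.
SAMPLE_MAPPING = """\
<!DOCTYPE mapping SYSTEM "ldap-mapping.dtd">
<mapping>
  <group-mapping teamcityGroupKey="DEVS" ldapGroupDn="CN=TeamCity Users,OU=Accounts,DC=domain,DC=com"/>
  <group-mapping teamcityGroupKey="OPS" ldapGroupDn="CN=Ops,OU=Accounts,DC=other,DC=com"/>
</mapping>
"""

LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"  # AD transitive (nested) membership rule


def parse_properties(text):
    """Minimal Java .properties reader: key=value per line, '#'/'!' comments, no continuations."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def base_dn_from_url(provider_url):
    """Return the base DN carried in the path part of java.naming.provider.url."""
    return unquote(urlparse(provider_url).path.lstrip("/"))


def split_dn(dn):
    """Split a DN into RDN strings on commas that are not backslash-escaped."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]


def normalize_dn(dn):
    """Lower-case types and values so DNs compare the way AD matches them (case-insensitively)."""
    rdns = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def dn_under_base(dn, base_dn):
    """True when dn is strictly below base_dn in the directory tree."""
    parts = split_dn(normalize_dn(dn))
    base = split_dn(normalize_dn(base_dn))
    return len(parts) > len(base) and parts[-len(base):] == base


def escape_filter_value(value):
    """Escape an assertion value for an LDAP search filter (RFC 4515): * ( ) \\ NUL -> \\xx."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def nested_member_filter(group_dn, user_filter="(objectClass=user)"):
    """Build teamcity.users.filter for transitive members of group_dn.

    In AD, (objectClass=user) also matches computer objects; pass
    user_filter="(&(objectCategory=person)(objectClass=user))" to exclude them.
    """
    return f"(&{user_filter}(memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(group_dn)}))"


def check_mapping(properties_text, mapping_xml):
    """Return a list of problems found in the mapping; an empty list means it passed."""
    props = parse_properties(properties_text)
    base = base_dn_from_url(props["java.naming.provider.url"])
    problems = []
    for gm in ET.fromstring(mapping_xml).findall("group-mapping"):
        key, dn = gm.get("teamcityGroupKey"), gm.get("ldapGroupDn")
        if not key or not dn:
            problems.append("group-mapping is missing teamcityGroupKey or ldapGroupDn")
        elif not dn_under_base(dn, base):
            problems.append(f"{key}: {dn} is not under base DN {base}")
    return problems


if __name__ == "__main__":
    for problem in check_mapping(SAMPLE_PROPERTIES, SAMPLE_MAPPING):
        print("PROBLEM:", problem)
    print(nested_member_filter("CN=TeamCity Users,OU=Accounts,DC=domain,DC=com"))
```

Run it as-is to see the OPS mapping flagged and the nested filter printed; point the two constants at your real files to check your own setup. The DN comparison is deliberately simple (it lower-cases and splits on unescaped commas rather than implementing full RFC 4514 matching), which is enough for the CN/OU/DC names AD produces.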