8
votes

I'm trying to restrict TeamCity users to members of a specific AD group (FNC_TEAMCITY_USERS). LDAP user synchronisation was already working. In my ldap-config.properties I changed this:

teamcity.users.filter=(objectClass=user)

to this:

teamcity.users.filter=(&(objectClass=user)(memberOf=CN=FNC_TEAMCITY_USERS,OU=Groups,DC=group,DC=ourdomain,DC=com))

I restarted the TeamCity service and this change had no effect. All AD users can still log in to TeamCity. I tried this on both our 6.5 instance and our 7.0 (EAP) instance.

Is there something I've missed or is this a bug?

1
Just curious, what is your actual need? If your need is to restrict access to projects, make sure that the existing roles that are assigned to auto-created users have no access to non-public projects. - 8DH

1 Answer

4
votes

The property limiting which users can log in to TeamCity is "teamcity.users.login.filter". Try setting it instead of "teamcity.users.filter".

"teamcity.users.filter" is the one affecting user synchronization (particularly creating users in TeamCity for users in LDAP).

Be sure to have "java.naming.security.principal" and "java.naming.security.credentials" correctly specified, as they are required to use "teamcity.users.login.filter".
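The distinction drawn in this answer, written out as an ldap-config.properties fragment. This is an added example, not part of the original answer. The group DN is the one from the question; matching the login on sAMAccountName through the `$capturedLogin$` placeholder and the bind account values are assumptions to adapt to your directory.

```properties
# --- Synchronization scope only -------------------------------------------
# Controls which LDAP entries are considered when TeamCity synchronizes
# (creates/updates) users. It does NOT decide who may authenticate, which is
# why changing it alone left every AD user able to log in.
teamcity.users.filter=(&(objectClass=user)(memberOf=CN=FNC_TEAMCITY_USERS,OU=Groups,DC=group,DC=ourdomain,DC=com))

# --- Login restriction ------------------------------------------------------
# Applied at login time: the user is searched for with this filter and the
# login is refused if no entry matches.
# Assumption: users log in with their sAMAccountName and $capturedLogin$ is
# substituted with the name typed on the login page.
teamcity.users.login.filter=(&(sAMAccountName=$capturedLogin$)(memberOf=CN=FNC_TEAMCITY_USERS,OU=Groups,DC=group,DC=ourdomain,DC=com))

# Alternative for Active Directory when access is granted through nested
# groups: a plain memberOf clause matches direct members only. The matching
# rule OID below (LDAP_MATCHING_RULE_IN_CHAIN) makes AD walk the group chain.
# Use one login filter or the other, not both.
#teamcity.users.login.filter=(&(sAMAccountName=$capturedLogin$)(memberOf:1.2.840.113556.1.4.1941:=CN=FNC_TEAMCITY_USERS,OU=Groups,DC=group,DC=ourdomain,DC=com))

# --- Bind account required for the login-time search -----------------------
# The login filter is evaluated by searching the directory, so TeamCity needs
# an account to bind with. Placeholder values: use a dedicated read-only
# service account and restrict file permissions on this properties file,
# since the password is stored in clear text.
java.naming.security.principal=<SERVICE_ACCOUNT_DN_OR_UPN>
java.naming.security.credentials=<SERVICE_ACCOUNT_PASSWORD>
```

After restarting the server, verify the restriction with an AD account that is not in the group: the login should be rejected rather than auto-creating a TeamCity user.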