We are trying to set up the basic LDAP login for users in a specific LDAP group. The AD structure looks like:
- City A
- City B
- City C
- City D
- City E
- City F
group contains users from the different regions. Now we tried to set the base group to the root domain in the following ways:
However, in both cases we run into a connection timeout.
The base group contains around 15k users. The filtered users (the ones that need to log on to TeamCity) are around 100.
Is there a way to increase the timeout using the above setup?
As changes in the current AD structure are not possible, is there another way to load the user base, which then gets filtered?
Let me rephrase the question: how can TC be set up to allow access only to users belonging to a specific AD group?
The timeout we are getting is when setting the whole organization unit group as OU (15k users) and then using the specific group (100 users) to be filtered. This specific group contains only developers from the different regions' Users groups. The tests have been made using TC 7.1.3.
First of all, you can control the timeout for LDAP operations since Java 6: you can define the property
(as described in http://docs.oracle.com/javase/tutorial/jndi/newstuff/readtimeout.html)
and TeamCity should fetch it.
Next, if you'd like to filter users by group membership, there is a way to include "memberof" in a filter (LDAP server support is required):
If there are not so many users matching the filter, you shouldn't run into a timeout.
Setting up the filter is working.
The problem we have is that we need to specify the base to be DC=Domain because users are defined in different OUs (APAC, EMEA, Americas).
If we set the base to e.g. OU=EMEA, the EMEA users can log on successfully.
It looks like when using the base=DC=Domain the LDAP search doesn't iterate through the different OUs.
The error message is:
nested exception is javax.naming.NameNotFoundException
The most common reason for this error: the LDAP server couldn't resolve the path specified in the base DN.
Please verify the following properties:
and make sure the base DN is relative to the root DN (specified in java.naming.provider.url)
What is your "java.naming.provider.url" and what is your "teamcity.users.base"?
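The two points raised in the staff replies above, the memberOf-based user filter and the rule that teamcity.users.base must be relative to the root DN in java.naming.provider.url, can be checked offline before restarting TeamCity. The following is an added example, not code from the thread or from TeamCity; it assumes the $login$ placeholder and the properties key names other than the two quoted in the thread, and it uses a simple comma split for DNs (no escaped commas).

```python
from urllib.parse import urlparse, unquote


def normalize_dn(dn: str) -> str:
    """Lower-case and strip whitespace around RDNs (simple split; assumes no escaped commas)."""
    return ','.join(p.strip().lower() for p in dn.split(',') if p.strip())


def root_dn_from_url(provider_url: str) -> str:
    """The root DN is the path part of ldap://host:port/DC=example,DC=com."""
    return normalize_dn(unquote(urlparse(provider_url).path.lstrip('/')))


def check_users_base(provider_url: str, users_base: str) -> tuple:
    """Return (ok, effective_search_base).

    The base DN is appended to the root DN taken from the provider URL, so a
    base that already repeats the root DN resolves to a non-existent path,
    which the server reports as NameNotFoundException.
    """
    root = root_dn_from_url(provider_url)
    base = normalize_dn(users_base)
    if not root:
        return (bool(base), base)   # no root in the URL: base must be absolute
    if not base:
        return (True, root)         # empty base: search the whole domain
    if base == root or base.endswith(',' + root):
        return (False, base + ',' + root)
    return (True, base + ',' + root)


def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside filter assertion values."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)


def memberof_filter(login_clause: str, group_dn: str) -> str:
    """Combine the existing login clause with a memberOf restriction on one group."""
    return '(&%s(memberOf=%s))' % (login_clause, escape_filter_value(group_dn))


if __name__ == '__main__':
    url = 'ldap://dc.example.com:389/DC=example,DC=com'   # constructed sample
    for base in ('OU=EMEA', '', 'OU=EMEA,DC=example,DC=com'):
        print(repr(base), check_users_base(url, base))
    # $login$ is assumed to be the login placeholder of the users filter
    print(memberof_filter('(sAMAccountName=$login$)',
                          'CN=TeamCity Devs,OU=Groups,DC=example,DC=com'))
```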
Please refer to the first post for the two ways we tried.
So, you set:
and got a NameNotFoundException?
That seems very strange to me. I guess you wouldn't get a connection timeout error, as you wrote previously, because LDAP can't do any search by an invalid path.
If that is so, please provide more details: logs with DEBUG, stacktraces (can do it in our issue tracker if you're concerned about privacy).
Those are the two options we tried. The timeout and current state is the one with the defined teamcity.users.base.
Sorry, I don't understand what the actual problem is now, and with what settings.
Please create an issue at http://youtrack.jetbrains.com/ and attach all relevant data.
It looks like the users search is not recursive. Just found this thread discussing exactly the same problem.
This issue could be fixed by either having a way to define multiple user base DNs, or by allowing no base so that the search is recursive.
Not sure what the solution for the other thread was.
The search is always recursive. I didn't look at the thread you posted, but we have verified that, and the LDAP plugin is used in many big companies (where recursive search is a must).
If you turn on DEBUG logging, you should see a line like "Performing search in LDAP: ... scope=<value>...". If scope is 2, it means subtree scope.
Do you see it?
Yes, scope=2 is in the log.
OK. Why do you think it wasn't working?