Up to Discussions in General Topics

This Question is Not Answered

1 "correct" answer available (4 pts) 1 "helpful" answer available (2 pts)
13 Replies Last post: May 23, 2013 11:34 PM by Helios Dev  
Helios Dev Newbie
Helios Dev
17 posts since
Jul 21, 2011
Currently Being Moderated

Feb 15, 2013 2:38 PM

Timeout using basic LDAP login for users in a specific LDAP group

Hello,

 

we are trying to setup the basic LDAP login for users in a specific LDAP group. The AD structure looks like


 

Domain.Company.corp

-          APAC

o   City A

o  Users

o   City B

o  Users

-          EMEA

o   City C

o  Users

o   City D

o  Users

-          Americas

o   City E

o  Users

o   City F

o  Users

 

 

The teamcity.users.login.filter group contains users from the different regions. Now we tried to set the base group to the root domain in the following ways:

 

java.naming.provider.url=ldap://AD-Controller:389

teamcity.users.base=DC=Domain,DC=Company,DC=corp

 

or

 

java.naming.provider.url=ldap://AD-Controller:389/DC=Domain,DC=Company,DC=corp

teamcity.users.base=

 

However, in both cases we run into a connection timeout.

The base group contains around 15k users. The filtered users (the one that need to logon to TeamCity) are around 100.

Is there a way to increase the timeout using the above setup?

As, changes in the current AD structure are not possible, is there another way to load the users base which then gets filtered?

 

Regards,

Helios

Tags: ldap
Helios Dev Newbie
Helios Dev
17 posts since
Jul 21, 2011
Currently Being Moderated
Mar 12, 2013 2:57 PM in response to: Helios Dev
Re: Timeout using basic LDAP login for users in a specific LDAP group

Hello,

 

let me rephrase the question: How can TC be setup to allow access only to users belonging to a specific AD group?

The timeout we are getting is when setting the whole organization unit group as OU (15k users) and then use the specific group (100 users) to be filtered. This specific group contains only developers from the different region's Users groups. The tests have been made using TC 7.1.3.

 

Thanks,

Helios

Report Abuse
Maxim Podkolzine JetBrains
Maxim Podkolzine
226 posts since
Dec 17, 2008
Currently Being Moderated
Mar 20, 2013 4:24 PM in response to: Helios Dev
Re: Timeout using basic LDAP login for users in a specific LDAP group

Hi,

 

First of all, you can control the timeout for LDAP operations since Java 6: you can define the property

com.sun.jndi.ldap.read.timeout

(as described in http://docs.oracle.com/javase/tutorial/jndi/newstuff/readtimeout.html )

and TeamCity should fetch it.

 

Next, if you'd like to filter users by group membership, there is a way to include "memberof" in a filter (LDAP server support is required):

filter=(memberof=cn=Developers,ou=Groups,ou=Work)

 

If there are no so many users matching the filter, you shouldn't run into timeout.

 

 

--

Maxim

Report Abuse
Helios Dev Newbie
Helios Dev
17 posts since
Jul 21, 2011
Currently Being Moderated
Apr 18, 2013 6:19 PM in response to: Maxim Podkolzine
Re: Timeout using basic LDAP login for users in a specific LDAP group

Hi,

 

setting up the filter is working.
The problem we have is that we need to specify the base to be DC=Domain because users are defined in different OUs (APAC, EMEA, Americas).
If we set the base to e.g. OU=EMEA the EMEA users can logon successfully.
It looks like when using the base=DC=Domain the LDAP search doesn't iterate through the different OUs.

 

The error message is:
nested exception is javax.naming.NameNotFoundException
Most common reason for this error: LDAP server couldn't resolve the path specified in base DN.
Please verify the following properties:
  java.naming.provider.url
  teamcity.users.base
  teamcity.groups.base
and make sure the base DN is relative to the root DN (specified in java.naming.provider.url)

 

Thanks,

Helios

Report Abuse
Maxim Podkolzine JetBrains
Maxim Podkolzine
226 posts since
Dec 17, 2008
Currently Being Moderated
Apr 18, 2013 8:05 PM in response to: Helios Dev
Re: Timeout using basic LDAP login for users in a specific LDAP group

Hi,

 

What is your "java.naming.provider.url" and what is your "teamcity.users.base"?

 

 

 

--

Maxim

Report Abuse
Helios Dev Newbie
Helios Dev
17 posts since
Jul 21, 2011
Currently Being Moderated
Apr 19, 2013 11:43 AM in response to: Maxim Podkolzine
Re: Timeout using basic LDAP login for users in a specific LDAP group

Please refer to the first post for the two ways we tried.

Report Abuse
Maxim Podkolzine JetBrains
Maxim Podkolzine
226 posts since
Dec 17, 2008
Currently Being Moderated
Apr 19, 2013 1:07 PM in response to: Helios Dev
Re: Timeout using basic LDAP login for users in a specific LDAP group

Hi,

 

So, you set:

java.naming.provider.url=ldap://AD-Controller:389/DC=Domain,DC=Company,DC=corp

teamcity.users.base=

 

and got a NameNotFoundException?

 

That seems very strange to me. I guess you wouldn't got a connection timeout error, as you wrote previously, because LDAP can't do any search by invalid path.

If that is so, please provide more details: logs with DEBUG, stacktraces (can do it in our issue tracker if you're concerned about privacy).

 

 

--

Maxim

Report Abuse
Helios Dev Newbie
Helios Dev
17 posts since
Jul 21, 2011
Currently Being Moderated
Apr 19, 2013 4:33 PM in response to: Maxim Podkolzine
Re: Timeout using basic LDAP login for users in a specific LDAP group

That are the two options we tried. The timeout and current state is the one with the defined teamcity.users.base.

Report Abuse
Maxim Podkolzine JetBrains
Maxim Podkolzine
226 posts since
Dec 17, 2008
Currently Being Moderated
Apr 19, 2013 4:56 PM in response to: Helios Dev
Re: Timeout using basic LDAP login for users in a specific LDAP group

Sorry, I don't understand what is the actual problem now and with what settings.

Please create an issue at http://youtrack.jetbrains.com/ and attach all relevant data.

 

 

--

Maxim

Report Abuse
Helios Dev Newbie
Helios Dev
17 posts since
Jul 21, 2011
Currently Being Moderated
Apr 29, 2013 3:58 PM in response to: Maxim Podkolzine
Re: Timeout using basic LDAP login for users in a specific LDAP group

Hi,

 

it looks like the users search is not recursive. Just found this thread discussing exactly the same problem.

http://devnet.jetbrains.com/message/5247399

 

This issue could be fixed when either having a way to define multiple user base DNs or without a base and the search will be recursive.

Not sure what the solution for the other thread was.

 

Thanks,

Helios

Report Abuse
Maxim Podkolzine JetBrains
Maxim Podkolzine
226 posts since
Dec 17, 2008
Currently Being Moderated
Apr 29, 2013 5:15 PM in response to: Helios Dev
Re: Timeout using basic LDAP login for users in a specific LDAP group

Hi,

 

The search is always recursive. I didn't look at the thread you posted, but we have verified that and LDAP plugin is used in many big companies (where recursive search is a must).

If you turn on DEBUG logging, you should see the line like "Performing search in LDAP: ... scope=<value>...". If scope is 2, it means subtree scope.

Do you see it?

 

 

--

Maxim

Report Abuse
Helios Dev Newbie
Helios Dev
17 posts since
Jul 21, 2011
Currently Being Moderated
Apr 29, 2013 5:26 PM in response to: Maxim Podkolzine
Re: Timeout using basic LDAP login for users in a specific LDAP group

Yes, scope=2 is in the log.

Report Abuse
Maxim Podkolzine JetBrains
Maxim Podkolzine
226 posts since
Dec 17, 2008
Currently Being Moderated
Apr 29, 2013 5:28 PM in response to: Helios Dev
Re: Timeout using basic LDAP login for users in a specific LDAP group

OK. Why do you think it wasn't working?

Report Abuse
Helios Dev Newbie
Helios Dev
17 posts since
Jul 21, 2011
Currently Being Moderated
May 23, 2013 11:34 PM in response to: Maxim Podkolzine
Re: Timeout using basic LDAP login for users in a specific LDAP group
Setting teamcity.users.base= or teamcity.users.base=DC=Domain,DC=Company,DC=corp doesn't find the user. Only when adding the OU (e.g. EMEA) then it works, but obviously only for users belonging to the EMEA users group. As shown in the example in the first post the user groups are defined below the different locations. What do we need to add to the base so that all subdirectories are included in the search for a user? Is there a way to set multiple OUs to the base?
Report Abuse

More Like This

  • Retrieving data ...