
I'm configuring LDAP authentication in TeamCity 7.1.2 in a Windows domain (Active Directory).

Basically it works (I can log in with my domain user!), but every user in the whole company can log in.
--> Now I'm trying to restrict access to the developers only.

I found this example in the TeamCity docs:

```
# filtering only users with specified name and belonging to LDAP group "Group1" with DN "CN=Group1,CN=Users,DC=example,DC=com"
teamcity.users.login.filter=(&(sAMAccountName=$capturedLogin$)(memberOf=CN=Group1,CN=Users,DC=example,DC=com))
```

So I just need to replace CN=Group1,CN=Users,DC=example,DC=com with the LDAP group where my user is.
But querying LDAP is completely new to me, so I'm not able to figure out the right syntax.

My user is here:

Active Directory screenshot

So it's:

CompanyName.de/CompanyName/IT/Entwickler/

"CompanyName", "IT" and "Entwickler" are organizational units.
I understand that the syntax would be:

```
OU=Entwickler,OU=IT,OU=CompanyName,DC=CompanyName,DC=de
```

When I put that into TeamCity's config file, I can't log in and TeamCity writes this to its log files:

```
Search in LDAP: base='DC=CompanyName,DC=de', filter='(&(sAMAccountName=MyUser)(memberOf=OU=Entwickler,OU=IT,OU=CompanyName,DC=CompanyName,DC=de))', scope=2, attributes=[sAMAccountName, distinguishedName] resulted in error
```

and:

```
Login for user "MyUser" failed: javax.security.auth.login.LoginException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of: 'DC=CompanyName,DC=de'
```

What am I doing wrong?

NOTE:
It might be possible that my query is correct, and this is an issue in TeamCity.
(the version that I'm using does have some issues concerning LDAP, but they get other error messages than I do)
Maybe I will post this on TeamCity's issue tracker, but before I wanted to make sure that the error doesn't occur because I've got the LDAP query wrong, hence the question here.

Christian Specht

1 Answer


memberOf is looking for a group, not an OU. You should create a group to restrict access, add the appropriate users to the group, and specify the group's distinguished name in the filter. You should note that the simple 'memberOf={DN}' filter does not take into account nested group membership.

Edit: If you really want to restrict it to users in the OU, then you need to change the base DN of the search to the OU, and take out the memberOf parameter to the search.

Sean Hall
  • Could you give me an example of how the query would look if I "change the base DN of the search to the OU, and take out the memberOf parameter to the search"? As I said, I'm an LDAP noob. Thank you! – Christian Specht Nov 29 '12 at 20:28
  • @ChristianSpecht An LDAP query has three basic components: the base of the search, the search filter, and the scope. In your error, I see "Search in LDAP: base='DC=CompanyName,DC=de'". I don't know where this is coming from, can you set the base on another line, maybe teamcity.users.login.base? – Sean Hall Nov 29 '12 at 20:42
  • I **did** set the base in the config file, but neither `CN=Users,DC=CompanyName,DC=de` nor `CN=Users,DC=CompanyName,DC=de` worked. So I tried your second solution (set the base DN to the OU) and that did work! – Christian Specht Nov 30 '12 at 11:29
  • @Alfred: it's `teamcity.users.base=OU=IT,OU=CompanyName,DC=CompanyName,DC=de`. *Now if a moderator would convert your answer to a comment...* – Christian Specht Dec 19 '13 at 13:07
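The answer and the comment thread above boil down to three things: `memberOf` holds group DNs (so an OU DN in it matches nothing), a direct `memberOf=<group DN>` filter misses nested membership, and restricting by OU is done with the search base rather than the filter. The following is an added example, not code from the question, the answer or TeamCity: a small in-memory model of the search TeamCity issues (base, filter with `$capturedLogin$` substituted, subtree scope as in the `scope=2` log line) over a handful of constructed directory entries, so each of those three points can be checked without a domain controller. The group and user DNs (`Developers`, `Dev-Contractors`, `Contractor`, `Sales1`) are constructed for the example; the OU path is the one from the question.

```python
# Added example (not from the question, the answer or TeamCity): an in-memory
# model of "base + filter + subtree scope" used to show why memberOf=<OU DN>
# matches nothing, why memberOf=<group DN> works, why moving the base to the OU
# works without memberOf, and how nested group membership is missed.
# All entries, group names and extra users below are constructed samples.

DEV_GROUP = "CN=Developers,CN=Users,DC=CompanyName,DC=de"          # constructed
SUB_GROUP = "CN=Dev-Contractors,CN=Users,DC=CompanyName,DC=de"     # constructed, nested in DEV_GROUP
DEV_OU = "OU=Entwickler,OU=IT,OU=CompanyName,DC=CompanyName,DC=de"  # OU path from the question
ROOT = "DC=CompanyName,DC=de"

DIRECTORY = [  # constructed entries; attribute names as Active Directory exposes them
    {"distinguishedName": "CN=MyUser," + DEV_OU,
     "sAMAccountName": "MyUser", "memberOf": [DEV_GROUP]},
    {"distinguishedName": "CN=Contractor," + DEV_OU,           # only a nested member of Developers
     "sAMAccountName": "Contractor", "memberOf": [SUB_GROUP]},
    {"distinguishedName": "CN=Sales1,OU=Vertrieb,OU=CompanyName,DC=CompanyName,DC=de",
     "sAMAccountName": "Sales1", "memberOf": []},
    {"distinguishedName": DEV_GROUP, "cn": "Developers", "memberOf": []},
    {"distinguishedName": SUB_GROUP, "cn": "Dev-Contractors", "memberOf": [DEV_GROUP]},
]


def norm_dn(dn):
    """Case-insensitive comparison form of a DN (assumes no escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_filter(text):
    """Parse the RFC 4515 subset the TeamCity docs example uses:
    (&...), (|...), (!...) and (attr=value). Returns nested tuples."""
    def parse(i):
        if text[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        i += 1
        if text[i] in "&|!":
            op, i, children = text[i], i + 1, []
            while text[i] == "(":
                child, i = parse(i)
                children.append(child)
            if text[i] != ")":
                raise ValueError("expected ')' at offset %d" % i)
            return (op, children), i + 1
        end = text.index(")", i)
        attr, _, value = text[i:end].partition("=")   # value may itself contain '=' (a DN)
        return ("=", attr, value), end + 1
    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node


def values(entry, attr):
    """Attribute lookup, case-insensitive on the attribute name; always a list."""
    for name, val in entry.items():
        if name.lower() == attr.lower():
            return val if isinstance(val, list) else [val]
    return []


def matches(entry, node):
    op = node[0]
    if op == "&":
        return all(matches(entry, c) for c in node[1])
    if op == "|":
        return any(matches(entry, c) for c in node[1])
    if op == "!":
        return not matches(entry, node[1][0])
    _, attr, value = node
    if attr.lower() in ("memberof", "distinguishedname"):   # DN-syntax attributes compare as DNs
        return any(norm_dn(v) == norm_dn(value) for v in values(entry, attr))
    return any(v.lower() == value.lower() for v in values(entry, attr))


def search(base, login_filter, login):
    """Subtree search under `base` with $capturedLogin$ replaced by `login`;
    returns the sAMAccountName values of matching entries."""
    node = parse_filter(login_filter.replace("$capturedLogin$", login))
    base_n = norm_dn(base)
    found = []
    for entry in DIRECTORY:
        dn = norm_dn(entry["distinguishedName"])
        if (dn == base_n or dn.endswith("," + base_n)) and matches(entry, node):
            found.extend(values(entry, "sAMAccountName"))
    return found


def allowed_logins(base, login_filter):
    """Which of the sample users would pass this base + filter combination."""
    return [u for u in ("MyUser", "Contractor", "Sales1") if search(base, login_filter, u)]


if __name__ == "__main__":
    name = "(sAMAccountName=$capturedLogin$)"
    print(allowed_logins(ROOT, name))                                      # everyone in the domain
    print(allowed_logins(ROOT, "(&%s(memberOf=%s))" % (name, DEV_OU)))     # []: memberOf never holds an OU DN
    print(allowed_logins(ROOT, "(&%s(memberOf=%s))" % (name, DEV_GROUP)))  # ['MyUser']: nested Contractor missed
    print(allowed_logins(DEV_OU, name))                                    # ['MyUser', 'Contractor']: base moved to OU
```

The four calls at the bottom correspond to the four configurations discussed: the unrestricted login that lets "every user in the whole company" in, the OU DN placed in `memberOf` (no match, whatever the server then reports), the group DN in `memberOf` (works, but the nested member is excluded, which is the caveat in the answer), and the base moved to the OU with no `memberOf` term (the variant the comments settled on). Against a real directory the same distinction shows up as the `base=` and `filter=` values in TeamCity's "Search in LDAP" log line, which is the first thing to read when a login filter misbehaves.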