Question
I'm configuring LDAP authentication in TeamCity 7.1.2 in a Windows domain (Active Directory).
Basically it works (I can log in with my domain user!), but every user in the whole company can log in.
--> Now I'm trying to restrict access to the developers only.
I found this example in the TeamCity docs:
https://stackoverflow.com/questions/13629985
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russian# filtering only users with specified name and belonging to LDAP group "Group1" with DN "CN=Group1,CN=Users,DC=example,DC=com"
teamcity.users.login.filter=(&(sAMAccountName=$capturedLogin$)(memberOf=CN=Group1,CN=Users,DC=example,DC=com))
So I just need to replace CN=Group1,CN=Users,DC=example,DC=com with the the LDAP group where my user is.
But querying LDAP is completely new to me, so I'm not able to figure out the right syntax.
My user is here:
So it's:
CompanyName.de/CompanyName/IT/Entwickler/
"CompanyName", "IT" and "Entwickler" are organizational units.
I understand that the syntax would be:
OU=Entwickler,OU=IT,OU=CompanyName,DC=CompanyName,DC=de
When I put that into TeamCity's config file, I can't log in and TeamCity writes this to its log files:
Search in LDAP: base='DC=CompanyName,DC=de', filter='(&(sAMAccountName=MyUser)(memberOf=OU=Entwickler,OU=IT,OU=CompanyName,DC=CompanyName,DC=de))', scope=2, attributes=[sAMAccountName, distinguishedName] resulted in error
and:
Login for user "MyUser" failed: javax.security.auth.login.LoginException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of: 'DC=CompanyName,DC=de'
What am I doing wrong?
NOTE:
It might be possible that my query is correct, and this is an issue in TeamCity.
(the version that I'm using does have some issues concerning LDAP, but they get other error messages than I do)
Maybe I will post this on TeamCity's issue tracker, but before I wanted to make sure that the error doesn't occur because I've got the LDAP query wrong, hence the question here.
Solution
memberOf is looking for a group, not an OU. You should create a group to restrict access, add the appropiate users to the group, and specify the group's distinguished name in the filter. You should note that the simple 'memberOf={DN}' filter does not take into account nested group membership.
Edit: If you really want to restrict it to users in the OU, then you need to change the base DN of the search to the OU, and take out the memberOf parameter to the search.
