LDAP Troubleshooting
General advice: if you experience problems with LDAP configuration, turn on the debug logging (see Reporting Issues).
On this page:
- Cannot authenticate using LDAP
- Users in LDAP are stored in different branches, so the teamcity.auth.formatDN property can't be applied. How can the users login with their usernames?
Cannot authenticate using LDAP
Check the teamcity-ldap.log
file. For each unsuccessful login attempt there should be a reason specified. Most commonly these are:
The login filter doesn't match the entered login ("User-entered login does not match teamcity.auth.loginFilter=..., aborting")
The LDAP server rejected login with the "Invalid credentials" message ("Failed to login user '...' due to authentication error. Cause: Invalid credentials ([LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece^@])")
The first reason means that the login can't be used for signing in because it doesn't match a certain filter. For example, by default you can't login with DOMAIN\username
- the filter forbids /
, \
and @
symbols. See the teamcity.auth.loginFilter
property.
The second error can be caused by various things, for example:
You are trying to login with your username, but LDAP server accepts only full DNs.
If all users are stored in one LDAP branch, use theteamcity.auth.formatDN
property. Otherwise, see the section below.Check your DN and the actual principal from the logs, probably there is a typo or an unescaped sequence. Try to log in with this principal using another LDAP tool.
Try changing the security level (
java.naming.security.authentication
): it can be "simple", "strong" or "none".
Users in LDAP are stored in different branches, so the teamcity.auth.formatDN property can't be applied. How can the users login with their usernames?
This feature is available from version 5.0. You should specify how you want to find the user (teamcity.users.login.filter
), for example, by the username or email. On each login TeamCity finds the user in LDAP before logging in, fetches the user DN and then performs the bind. Thus, you must also define the credentials for TeamCity to perform search operations (java.naming.security.principal
and java.naming.security.credentials
).