LDAP Troubleshooting
General advice: if you experience problems with LDAP configuration, please turn on the debug logging (see Reporting Issues).
Cannot authenticate using LDAP
Check the teamcity-ldap.log file. For each unsuccessful login attempt there should be a reason specified. Most commonly it is:
- the login filter doesn't match the entered login ("User-entered login does not match teamcity.auth.loginFilter=..., aborting")
- the LDAP server rejected the login with an "Invalid credentials" message ("Failed to login user '...' due to authentication error. Cause: Invalid credentials ([LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece^@])")
The first reason means that the login can't be used for signing in because it doesn't match the login filter. For example, by default you can't log in with 'DOMAIN\username': the filter forbids the '/', '\' and '@' symbols. See the teamcity.auth.loginFilter property.
The second error can be caused by various things, e.g.:
- You are trying to log in with your username, but the LDAP server accepts only full DNs. If all users are stored in one LDAP branch, you should use the teamcity.auth.formatDN property. Otherwise see the section below.
- Check your DN and the actual principal from the logs; there is probably a typo or an unescaped sequence. Try to log in with this principal using another LDAP tool.
- Try to change the security level (java.naming.security.authentication): it can be "simple", "strong" or "none".
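As an added example (not from the original page or from TeamCity), the following Python script classifies teamcity-ldap.log lines in the two shapes quoted above and decodes the Active Directory "data NNN" sub-code of error 49. The sub-code table is standard Active Directory behaviour rather than something this page states, and the sample lines, logins and filter value are constructed.

```python
import re

# Active Directory sub-codes found in the "data NNN" field of LDAP error 49 (assumption: AD server).
AD_SUBCODES = {
    "525": "user not found (check the DN / teamcity.auth.formatDN)",
    "52e": "invalid credentials (wrong password or malformed principal)",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

FILTER_RE = re.compile(r"does not match teamcity\.auth\.loginFilter=(.*), aborting")
BIND_RE = re.compile(r"Failed to login user '([^']*)'.*?error code (\d+)")
SUB_RE = re.compile(r"\bdata ([0-9a-fA-F]+)\b")

def classify(line):
    """Return (category, user, detail) for one teamcity-ldap.log line, or None."""
    m = FILTER_RE.search(line)
    if m:
        return ("login-filter", None, "rejected by filter " + m.group(1))
    m = BIND_RE.search(line)
    if not m:
        return None
    user, code = m.groups()
    sub = SUB_RE.search(line)
    if code == "49" and sub:
        key = sub.group(1).lower()
        return ("bind-rejected", user, AD_SUBCODES.get(key, "unknown AD sub-code " + key))
    return ("bind-rejected", user, "LDAP error code " + code)

# Constructed sample lines in the two shapes quoted above (logins and filter value are made up).
SAMPLE_LOG = [
    r"User-entered login does not match teamcity.auth.loginFilter=[^/\\@]+, aborting",
    "Failed to login user 'jdoe' due to authentication error. Cause: Invalid credentials "
    "([LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: "
    "AcceptSecurityContext error, data 525, vece])",
    "Failed to login user 'cn=asmith,ou=people,dc=example,dc=com' due to authentication "
    "error. Cause: Invalid credentials ([LDAP: error code 49 - 80090308: LdapErr: "
    "DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece])",
    "Failed to login user 'bob' due to authentication error. Cause: Invalid credentials "
    "([LDAP: error code 49 - Invalid Credentials])",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line))
```

In the message quoted above, data 525 means the directory found no such user, which points at the DN format rather than the password.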
Users in LDAP are stored in different branches, so the teamcity.auth.formatDN property can't be applied. How can users log in with their usernames?
This feature is available from version 5.0. You should specify how you want to find the user (teamcity.users.login.filter), e.g. by username or e-mail. On each login TeamCity finds the user in LDAP before logging in, fetches the user DN and then performs the bind. Thus you should also define the credentials for TeamCity to perform search operations (java.naming.security.principal and java.naming.security.credentials).