TeamCity 7.0 Help

Typical LDAP Configurations

This page contains sample ldap-config.properties files for different configuration cases.

Basic LDAP Login

A backup LDAP server is specified. Provided that users can log in to LDAP as "EXAMPLE\Username", they also log in to TeamCity as "EXAMPLE\Username"; the username stored in TeamCity is "Username".

    # The second URL is used when the first server is down.
    java.naming.provider.url=ldap://example.com:389/DC=example,DC=com ldap://failover.example.com:389/DC=example,DC=com

    # Allow to login with 'EXAMPLE\username', but cut off 'EXAMPLE' in TeamCity username.
    teamcity.auth.loginFilter=EXAMPLE\\\\\\S+
    teamcity.users.login.capture=EXAMPLE\\\\(.*)

    # No synchronization, just login.
    teamcity.options.users.synchronize=false
    teamcity.options.groups.synchronize=false

Basic LDAP Login for Users in a Specific LDAP Group Only

Only users from a specific user group are allowed to log in. Users enter only their username, without the domain part.

    java.naming.provider.url=ldap://example.com:389/DC=example,DC=com

    # Windows username for user to browse LDAP
    java.naming.security.principal=RealUsername
    # Windows password for user to browse LDAP
    java.naming.security.credentials=User'sPaSsWorD

    # Root node containing all the LDAP users (full entry DN is "CN=Users,DC=example,DC=com")
    teamcity.users.base=CN=Users

    # Filtering only users with the specified name and belonging to LDAP group "Group1" with DN "CN=Group1,CN=Users,DC=example,DC=com"
    teamcity.users.login.filter=(&(sAMAccountName=$capturedLogin$)(memberOf=CN=Group1,CN=Users,DC=example,DC=com))

    # Retrieving the TeamCity username from the "sAMAccountName" LDAP entry attribute
    teamcity.users.username=sAMAccountName

    # Allow only username part without domain
    teamcity.auth.loginFilter=[^/\\\\@]+

    # No synchronization, just login.
    teamcity.options.users.synchronize=false
    teamcity.options.groups.synchronize=false
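The login patterns in the two samples above go through .properties backslash unescaping before they are used as regular expressions. The following added example (not part of the TeamCity documentation or code) reproduces that unescaping in Python and shows which logins each sample accepts. The helper names, whole-string matching, and the fallback when the capture pattern does not match are assumptions.

```python
import re

# Property values copied verbatim from the two samples above.
BASIC_FILTER = r"EXAMPLE\\\\\\S+"    # teamcity.auth.loginFilter (basic login)
BASIC_CAPTURE = r"EXAMPLE\\\\(.*)"   # teamcity.users.login.capture
GROUP_FILTER = r"[^/\\\\@]+"         # teamcity.auth.loginFilter (group-only login)

_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}


def unescape_property(raw):
    """Undo .properties backslash escaping (unicode escapes are not handled)."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append(_ESCAPES.get(raw[i + 1], raw[i + 1]))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def check_login(login, filter_raw, capture_raw=None):
    """Return the captured username, or None when the login filter rejects it.

    Assumptions: patterns must match the whole login, and a capture pattern
    that does not match leaves the login unchanged.
    """
    if not re.fullmatch(unescape_property(filter_raw), login):
        return None
    if capture_raw is None:
        return login
    m = re.fullmatch(unescape_property(capture_raw), login)
    return m.group(1) if m else login


if __name__ == "__main__":
    # Constructed sample logins.
    for login in ["EXAMPLE\\jsmith", "OTHER\\jsmith", "jsmith", "jsmith@example.com"]:
        print(f"{login!r:24} basic={check_login(login, BASIC_FILTER, BASIC_CAPTURE)!r:10}"
              f" group-only={check_login(login, GROUP_FILTER)!r}")
```

The six backslashes in the basic filter collapse to three, giving the regular expression `EXAMPLE\\\S+`: a literal backslash followed by one or more non-whitespace characters.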

Active Directory With User Details Synchronization

Users can log in to TeamCity with their domain user name, without the domain part. There is an account "teamcity" with password "secret" that can read all Active Directory entries. The TeamCity user display name and email are synchronized from Active Directory.

    java.naming.provider.url=ldap://example.com:389/DC=example,DC=com

    # Login using 'sAMAccountName' value.
    teamcity.users.login.filter=(sAMAccountName=$capturedLogin$)

    # LDAP credentials for TeamCity plugin.
    java.naming.security.principal=CN=teamcity,CN=Users,DC=example,DC=com
    java.naming.security.credentials=secret

    # User synchronization: on, synchronize display name and e-mail.
    teamcity.options.users.synchronize=true
    teamcity.users.base=CN=users
    teamcity.users.filter=(objectClass=user)
    teamcity.users.username=sAMAccountName
    teamcity.users.property.displayName=displayName
    teamcity.users.property.email=mail

    # Group synchronization: disabled.
    teamcity.options.groups.synchronize=false

Active Directory With Group Synchronization

    java.naming.provider.url=ldap://example.com:389/DC=example,DC=com

    # Allow to enter anything, but after that format it into 'EXAMPLE\login'.
    teamcity.auth.formatDN=EXAMPLE\\$login$

    # LDAP credentials for TeamCity plugin.
    java.naming.security.principal=teamcity
    java.naming.security.credentials=secret

    # Synchronize both users and groups. Remove obsolete TeamCity users, but don't create new ones automatically.
    teamcity.options.users.synchronize=true
    teamcity.options.groups.synchronize=true
    teamcity.options.createUsers=false
    teamcity.options.deleteUsers=true
    teamcity.options.syncTimeout=3600000

    # Search users from the root: 'DC=example,DC=com'.
    teamcity.users.base=
    teamcity.users.filter=(objectClass=user)
    teamcity.users.username=sAMAccountName

    # Search groups from 'CN=groups,DC=example,DC=com'.
    teamcity.groups.base=CN=groups
    teamcity.groups.filter=(objectClass=group)
    teamcity.groups.property.member=member

Last modified: 20 April 2023