Query Active Directory/LDAP, find users in nested organizational unit

Christian Specht · Nov 29, 2012

I'm configuring LDAP authentication in TeamCity 7.1.2 in a Windows domain (Active Directory).

Basically it works (I can log in with my domain user!), but every user in the whole company can log in.
--> Now I'm trying to restrict access to the developers only.

I found this example in the TeamCity docs:

# filtering only users with specified name and belonging to LDAP group "Group1" with DN "CN=Group1,CN=Users,DC=example,DC=com"
teamcity.users.login.filter=(&(sAMAccountName=$capturedLogin$)(memberOf=CN=Group1,CN=Users,DC=example,DC=com))

So I just need to replace CN=Group1,CN=Users,DC=example,DC=com with the LDAP group where my user is.
But querying LDAP is completely new to me, so I'm not able to figure out the right syntax.

My user is here:

Active Directory screenshot

So it's:

CompanyName.de/CompanyName/IT/Entwickler/

"CompanyName", "IT" and "Entwickler" are organizational units.
I understand that the syntax would be:

OU=Entwickler,OU=IT,OU=CompanyName,DC=CompanyName,DC=de

When I put that into TeamCity's config file, I can't log in and TeamCity writes this to its log files:

Search in LDAP: base='DC=CompanyName,DC=de', filter='(&(sAMAccountName=MyUser)(memberOf=OU=Entwickler,OU=IT,OU=CompanyName,DC=CompanyName,DC=de))', scope=2, attributes=[sAMAccountName, distinguishedName] resulted in error

and:

Login for user "MyUser" failed: javax.security.auth.login.LoginException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of: 'DC=CompanyName,DC=de'

What am I doing wrong?

NOTE:
It might be possible that my query is correct, and this is an issue in TeamCity.
(the version that I'm using does have some issues concerning LDAP, but they get other error messages than I do)
Maybe I will post this on TeamCity's issue tracker, but before that I wanted to make sure that the error doesn't occur because I've got the LDAP query wrong, hence the question here.

Answer

Sean Hall · Nov 29, 2012

memberOf is looking for a group, not an OU. You should create a group to restrict access, add the appropriate users to the group, and specify the group's distinguished name in the filter. You should note that the simple 'memberOf={DN}' filter does not take into account nested group membership.

Edit: If you really want to restrict it to users in the OU, then you need to change the base DN of the search to the OU, and take out the memberOf parameter to the search.
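Both fixes from the answer written out as TeamCity ldap-config.properties lines; this is an added example, not from the original post or from TeamCity's own template. The group CN=TeamCity-Developers is a placeholder, the key teamcity.users.base is assumed from TeamCity's LDAP configuration template, and the nested-group variant uses Active Directory's LDAP_MATCHING_RULE_IN_CHAIN extensible match, which the answer notes as a gap but does not spell out.

```properties
# Option 1 (the answer's recommendation): keep the domain root as the search base
# and require membership of a dedicated group. The group DN starts with CN=, not OU=;
# memberOf values must name a group object, which is why the OU DN in the question
# produced "NO_OBJECT" (error code 32).
# Placeholder group: CN=TeamCity-Developers,OU=Entwickler,OU=IT,OU=CompanyName,DC=CompanyName,DC=de
teamcity.users.base=DC=CompanyName,DC=de
teamcity.users.login.filter=(&(sAMAccountName=$capturedLogin$)(memberOf=CN=TeamCity-Developers,OU=Entwickler,OU=IT,OU=CompanyName,DC=CompanyName,DC=de))

# Option 1b: same restriction, but also accepting users whose membership is only
# via nested groups. The plain memberOf test above does not follow nesting; the
# extensible match with OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN)
# walks the group chain on the domain controller. Use only one login.filter line.
teamcity.users.login.filter=(&(sAMAccountName=$capturedLogin$)(memberOf:1.2.840.113556.1.4.1941:=CN=TeamCity-Developers,OU=Entwickler,OU=IT,OU=CompanyName,DC=CompanyName,DC=de))

# Option 2 (the answer's edit): restrict by location in the tree instead.
# Move the search base down to the OU and drop memberOf from the filter entirely;
# the scope=2 (subtree) search then only ever sees users under that OU.
# Assumed key name: teamcity.users.base
teamcity.users.base=OU=Entwickler,OU=IT,OU=CompanyName,DC=CompanyName,DC=de
teamcity.users.login.filter=(sAMAccountName=$capturedLogin$)
```

The three blocks are alternatives, not a single file: keep exactly one teamcity.users.base and one teamcity.users.login.filter line in the live config.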