
How do I restrict teamcity.users to members of an Active Directory (LDAP) group?

I'm trying to restrict TeamCity users to members of a specific AD group (FNC_TEAMCITY_USERS). LDAP user synchronisation was already working. In my ldap-config.properties I changed this:

teamcity.users.filter=(objectClass=user)

to this:

teamcity.users.filter=(&(objectClass=user)(memberOf=CN=FNC_TEAMCITY_USERS,OU=Groups,DC=group,DC=ourdomain,DC=com))

I restarted the TeamCity service and this change had no effect. All AD users can still log in to TeamCity. I tried this on both our 6.5 instance and our 7.0 (EAP) instance.

Is there something I've missed or is this a bug?

grenade asked Nov 14 '11 10:11


1 Answer

The property limiting users who can log in to TeamCity is "teamcity.users.login.filter". Try setting it instead of "teamcity.users.filter".

"teamcity.users.filter" is the one affecting user synchronization (particularly creating users in TeamCity for users in LDAP).

Be sure to have "java.naming.security.principal" and "java.naming.security.credentials" correctly specified as they are required for "teamcity.users.login.filter" use.

Yaegor answered Sep 27 '22 19:09
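An added example, not part of the original question or answer and not TeamCity code: a small audit script that reads the text of an ldap-config.properties file and flags the situation described in this thread, where the group restriction sits only in the synchronization filter or the bind account needed by the login filter is missing. The function names, the sample configurations and the `<bind-account>`/`<bind-password>` placeholders are constructed for illustration; the script only checks which keys carry a memberOf clause and does not validate the filter syntax TeamCity expects.

```python
import re

# Property names taken from the answer above.
SYNC_FILTER = "teamcity.users.filter"
LOGIN_FILTER = "teamcity.users.login.filter"
BIND_KEYS = ("java.naming.security.principal",
             "java.naming.security.credentials")
MEMBER_OF = re.compile(r"\(\s*memberOf\s*=", re.IGNORECASE)
GROUP = ("(&(objectClass=user)(memberOf=CN=FNC_TEAMCITY_USERS,"
         "OU=Groups,DC=group,DC=ourdomain,DC=com))")

def parse_properties(text):
    """Parse the simple key=value subset of a Java .properties file."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        key, sep, value = line.partition("=")  # split on the first '=' only
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit_ldap_config(text):
    """Return a list of findings; an empty list means no issue was detected."""
    props = parse_properties(text)
    login, sync = props.get(LOGIN_FILTER, ""), props.get(SYNC_FILTER, "")
    findings = []
    if MEMBER_OF.search(sync) and not MEMBER_OF.search(login):
        findings.append("group restriction is only in %s (synchronization); "
                        "logins are not limited by it" % SYNC_FILTER)
    elif not MEMBER_OF.search(login):
        findings.append("%s has no memberOf clause" % LOGIN_FILTER)
    if LOGIN_FILTER in props:
        for key in BIND_KEYS:
            if not props.get(key):
                findings.append("%s is required for %s but is missing or empty"
                                % (key, LOGIN_FILTER))
    return findings

# Constructed samples: the change from the question, and the answer's suggestion.
ASKER_CONFIG = SYNC_FILTER + "=" + GROUP + "\n"
FIXED_CONFIG = ("# placeholder bind account values, not from the page\n"
                "java.naming.security.principal=<bind-account>\n"
                "java.naming.security.credentials=<bind-password>\n"
                + LOGIN_FILTER + "=" + GROUP + "\n")

if __name__ == "__main__":
    for name, cfg in (("question", ASKER_CONFIG), ("answer", FIXED_CONFIG)):
        print(name, audit_ldap_config(cfg) or "no findings")
```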