
How to setup TeamCity with LDAP group membership synchronization


This is a short howto to get you going with your LDAP setup for TeamCity. I personally struggled for quite a bit before I managed to get the synchronization to run. The default config files have a lot of settings and explanatory text, which may be more confusing than helpful, and there are plenty of posts about group sync problems on both the JetBrains forums and Stack Overflow.

Assumptions

This setup assumes you are importing members from single groups rather than from a nested group. If you want to use a nested group for TeamCity, see the "Limiting the number of groups to be synchronized" section at https://www.jetbrains.com/help/teamcity/typical-ldap-configurations.html?_ga=2.213872598.374019039.1565610915-964155662.1565610915

Change teamcity.users.filter accordingly:

teamcity.users.filter=(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=TeamCity Users,OU=Accounts,DC=domain,DC=com))

JetBrains prefers that you have a nested group where the top node is your TeamCity group. However, that's not how I wanted to set up the sync at the moment.

Solution

  • Here's how I set up the TeamCity LDAP config files to synchronize AD groups:

    ldap-config.properties file

    java.naming.provider.url=ldap://<your server or domain>:3268/DC=YOUR,DC=Domain,DC=Here
    java.naming.security.principal=<username>
    java.naming.security.credentials=<password>
    teamcity.users.login.filter=(sAMAccountName=$capturedLogin$)
    teamcity.users.username=sAMAccountName
    
    ### USERS SETTINGS ###
    teamcity.options.users.synchronize=true
    teamcity.users.filter=(objectClass=user)
    teamcity.users.property.displayName=displayName
    teamcity.users.property.email=mail
    
    # Automatic user creation and deletion during users synchronization
    teamcity.options.createUsers=true
    teamcity.options.deleteUsers=true
    
    ### GROUPS SETTINGS ###
    # These settings are mandatory if groups synchronization is turned on (ldap-mapping.xml exists)
    # Set to "true" to enable the synchronization for groups listed in ldap-mapping.xml file.
    # IMPORTANT NOTE: TeamCity groups should be already created manually and listed in ldap-mapping.xml file.
    teamcity.options.groups.synchronize=true
    
    # The group search LDAP filter used to retrieve groups to synchronize.
    # The search is performed inside the LDAP entry denoted by "teamcity.groups.base". The result should include all the groups configured in the ldap-mapping.xml file.
    teamcity.groups.filter=(objectClass=group)
    
    ### OPTIONAL SETTINGS ###
    
    # The time interval between synchronizations (in milliseconds). By default, it is one hour.
    teamcity.options.syncTimeout=3600000
    
    # The LDAP attribute of a group storing its members.
    # Note: the LDAP attribute should contain the full DN of the member, one attribute value per member. See also "teamcity.users.property.memberId".
    teamcity.groups.property.member=member
    

    Note: I use port 3268 rather than 389, because the default port made TeamCity incredibly slow at login: logging in took about 5 minutes in most cases over 389, while over 3268 it was instant. Port 3268 is the Active Directory Global Catalog port. Keep in mind that ldap:// on either port sends the bind credentials and directory data in plaintext; the TLS-protected equivalents are 636 (LDAP) and 3269 (Global Catalog) via ldaps://.

    ldap-mapping.xml file

    <!DOCTYPE mapping SYSTEM "ldap-mapping.dtd">
    <mapping>
      <!-- Example mapping entry:
      <group-mapping teamcityGroupKey="GROUP" ldapGroupDn="CN=Group,DC=Example,DC=Com"/>
      -->
      <group-mapping teamcityGroupKey="YourGroupKey" ldapGroupDn="CN=<DNName>" />
    </mapping>
    

    PowerShell and RSAT

    To get the distinguished name of each group I've added, I used a computer with RSAT (Remote Server Administration Tools) installed: https://www.microsoft.com/en-us/download/details.aspx?id=45520. RSAT adds the Active Directory module to PowerShell, which makes it easier to get the LDAP values you need.

    The PowerShell command:

    Get-ADGroup -Identity "<Group name>" -Properties *
    

    Add the DistinguishedName value to the ldapGroupDn attribute in the ldap-mapping.xml file, together with the teamcityGroupKey, and you should be ready to go.
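The mistakes that most often leave a mapped group unsynchronized are an ldapGroupDn that is not a full DN, a group that lies outside the search base in java.naming.provider.url (so teamcity.groups.filter never returns it), and a plaintext ldap:// URL. The following checker is an added example, not TeamCity's or JetBrains' code: it reads an ldap-config.properties and an ldap-mapping.xml (constructed samples are embedded inline, with hypothetical host, account and group names) and reports those problems. It assumes the group search starts at the root entry of the provider URL, i.e. teamcity.groups.base is not set.

```python
"""Sanity-check a TeamCity ldap-config.properties / ldap-mapping.xml pair.

Added example (not TeamCity's or JetBrains' code): it reads the two files,
resolves the search base from java.naming.provider.url and reports the
mistakes that most often leave a mapped group unsynchronized.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample inputs modelled on the files above; host, account and
# group names are hypothetical.
LDAP_CONFIG = """\
java.naming.provider.url=ldap://dc01.domain.com:3268/DC=domain,DC=com
java.naming.security.principal=svc-teamcity@domain.com
java.naming.security.credentials=example-password
teamcity.users.login.filter=(sAMAccountName=$capturedLogin$)
teamcity.users.username=sAMAccountName
teamcity.options.users.synchronize=true
teamcity.users.filter=(objectClass=user)
teamcity.options.groups.synchronize=true
teamcity.groups.filter=(objectClass=group)
teamcity.groups.property.member=member
"""

LDAP_MAPPING = """\
<!DOCTYPE mapping SYSTEM "ldap-mapping.dtd">
<mapping>
  <group-mapping teamcityGroupKey="DEVS" ldapGroupDn="CN=TeamCity Devs,OU=Groups,DC=domain,DC=com"/>
  <group-mapping teamcityGroupKey="OPS"  ldapGroupDn="CN=TeamCity Ops"/>
  <group-mapping teamcityGroupKey="EXT"  ldapGroupDn="CN=Contractors,DC=partner,DC=net"/>
</mapping>
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' / '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def parse_dn(dn):
    """Split a DN into (ATTR, value) RDN pairs; a comma escaped with a backslash
    stays inside the value. AD compares DNs case-insensitively, so values are lowered."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN {rdn!r} in DN {dn!r}")
        rdns.append((attr.strip().upper(), value.strip().lower()))
    return rdns


def dn_is_under(dn, base):
    """True if `dn` is an entry below `base` (RDN-wise suffix match)."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) > len(b) and d[-len(b):] == b


def check_config(config_text, mapping_text):
    """Return human-readable findings; an empty list means nothing looked wrong."""
    props = parse_properties(config_text)
    findings = []
    url = urlsplit(props["java.naming.provider.url"])
    base = url.path.lstrip("/")          # root entry the group search starts from
    if url.scheme != "ldaps":
        findings.append(f"provider URL uses {url.scheme}://: the bind password and "
                        f"directory data travel unencrypted")
    if (props.get("teamcity.options.groups.synchronize") == "true"
            and "teamcity.groups.filter" not in props):
        findings.append("group sync is on but teamcity.groups.filter is missing")
    seen = set()
    for gm in ET.fromstring(mapping_text).iter("group-mapping"):
        key, dn = gm.get("teamcityGroupKey"), gm.get("ldapGroupDn", "")
        if key in seen:
            findings.append(f"{key}: teamcityGroupKey mapped twice")
        seen.add(key)
        try:
            rdns = parse_dn(dn)
        except ValueError as err:
            findings.append(f"{key}: {err}")
            continue
        if not any(attr == "DC" for attr, _ in rdns):
            findings.append(f"{key}: {dn!r} is not a full DN (no DC= components)")
        elif base and not dn_is_under(dn, base):
            findings.append(f"{key}: {dn!r} lies outside the search base {base!r}, "
                            f"so teamcity.groups.filter can never return it")
    return findings


if __name__ == "__main__":
    for finding in check_config(LDAP_CONFIG, LDAP_MAPPING):
        print("-", finding)
```

Run against the embedded samples it reports three findings: the ldap:// scheme, the OPS entry that carries only a CN, and the EXT group that lives in a different domain than the search base. Point it at your real files by reading them into `config_text` and `mapping_text` instead of the constants.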