TeamCity 2.1 Help

Authentication Settings

Out of the box, TeamCity supports three authentication schemes: Default Authentication, NT Authentication and LDAP Authentication.

The active authentication scheme is configured in the auth-type section of the main-config.xml file located in the <TeamCity data directory>/config directory, for example:

<auth-type>
  <!-- Active login module class, see below -->
  <login-module class="jetbrains.buildServer.serverSide.impl.auth.LDAPLoginModule" />
  <!-- Welcome message displayed to users on login form -->
  <login-description>Welcome to TeamCity, your team building environment!</login-description>
  <!-- Whether anonymous "view-only" logins are allowed (true|false) -->
  <guest-login allowed="true" />
  <!-- Allow users to self-register (only for modules which support this feature, e.g. DefaultLoginModule) (true|false) -->
  <free-registration allowed="false" />
</auth-type>

To change the authentication scheme, edit the class attribute of the login-module tag. Built-in login modules are:

  • jetbrains.buildServer.serverSide.impl.auth.DefaultLoginModule for Default Authentication

  • jetbrains.buildServer.serverSide.impl.auth.NTDomainLoginModule for NT Authentication

  • jetbrains.buildServer.serverSide.impl.auth.LDAPLoginModule for LDAP Authentication

TeamCity extensibility note: Any implementation of javax.security.auth.spi.LoginModule can be used, provided it is registered via a jetbrains.buildServer.serverSide.auth.LoginModuleDescriptor bean.

Use <guest-login allowed="true|false"/> to toggle anonymous login on and off.

Configuring the Login Modules

Default Authentication

Configuration of <TeamCity data directory>/config/main-config.xml:

<auth-type>
  <login-module class="jetbrains.buildServer.serverSide.impl.auth.DefaultLoginModule" />
  <!-- Welcome message displayed to users on login form -->
  <login-description>Welcome to TeamCity, your team building environment!</login-description>
  <!-- Whether anonymous "view-only" logins are allowed (true|false) -->
  <guest-login allowed="true" />
  <!-- Allow users to self-register (only for modules which support this feature, e.g. DefaultLoginModule) (true|false) -->
  <free-registration allowed="true" />
</auth-type>

The users database is maintained by TeamCity. New users are added by the TeamCity administrator (in the administration area, Configure User Account), or users register themselves if the <free-registration allowed="true" /> tag is specified.

NT Authentication

Configuration of <TeamCity data directory>/config/main-config.xml:

<auth-type>
  <login-module class="jetbrains.buildServer.serverSide.impl.auth.NTDomainLoginModule" />
  <!-- Welcome message displayed to users on login form -->
  <login-description>Welcome to TeamCity, your team building environment!</login-description>
  <!-- Whether anonymous "view-only" logins are allowed (true|false) -->
  <guest-login allowed="true" />
</auth-type>

This scheme requires that the TeamCity server is installed under Windows 2000, Windows XP or Windows Server 2003.

All NT domain users that can log on to the machine running the TeamCity server can also log in to TeamCity using the same credentials. That is, to log in to TeamCity, users should provide their user name in the form DOMAIN\user.name and their domain password.

LDAP Authentication

Configuration of <TeamCity data directory>/config/main-config.xml:

<auth-type>
  <login-module class="jetbrains.buildServer.serverSide.impl.auth.LDAPLoginModule" />
  <!-- Welcome message displayed to users on login form -->
  <login-description>Welcome to TeamCity, your team building environment!</login-description>
  <!-- Whether anonymous "view-only" logins are supported -->
  <guest-login allowed="true" />
</auth-type>

Authentication is performed by a direct login to LDAP with the credentials entered into the login form.

The environment for the initial context is initialized with java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, and then all properties from the .BuildServer/config/ldap-config.properties file are loaded (see http://java.sun.com/products/jndi/tutorial/ldap/security/ldap.html for more information on property names and values).

Use an LDAP explorer to browse the LDAP directory and verify the settings (e.g. http://www.jxplorer.org/).

Specifying the Active Directory

Use the following template to authenticate against Active Directory:

java.naming.referral=follow
java.naming.provider.url=ldap://main.labs.intellij.net:389/CN=users,DC=Labs,DC=IntelliJ,DC=Net
java.naming.security.authentication=simple

By default, the login format is restricted to DOMAIN\sAMAccountName (e.g. "LABS\alexey.gopachenko"). Since version 2.1 you can override this restriction by adding the loginFilter property, whose value is a java.util.regex expression to match the login against (e.g. loginFilter=.+ will accept any non-empty login).

You can also specify multiple servers using the following pattern:

java.naming.provider.url="ldap://ldap.mycompany.com:389 ldap://ldap2.mycompany.com:389 ldap://ldap3.mycompany.com:389"
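
The following Python script is an added example, not part of TeamCity or its documentation: it reads an auth-type section and an ldap-config.properties file as described above and reports the settings that widen access (guest login, self-registration, a catch-all loginFilter) or expose credentials (simple bind over ldap://). The sample inputs, the <server> wrapper element, the host name ldap.example.test and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples; the <server> wrapper and host ldap.example.test are assumptions.
SAMPLE_MAIN_CONFIG = """<server><auth-type>
  <login-module class="jetbrains.buildServer.serverSide.impl.auth.LDAPLoginModule" />
  <guest-login allowed="true" />
  <free-registration allowed="false" />
</auth-type></server>"""
SAMPLE_LDAP_PROPS = """java.naming.referral=follow
java.naming.provider.url=ldap://ldap.example.test:389/CN=users,DC=example,DC=test
java.naming.security.authentication=simple
loginFilter=.+
"""

def parse_properties(text):  # key=value lines; skips blanks and # / ! comments
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip().strip('"')
    return props

def audit(main_config_xml, ldap_props_text=""):
    """Return a list of findings for the auth-type section and LDAP properties."""
    auth = next(ET.fromstring(main_config_xml).iter("auth-type"), None)
    if auth is None:
        return ["auth-type: section not found"]
    findings = []
    def allowed(tag):
        el = auth.find(tag)
        return el is not None and el.get("allowed", "").strip().lower() == "true"
    if allowed("guest-login"):
        findings.append("guest-login: anonymous view-only access is enabled")
    if allowed("free-registration"):
        findings.append("free-registration: users can create their own accounts")
    module = auth.find("login-module")
    if module is not None and module.get("class", "").endswith(".LDAPLoginModule"):
        props = parse_properties(ldap_props_text)
        urls = props.get("java.naming.provider.url", "").split()
        if (props.get("java.naming.security.authentication") == "simple"
                and any(u.lower().startswith("ldap://") for u in urls)):
            findings.append("ldap: simple bind over ldap:// sends the password without TLS")
        if props.get("loginFilter") in (".+", ".*"):
            findings.append("loginFilter: catch-all pattern accepts any login format")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_MAIN_CONFIG, SAMPLE_LDAP_PROPS)))
```
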

Last modified: 20 April 2023