Comment: Migrated to Confluence 4.0


TeamCity stores user details and settings in its own database. Refer to the Synchronization section below for information on retrieving common user properties from LDAP.


LDAP synchronization allows you to:

  • Retrieve the user's profile data from LDAP
  • Update user group membership based on LDAP groups
  • Automatically create and remove users in TeamCity based on information retrieved from LDAP

Periodically, TeamCity fetches data from LDAP and updates users in TeamCity. You can review the statistics of the last synchronization run and schedule a new synchronization in the LDAP Synchronization section of the server settings.


Note that if any of these properties are not set, or cannot be applied, the username isn't changed (the input login name is used).


to review: may need to add something from this text:
** If there is a user in an LDAP group, but no corresponding one in the TeamCity group, a new TeamCity user is created and added to the group
** If there is a user in a TeamCity group, but no corresponding one in the LDAP group, the user is unassigned from the group, or possibly removed from TeamCity, depending on whether it is present in LDAP
** If a group in LDAP contains a subgroup, but the corresponding TeamCity group does not, the corresponding subgroup is added. This operation may not be applied in the case of cyclic group inclusion
** If a group in TeamCity contains a subgroup, but the LDAP group does not, the TeamCity subgroup is removed (unassigned) from the group
* All the mapped groups, both in TeamCity and in LDAP, should exist. Otherwise, the synchronization for that particular pair will not work, and an error will occur.
* Synchronization and automatic user creation and/or removal can be disabled using an option (see example below).

Example LDAP configuration file ({{}}):
# The url(s) of LDAP server (mandatory).

# Login filter and formatter: allow user to login to TeamCity passing 'uid' to the login
# form, while the actual authentication is performed with full DN as shown below.

# The credentials: name/password of user which will retrieve information from LDAP.
# The user must have a read access to all LDAP entries under 'teamcity.users.base' and
# 'teamcity.groups.base' (see below).
# These values are not used in login, only in synchronization.
# You can specify any other "java.naming" option if you like.

# Synchronization options.

# The user base DN. Users are retrieved only from the subtree denoted by this DN.
# May be empty (in this case the root DN specified above is used).

# The user search filter. (external link for more details: [])

# The LDAP attributes that correspond to username, display name (full name) and e-mail.

# The custom user property. All custom properties must be prefixed with "",
# the suffix "plugin:notificator:jabber:jabber-account" is TeamCity user property,
# "jabberAccount" is the name of LDAP attribute.
# More TeamCity user properties examples:
#   plugin:notificator:email:e-mail
#   plugin:vcs:svn:anyVcsRoot
#   plugin:vcs:cvs:anyVcsRoot

# Similar settings for groups retrieval.

# The attribute that indicates the member of the group.

Example LDAP group mapping ({{ldap-mapping.xml}}):
<!DOCTYPE mapping SYSTEM "ldap-mapping.dtd">
<mapping>
 <group-mapping teamcityGroupId="GROUP1" ldapGroupDn="CN=Developers,CN=Users,DC=Example,DC=Com"/>
 <group-mapping teamcityGroupId="GROUP2" ldapGroupDn="CN=Domain Admins,CN=Users,DC=Example,DC=Com"/>
</mapping>
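
A dry-run sketch of the membership rules listed above, applied to the example mapping, so that the effect of a mapping can be reviewed before synchronization is enabled (an added example, not TeamCity's code). The user and group snapshots are constructed, the function names are hypothetical, the mappings are assumed to sit under the `mapping` root named by the DOCTYPE, DNs are compared as exact strings, and only the user rules and the both-groups-must-exist check are covered, not subgroups.

```python
import xml.etree.ElementTree as ET

# Constructed input: the page's two mappings under the root named by the DOCTYPE.
MAPPING_XML = """<!DOCTYPE mapping SYSTEM "ldap-mapping.dtd">
<mapping>
 <group-mapping teamcityGroupId="GROUP1" ldapGroupDn="CN=Developers,CN=Users,DC=Example,DC=Com"/>
 <group-mapping teamcityGroupId="GROUP2" ldapGroupDn="CN=Domain Admins,CN=Users,DC=Example,DC=Com"/>
</mapping>"""

# Constructed directory and TeamCity snapshots (hypothetical users).
LDAP_GROUPS = {"CN=Developers,CN=Users,DC=Example,DC=Com": {"alice", "bob"},
               "CN=Domain Admins,CN=Users,DC=Example,DC=Com": {"carol"}}
LDAP_USERS = {"alice", "bob", "carol"}       # dave no longer exists in LDAP
TC_GROUPS = {"GROUP1": {"bob", "dave"}}      # GROUP2 was never created in TeamCity
TC_USERS = {"bob", "dave"}


def load_mapping(xml_text):
    """Return [(teamcityGroupId, ldapGroupDn), ...] in file order."""
    root = ET.fromstring(xml_text)
    return [(m.get("teamcityGroupId"), m.get("ldapGroupDn"))
            for m in root.iter("group-mapping")]


def plan_sync(mapping, ldap_groups, ldap_users, tc_groups, tc_users):
    """Dry run: list the (action, teamcity_group, subject) steps a sync would take."""
    plan = []
    for tc_id, dn in mapping:
        # Both groups of a mapped pair must exist, or that pair fails with an error.
        if dn not in ldap_groups or tc_id not in tc_groups:
            plan.append(("error-missing-group", tc_id, dn))
            continue
        for user in sorted(ldap_groups[dn] - tc_groups[tc_id]):
            if user not in tc_users:         # assumption: create only if absent
                plan.append(("create-user", tc_id, user))
            plan.append(("add-to-group", tc_id, user))
        for user in sorted(tc_groups[tc_id] - ldap_groups[dn]):
            plan.append(("unassign-from-group", tc_id, user))
            if user not in ldap_users:       # gone from LDAP: removal candidate
                plan.append(("remove-user-candidate", tc_id, user))
    return plan


if __name__ == "__main__":
    for step in plan_sync(load_mapping(MAPPING_XML), LDAP_GROUPS, LDAP_USERS,
                          TC_GROUPS, TC_USERS):
        print(step)
```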

Debugging LDAP Integration