License Server Help

Configuring user restrictions

The administrator of the License Server can use machine username, hostname or product to limit a user's access to a license. Since build #17768 there is also an option to limit access for specific product builds. Since JetBrains License Server reads the access config dynamically (once in a minute); no need to restart the application when changes in access rules are added. Since build #17768 there is also LDAP integration. Since build #18692 there is IP as filter parameter for access rules. Parameters are case-sensitive ("hostName", "userName, "ip").


A whitelist describes the restrictions imposed on the users who are allowed to obtain licenses from a license server. If the whitelist configuration is empty, any person can obtain a license from the license server, if not listed in the blacklist section. Otherwise, only users who meet the requirements described in the whitelist are allowed to obtain licenses.


A blacklist describes the restrictions imposed on users who are prohibited from obtaining licenses from the license server. If the blacklist configuration is empty, all users described in the whitelist configuration are allowed to obtain licenses. Otherwise, users who meet the criteria described in the blacklist can't get a ticket for an IDE.


To configure user restrictions, create a file and describe the access rules in the following format in .json file (test example):
{ "whitelist": [ { "product": "(II|RSU|CL)", "userName": "windowsuser.*", "hostName": ".*", "ip": "" }, { "product": "RC", "buildNumber": "2011\\.2\\..+" } ], "blacklist": [ { "product": "DB", "userName": "windowsuser12", "hostName": ".*" } ] }
where "product" is a product code of the IDE requested by user, "userName" is a username set up on the machine where the product is used, "hostName" is a host of the machine where the product is used and "buildNumber" is the version of the product. These parameters accept regular expressions. To configure your license server to use the configuration JSON file:

MSI distribution

ZIP distribution

  1. Stop the JetBrains License Service.

  2. Set the path to the configuration file by running <license_server_home>\apps\license-server\bin\license-server.bat configure --access.config=file:/path-to-configuration-file/access-config.json, where access-config.json is the configuration file with the restrictions specified as described above.

  3. Start the JetBrains License Service.

  1. Stop the license server.

  2. Set the path to the configuration file by running <license_server_home>/bin/ configure --access.config=file:/path-to-configuration-file/access-config.json for Linux and Mac OS X or <license_server_home>\bin\license-server.bat configure --access.config=file:/path-to-configuration-file/access-config.json for Windows, where access-config.json is the configuration file with the restrictions specified as described above.

  3. Start the license server.

LDAP integration

LDAP integration should be enabled in the access rules config, the same where we add black or whitelists rules. The only restrictions used in this module is "the username in the license request must be the same as in LDAP records for this user".

LDAP configuration

To configure user restrictions, create a file and describe the integration in the following format in .json (or edit existing access config) file:

{ "ldap" : { "openLdap1": { "url": "ldap://", "masterDn": "", "password": "", "useSSL": false, "connectionTO": 20000, "responseTO": 30000, "minPoolSize": 1, "maxPoolSize": 5 } }, "whitelist": [ { "product": "IDEA", "ldap": "openLdap1", "matchCondition": "(&(objectCategory=user)(uid=${userName}))" } ] }
Also, more than one filter is possible:
"matchCondition" : "(&(objectClass=user)(sAMAccountName=${userName})(memberOf=))"

In this example the first section describes integration parameters (will be used for the connection). If the integration is configured correctly during the license server's start there will be output (also in license-server-stdout.log):

INFO BlockingConnectionPool:326 - pool initialized [org.ldaptive.pool.BlockingConnectionPool@561062202::name=null, poolConfig=[org.ldaptive.pool.PoolConfig@1540665329::minPoolSize=1, maxPoolSize=5, validateOnCheckIn=false, validateOnCheckOut=true, validatePeriodically=true, validatePeriod=15, validateTimeout=5000], activator=null, passivator=null, validator=[org.ldaptive.pool.CompareValidator@732826732::compareRequest=[org.ldaptive.CompareRequest@232766788::compareDn=, attribute=[objectClass[top]], controls=null, referralHandler=null, intermediateResponseHandlers=null]] pruneStrategy=[org.ldaptive.pool.IdlePruneStrategy@630142260::prunePeriod=300, idleTime=600], connectOnCreate=true, connectionFactory=[org.ldaptive.DefaultConnectionFactory@1541061971::provider=org.ldaptive.provider.jndi.JndiProvider@4 connectTimeout=20000, responseTimeout=30000, sslConfig=null, useSSL=false, useStartTLS=false, bindSaslConfig=null, bindControls=null]]], initialized=true, availableCount=1, activeCount=0]

In whitelist section there is a product and "matchCondition" rule. In this example, IDEA license will be granted only to users with usernames found in LDAP config. JetBrains License Server compares the username in the "obtainLicense" request sent by a product with usernames found in LDAP


If you have configured the restrictions but they do not work, there are two possible reasons why that might be happening.

Case #1

JetBrains License Server tries to apply the access configuration file during start/restart. If the file is not found or has a syntax error, it will be skipped.

How to troubleshoot

When starting the license server you see:

  • a) the file is not found: /path-to-the-file/access-config.json (No such file or directory)
    Solution: check the path to the file specified in conf/ The easiest way to compare this path with the real file's location is to paste it into a browser. Fix the path and restart the license server process.

  • b) if the file has a syntax error:
    ERROR e:62 - Failed to parse config located at file:/path-to-the-file/access-config.json
    with an error description, for example:
    com.fasterxml.jackson.databind.JsonMappingException: Unexpected character (']' (code 93)):
    Solution: check the syntax is correct and restart the process. It's easy to check the syntax with The JSON Validator

These errors are also shown in license-server-stdout.log. http(s)://your-license-server-web-page/check-configuration shows where logs and config files are located on your copy of the license server.

Case #2

LicenseRequest sent by a user doesn't match the restriction rules.

How to troubleshoot

Compare the request from logs/license-server-stdout.log with the rules. It may differ from the hostname, product, or build version.


  1. { "blacklist": [ { "product": "RS 2017.3", "userName": "(username1|username3|katya)", "hostName": } ] }

    In this case, a user WILL GET a license if:

    • The hostname is not;

    • Or username is not listed;

    • Or username is like katya123;

    • Or username is like username333;

    • Or product is not ReSharper;

    • Or product is ReSharper but 2017.2 / 2016.1 and so on.

  2. { "whitelist": [ { "product": "RS 2017.3", "userName": "(username1|username3|katya)", "hostName": "" } ] }

    A user WILL NOT GET a license if:

    • They are among (username1|username3|katya), but hostname differs;

    • Or the user asks for anything but ReSharper;

    • Or for ReSharper but not version release 2017.3

    • Also, nothing will be available for other users although there is no separate blacklist section.

  3. { "blacklist": [ { "product": "II 2017.2", "userName": "(username1|username2)" } ], "whitelist": [ { "product": "GO 2017.3", "userName": "(username3|username4|katya)" } ] }

    In this case:

    • username1 and username2 - as well as users not listed in any section at all - will not get any license, because priority is given to whitelist rule.

    • If you need to restrict the access to anybody but (username3|username4|katya) and allow other users to keep on using other products - you need to remove the whitelist section and add a new one to the blacklist. To match users use regular expressions,e.g.:

      "product": "GO 2017.3", "userName": "((?!username3|username4|katya).)*"
      this rule will reject requests from all users who are not matched by usernames.

Priority lists

Priority list is a separate section, it has the same format as black or whitelist - it must contain either username, or hostname, or both. In the last case, the server will check strict matching for the pair.

{ "prioritylist": [ { "userName": "kate" } ] }

The algorithm of licenses requests handling if the access configuration file has the priority section:

  1. If there are available licenses on the server suiting an IDE request and a user is not blacklisted - the IDE gets the ticket subject to standard procedure.

  2. If there are no available licenses but the user is listed in the priority section - the floating server revokes one of the already occupied licenses and will grant it to the prioritized user. By default, the ticket whose "last-seen" is the oldest, will be revoked. This mechanism is not configurable.

Products codes

Here you can find our products code:

  • "code": "AC" = AppCode,

  • "code": "CL" = CLion,

  • "code": "DB" = DataGrip,

  • "code": "DC" = dotCover,

  • "code": "DM" = dotMemory,

  • "code": "DP" = dotTrace,

  • "code": "II" = IntelliJ IDEA,

  • "code": "PC" = PyCharm,

  • "code": "PS" = PhpStorm,

  • "code": "RM" = RubyMine,

  • "code": "RS0" = ReSharper,

  • "code": "RSU" = ReSharper Ultimate,

  • "code": "RC" = ReSharper C++,

  • "code": "RD" = Rider,

  • "code": "GO" = GoLand,

  • "code": "WS" = WebStorm

Last modified: 16 January 2019