Windchill Active Directory Setup

March 24, 2018 | Author: joelarceniow | Category: Active Directory, Information Technology Management, Software, Computer Data, System Software



Active Directory Setup for Windchill 9.1

Ajay Valvi

CONFIDENTIAL - PTC PROPRIETARY | 261498586.doc | Last printed Jul/01/2009

Document Properties
File Name: 261498586.doc
Status: Released

Change History
Date | Author | Version | Change Reference
OCT/08/2009 | Ajay Valvi | 0.1 | Draft
NOV/30/2009 | Ajay Valvi | 1.0 | Released

Accepted By
Accepted By: Hemant Shadra
Approval Date: NOV/30/2009
Comments:

Table of Contents
Introduction
Assumptions
Understanding Windchill and LDAP Directory Service
Enabling Active Directory Integration with Windchill
Required Inputs from Active Directory
Enabling Active Directory Integration during New Installation
Specifying user organization
Testing the configuration
Enabling Active Directory Integration for Existing Windchill Instance
Connecting to Active Directory
Updating EnterpriseLDAP Adapter to connect to Active Directory
Configuring Apache to connect to EnterpriseLDAP
Setting authentication in MapCredentials.xml file
Retargeting Users
Retargeting procedure
Appendix
Sample Summary.htm File
Sample app-Windchill-AuthProvider.xml file
Sample mapCredentials.txt file
LDAP Browser login sequence
External References
Retargeting Users----------------------------------------------------------------------14 6.PTC PROPRIETARY 261498586. Enabling Active Directory Integration for Existing Windchill Instance--------------------------------------------------------------------11 6.xml file--------------------------------14 6. Specifying user organization-----------------------------------------------------------9 5.3. repeatedly. Introduction The purpose of this document is to provide information to the consultant about the specific configuration involved to set up an Active Directory Integration with Windchill 9.Advanced.1. Active directory can be integrated with a Windchill instance during a new installation or with an existing Windchill Instance. in a controlled test environment to insure that they are functioning as desired before executing them in a production. When an existing instance of Windchill is integrated with an existing instance of Active Directory. PTC bundles an LDAP directory service with Windchill. the users from Aphelion must be retargeted to the Active Directory such that Windchill maintains to use the Active Directory references. Assumptions This document introduces you to the required steps for configuring Active Directory integration with Windchill 9. It is strongly recommended that before performing any of the modifications to the Aphelion LDAP or database. Note Windchill 9. This document covers the following topics:  Enabling Active Directory Integration for a New Windchill Instance  Enabling Active Directory Integration for an Existing Windchill Instance  Retargeting Users This document should be used as a reference for configuring Active Directory integration with Windchill 9. Windchill releases before 9.  This document assumes that the consultant has a good understanding of Windchill System Administration and a basic understanding of LDAP structure and Active Directory.1.1. an alternative to Aphelion directory server.1 CONFIDENTIAL . 
 Store application-specific configuration information to Windchill. The LDAP that is bundled can be leveraged for both purposes or solely for managing the application-specific information.1.PTC PROPRIETARY 261498586. however. the consultant should contact tech support for more direct assistance and guidance in their efforts with the LDAP. 2. Windchill has no specific limitation as to the number of LDAP instances that are integrated with Windchill for user and group administration. 3.doc Last printed Jul/01/2009 | Page 4 of 22 . It is strongly recommended that any of these techniques be tested.1 M030 introduces new LDAP Directory Server Option (Windchill DS powered by OpenDS Technology).0 and 9. it is imperative that the consultant refers to the ‘Configuring Additional Enterprise Directories’ section from the Windchill Installation and Configuration Guide . Understanding Windchill and LDAP Directory Service Windchill utilizes an LDAP directory service or multiple LDAP directory services for two purposes:  Provide user and group administration. The steps mentioned in this document are applicable to all releases of Windchill 9.1 M030 used Aphelion as a part of the bundled LDAP directory service. In PDMLINK 8. Active directory can be integrated with a Windchill instance during a new installation or to an existing Windchill Instance. Both the methods have been explained later in this document.  Connecting to Active Directory during installation  Specifying user organization (optional)  Editing JNDI entry to change search scope 4. or delete entries in an ADS directory.Various configurations have been utilized to satisfy a variety of customers’ requirements. these must be stored in Aphelion that provides full access to Windchill.1. 4. As a result. CN=Users.DC=com Enterprise Repository LDAP User Distinguished Name or Directory System Agent User Description The distinguished name of an existing ADS user Example CN= Bind User. 
we don’t have to create any new adapter or repository. Required Inputs from Active Directory Before starting with any installation or configuration activities.EnterpriseLdap). not ADS.ptc.example. Users and groups under this subtree will be visible to Windchill Example CN=Users. Enabling Active Directory Integration with Windchill While installing a new Windchill instance.ptcnet. But in PDMLINK 9. If the customer is already using Active Directory Server (ADS) as enterprise LDAP service. Therefore. Windchill must have the ability to update group information and organization information. it is implied that the Groups are stored in Aphelion and Users are maintained in the Active Directory. the following three steps are required.PTC PROPRIETARY 261498586. Windchill cannot create. one to maintain groups and the other for Users in support of Windchill. during the configuration a new custom adapter has to be created for LDAP integration. in this scenario you would maintain two different LDAP directories.DC=com or user@domain Enterprise Repository LDAP Password or Directory System Agent Credentials CONFIDENTIAL .DC=example.doc Last printed Jul/01/2009 | Page 5 of 22 . modify. When considering Active Directory integration with Windchill. An Active Directory integration with Windchill is a read-only configuration.0 and later versions. The EnterpriseLdap adapter is defined such that it enables a site to easily connect to an existing Corporate LDAP to allow existing corporate users to be validated for Windchill use. Windchill can query entries in ADS using a JNDI adapter. Windchill can be integrated with ADS such that the user information is maintained in the existing ADS directory. Inputs from Active Directory Enterprise Repository LDAP Server Host Name Description Host name to connect to the Microsoft Active Directory Service (ADS) Server Example seha074. following is the minimum required information that needs to be obtained to connect to an Active Directory.0. 
One such requirement is to integrate Windchill with an already existing Active Directory Server (ADS) for both authentication and account management. therefore.DC=example. we can use the existing adapter that is created OOTB (for example com.com Search Base or Base Distinguished Name for Enterprise Users Description The distinguished name of an LDAP subtree under which Enterprise LDAP entries reside. This means Windchill cannot be used to administer user information in ADS (standard Microsoft administration tools must be used instead). <Password_for_Bind_User> Enterprise Repository LDAP Server Port Description Port to bind to the Active Directory Server Always use 3268 for the port when configuring Windchill with Active Directory. If you bind to port 389 (even if you bind to a Global Catalog server) your search includes a single domain directory partition. Subtree search seems to work better with 3268. rather than the default LDAP port (i.doc Last printed Jul/01/2009 | Page 6 of 22 .Description Enter the password of the specified user . If you bind to port 3268. your search includes all directory partitions in the forest.e. port 389). Verify the port number with the Customer’s System Administrator The following flowchart helps to visualize the steps involved in Active Directory Integration CONFIDENTIAL .PTC PROPRIETARY 261498586. However.DC=example. in Active Directory where the users and groups reside.1 2.1.1. Select the Enable Separate Enterprise LDAP Server check box to enable it o On selecting this check box. CONFIDENTIAL . 5.doc Last printed Jul/01/2009 | Page 7 of 22 .DC=com") if you have users in different nodes.DC=com You can set the Search Base to the root (i. Enter the Base Distinguished Name for Enterprise Users o You need to mention the ‘distinguished name’ of the LDAP subtree. the next screen displays JNDI Adapter Settings page to specify the settings for the separate LDAP server. 
LDAP settings page On the LDAP settings page.PTC PROPRIETARY 261498586.1. also called the search base.  o For Example : CN=Users.5. Enabling Active Directory Integration during New Installation During installation. Note For more information refer to the 'Entering Your LDAP Settings' section in the Windchill® Installation and Configuration Guide — Advanced. "DC=example. Windchill 9. you must perform the following two settings: 1.e. Active Directory specific information needs to be entered on various PSI pages. setting the Search Base to the root might result in poor performance. Ensure the Enable Separate Enterprise LDAP Server check box is enabled else the next page won’t display the JNDI settings page. Enter the fully qualified hostname of the Microsoft Active Directory Service (ADS) Server in the ‘Enterprise Repository LDAP Server Host Name’ text field.e. Select the Bind as User radio button for LDAP Connection type. 3. always use 3268 for the port rather than the default LDAP port (i.3.DC=com 6. the Windchill Administrator must be created in the Administrative LDAP. Select the Groups check box. Since Windchill has Read Only access to the Active Directory. select the Administrative radio button option for ‘Select the Repository Where the Site Administrator is Stored’ setting.1. Enter the password for the specified user in the ‘Enterprise Repository LDAP Password’ text field. 4. JNDI settings page On the JNDI settings page. CN=Users.PTC PROPRIETARY 261498586.2.1. port 389). enter the following information: 1. Enter 3268 in the ‘Enterprise Repository LDAP Server Port’ text field. 5. 8.1. o When configuring Windchill with Active Directory.DC=example. 5.1. Core Product Settings page On the Core Product Settings page. o For Example : CN= Bind User. Select the Active Directory Service (ADS) radio button as LDAP service. Enter the distinguished name of an existing ADS user in the ‘Enterprise Repository LDAP User Distinguished Name’ text field. 5. 
and ensure that the Users check box is enabled as well.doc Last printed Jul/01/2009 | Page 8 of 22 . 7. CONFIDENTIAL . doc Last printed Jul/01/2009 | Page 9 of 22 .PTC PROPRIETARY 261498586.1.5. the EnterpriseLDAP Adapter must be modified to include an additional property. CONFIDENTIAL . Specifying user organization In order to assign an initial organization name to a user.  Navigate to Info*Engine Administrator page from Site > Utilities > Info*Engine Administrator.2. Add the usersOrganizationName custom property to set the initial organization name for all users accessed through the EnterpriseLDAP Adapter.  Log on by entering cn=Manager and the appropriate password. Testing the configuration Search and add Active Directory users and groups to various roles. Members.test. Refer to the "Setting the User Organization" section in the Windchill Installation and Configuration Guide — Advanced for more information about the need for setting this property o Click OK to complete the modification to the Adapter.  Edit the Adapter to change the LDAP search scope and add an additional property o Select the drop down list for LDAP Search Scope and set it to SUBTREE.PTC PROPRIETARY 261498586. 5. Guests. Select the JNDI adapter by the name com.This property associates an initial organization name to the user.mapping. in test products and libraries. Select OK again on the confirmation window..doc Last printed Jul/01/2009 | Page 10 of 22 .EnterpriseLdap. o Enter 'com.<example>.1. CONFIDENTIAL .usersOrganizationName' in the Property text field and '<OrganizationName>' in the Value text field and click the Add button.windchill. such as Product Creators.EnterpriseLDAP to open the Property Editor page. Log on as new users and create products and documents to verify successful login and object creation abilities. etc.example.3. example.EnterpriseLDAP to open the Property Editor page.DC=example.CN=Users. 4. 6. 
Navigate to the Info*Engine Administrator page from Site > Utilities > Info*Engine Administrator.example. setting the Search Base to the root might result in poor performance. Though the retargeting users is done after making the configuration changes to connect to Active Directory. "DC=example.doc Last printed Jul/01/2009 | Page 11 of 22 .PTC PROPRIETARY 261498586. 6.jndi. it is important to understand and analyze the effort and complexities involved before starting the configuration changes. 2.com:3268 Directory System Agent User CN=Bind User.xml file.  Second is to be able to retarget the existing users from Aphelion to the Active Directory so that next time the users login they are maintained and authenticated against the Active Directory Before starting with any configuration activity.DC=example.DC=com") if you have users in different nodes. 3. two aspects should be considered while adding an additional Enterprise Directory:  First is connecting to a Corporate LDAP like Active Directory to Windchill so that one can add users and groups from Active Directory to Windchill.1. Connecting to Active Directory Connecting to Active Directory involves the following three steps:  Update EnterpriseLDAP Adapter to connect to Active Directory. JNDI Adapter Property Value Service Name com.  Set Authentication in MapCredentials.example. However.EnterpriseLdap Runtime Service Name com. it is necessary that one reads through the Retargeting Users section. collect the required information as mentioned in the “Required Inputs from Active Directory” section 1. Edit the following Adapter properties settings. Log on by entering cn=Manager and the appropriate password.1. LDAP Search Scope SUBTREE CONFIDENTIAL .  Configure Apache to connect to EnterpriseLDAP. Updating EnterpriseLDAP Adapter to connect to Active Directory Before you start updating the EnterpriseLDAP.DC=com Directory System Agent Credentials <Password_for_Bind_User> Search Base CN=Users. 
Port Leave it Blank Provider Url ldap://activedirectoryhost.<example>.JNDIAdapterImpl Host . Enabling Active Directory Integration for Existing Windchill Instance For an existing instance of Windchill.1.DC=com You can set the Search Base to the root (i.EnterpriseLdap Service Class com. Select the JNDI adapter by the name com.6.e.infoengine. mapping.EnterpriseLdap.example.PTC PROPRIETARY 261498586.windchill.windchill.mail mail com.user.mapping.test.windchill.EnterpriseLdap.postalAddress postalAddress com.test.description description *com.mapping.user.mapping.example.example.EnterpriseLdap.mapping.windchill.doc Last printed Jul/01/2009 | Page 12 of 22 .EnterpriseLdap.o company *com.mapping.EnterpriseLdap.test.test.EnterpriseLdap.test.user.example.user.mapping.mapping.windchill.mapping.test.windchill. Add the following Adapter properties one by one in the Additional Properties section Additional Properties Value com.example.user.example.sn sn com.mapping.group.mapping.uniqueIdAttribute **sAMAccountName CONFIDENTIAL .example.windchill.windchill.user.example.example.test.facsmileTelephoneNumber facsmileTelephoneNumber *com.windchill.mapping.test.windchill.example.objectClass group *com.test.example.windchill.EnterpriseLdap.windchill.example.EnterpriseLdap.test.config.test.test.EnterpriseLdap.test.test.uniqueIdAttribute **sAMAccountName com.EnterpriseLdap.mobile mobile *com.directoryType ADS com.windchill.preferredLanguage preferredLanguage com.mapping.EnterpriseLdap.windchill.EnterpriseLdap.uniqueMember member *com.user.test.group.mapping.EnterpriseLdap.EnterpriseLdap.example.user.EnterpriseLdap.9.windchill.example.windchill.config.windchill.mapping.EnterpriseLdap.EnterpriseLdap.user.example.telephoneNumber telephoneNumber *com.test.example.test.group.cn cn com.user.mapping.uid **sAMAccountName *com.readOnly true com.example.objectClass user com.example.example.test.user.group.test.windchill.user.config.EnterpriseLdap.EnterpriseLdap.doesNotContainGroups true 
com.windchill. com.PTC PROPRIETARY 261498586.test.test.1. 6.userCertificate userCertificate *com.windchill.windchill. The format of the “userPrincipalName” is <sAMAccountName>@<the_domain_name> which guaranties “userPrincipalName” to be unique across all domains. In that case please use the “userPrincipalName”. **If you have an Active Directory forest then the “sAMAccountName” name might not be unique across different Active Directory domains.user.EnterpriseLdap.usersOrganizationName <Windchill_Organization_Name> The * marked properties are mandatory properties. Configuring Apache to connect to EnterpriseLDAP Configure Apache Web Server such that it points to the Active Directory for authentication.mapping.example.2.mapping.EnterpriseLdap.  Execute the following command in a Windchill shell and from the Apache load point folder to update the authentication properties: CONFIDENTIAL .example.doc Last printed Jul/01/2009 | Page 13 of 22 . The other properties may or may not be included. test. Retargeting Users For customers who wish to manage users in Active Directory.xml in the Appendix to compare with and verify after making the Apache Configuration Changes.2.xconf and propagate the changes using the Windchill shell.DC=com?sAMAccountName?sub? (objectClass=*)" -DbindDn="CN=BindUser. To access ADS.ptc. This is either done in an effort to utilize a single sign on method or to reduce the administrative overhead of maintaining users in multiple LDAPs.adapters" value="com.DC=test. Retargeting users involves changing the Windchill reference to a user from Aphelion to the corporate Active Directory.DC=com" -DbindPwd="<Password_for_Bind_User>" Note The Ant command must be entered in a single line though it appears to be multiline command To verify if the Ant script has updated the changes appropriately. a proper Bind user must be specified.DC=com^< Password_for_Bind_User>"/> There are chances that these properties already exist.DC=actdirhost.3.ptcnet. 
Additional properties <AddToProperty name="mapcredentials.xml file The MapCredentials.CN=Users. However.ptc.EnterpriseLdap^CN=BindUser. Moving users from Aphelion to an Active Directory will not include moving the Groups to the corporate LDAP simply based on the volume of the groups that Windchill can create and their relative insignificance to the entire organization. retargeting existing users in Aphelion to Active directory is the most common method for moving users.o ant -f webAppConfig.PTC PROPRIETARY 261498586. 6.doc Last printed Jul/01/2009 | Page 14 of 22 .xml addAuthProvider -DappName=<Windchill_app_name> -DproviderName=EnterpriseLdap -DldapUrl=" ldap:// actdirhost. The DN of the user is also referenced in a multitude of Groups that are also found in the LDAP.Ldap-Pending^cn=Manager^ldappasswd"/> <AddToProperty name="mapcredentials. All data records in Windchill are related to a WTUser. Add the following two properties to the site. compare with the sample mapCredentials. 6. which has a relationship to a specific entry in the database that maintains the user’s DN (Distinguished Name) and LDAP adapter. the default access to the enterprise directory is anonymous.1. Retargeting users essentially involves changing the references of users in Windchill to the newly connected Active Directory instead of Aphelion with the following condition: CONFIDENTIAL .DC=actdirhost.ptcnet.CN=Users. Setting authentication in MapCredentials. If no parameters are added to the MapCredentials file.admin. There are a couple of significant relationships that a user has inside of the data found within Windchill.txt file in the Appendix. Ensure that the values for these properties include the Bind User path and password.DC=example. refer to the sample file of the appWindchill-AuthProvider. it is possible to select and add groups managed in Active Directory in Windchill.admin. 
To verify if the properties have been propagated appropriately.adapters" value="com.xml file is used to specify the authentication access to a specific Info*Engine adapter.DC=test.com:3268/OU=ptc. a few pre-migration steps need to be performed to ensure that the data to which Windchill expects to have access to is readily available. Refer to the 'Mapping User and Group and Group LDAP Values in an Existing Directory' section in the 'Windchill® Installation and Configuration Guide — Advanced'. CONFIDENTIAL . the consultant should contact Technical support for more direct assistance and guidance in their efforts with the LDAP. The first is sAMAccountName. This document does not provide methods to troubleshoot or correct any discrepancies in the data if the UIDs do not match. Before retargeting users to the corporate Active Directory. Instead there are two attributes that contain the user id (uid) information. In such a case you may have to create a separate JNDI Adapter in order to search for those users or you could still maintain them in the Aphelion or Windchill DS.1.PTC PROPRIETARY 261498586. Retargeting procedure This procedure involves disconnecting the user in Windchill by deleting it from Aphelion and then connecting the disconnected user to the user in Active Directory. create users in the Corporate Active directory. A detailed analysis of both the LDAPs must be done to find out any mismatch. In Aphelion or WindchillDS the UID corresponds to the username.  Is the UID of the user in the corporate LDAP equivalent to the ID stored within Aphelion? o If the ID is not the same. most users may no longer be employed. the above condition must be satisfied.  Is the DN structure of the corporate LDAP such that you need multiple search base DNs to search for all required users? o It is possible that the customer may provide with multiple search base DNs for users within its Active Directory. which is the uid itself. 
Refer to the 'Create JNDI Adapter Entry' and 'Create Repository Definition' sections to add additional adapter in the 'Windchill Installation and Configuration Guide — Advanced'  Are suppliers and external IDs stored in Aphelion? o Investigate how suppliers are handled in the corporate LDAP. they must have the same UID.doc Last printed Jul/01/2009 | Page 15 of 22 . This means when you configure the JNDI adapter you must provide additional attribute-mapping properties to map the default Windchill user and group attributes to the corresponding user and group and group attributes used by your LDAP directory. a unique JNDI adapter will be required for each DN node. the attributes must be mapped appropriately. which means such users do not need to be retargeted. It is possible that suppliers or external users are stored in a different LDAP server or may be a separate forest is created for them. The second is userPrincipalName. which is the uid with the domain appended (for example user@myco. 6. Out-of-the-box ADS does not have a uid attribute for user objects. If the corporate LDAP is structured such that it has multiple DNs for various users.com). To retarget users.2. o If the users exist in Active Directory. The users in Aphelion already exist in Active Directory.  Do all of the users exist in the corporate LDAP? o If some of them do not exist. rename the user in Aphelion to match the entry in the Active Directory LDAP first  Does the corporate LDAP use the same attributes as Aphelion? o If not. It is strongly recommended that before performing any of the modifications to the Aphelion LDAP or database. Another method is to replace the DN info within the database with a new DN such that it points to Active Directory. o In some cases. Before starting with the retargeting procedure:  Remember that the Administrator (wcadmin) user always stays in Aphelion. 
 Ensure that no users are accessing Windchill during the retargeting procedure.service Enter the following query to review the remoteobjectid values and review the returned results.2. Listing the entries in the database Open Windchill Shell.dbUser.pom. and log onto sqlplus as a database user.1. A similar method should be used to retarget users either one by one or all at a time. 6.pom. CONFIDENTIAL . dbpasswd and Windchill_db_name values can be found in the <WT_Home>\db\db.dbPassword & wt. navigate to <WT_HOME>/db/sql.properties wt. 6. Delete user from Aphelion or Windchill DS Browse through the LDAPBrowser to locate and delete the required user to be retargeted.  Take Aphelion and Database backups to restore to the original state if necessary.1.jdbc.  select remoteobjectid from remoteobjectid. wt.2.pom.  sqlplus <dbuser>/<dbpasswd>@<Windchill_db_name> Note The dbuser.1.  Ensure users being retargeted exist in Active Directory and have the same UID as in Aphelion.PTC PROPRIETARY 261498586. The following steps list down the method to retarget a Windchill User ‘pat2’.2.doc Last printed Jul/01/2009 | Page 16 of 22 .  The “Find All Disconnected Principals” page lists the deleted user.  Click the Maintenance link to open the Disconnected Principals table.1.  Click the Search for Disconnected Principals icon. it becomes a disconnected principal in Windchill.  Select the user and click OK.  Navigate to the Site > Utilities page and click the Principal Administrators link to open the Principal Administrators page.  Click the Edit Principal button to edit the disconnected principal address.doc Last printed Jul/01/2009 | Page 17 of 22 .3.2. CONFIDENTIAL . This user must be retargeted to the user in Active Directory.6.PTC PROPRIETARY 261498586. Replace user from the Principal Administrator page Once the user has been deleted from the Aphelion. doc Last printed Jul/01/2009 | Page 18 of 22 . the user is removed from the Disconnected Principals table. CONFIDENTIAL . 
Select the radio button against the user and click OK.  On selecting OK. The user is now retargeted. The results should show the new DN value.’ again. Verify this by running the SQL query ‘select remoteobjectid from remoteobjectid. Search for the user by entering the username of the deleted user and clicking Search on the ‘Associate New User with Disconnected User’ page  The search returns the same user from Active Directory.PTC PROPRIETARY 261498586. cn=Windchill_9.test.CN=Users.DC=com Enable Separate Enterprise LDAP Server Yes JNDI Adapter Settings Enterprise Repository LDAP Server Host Name: actdirhost.test.o=adplm Base Distinguished Name for Enterprise Users: CN=Users.o=adplm Base Distinguished Name for Administrative Users: ou=people.EnterpriseLdap LDAP Connection Bind as User Enterprise Repository LDAP User Distinguished Name: CN=Bind User.htm File Here is a sample file of the Summary.doc Last printed Jul/01/2009 | Page 19 of 22 .DC=actdirhost.PTC PROPRIETARY 261498586.example.DC=com Enterprise Repository LDAP Password: <Bind User Password> Windchill Privileges for Repository Read Only LDAP Service Active Directory Service (ADS) Repository Contains Users Groups User Filter: CN=* Group Filter: CN=* CONFIDENTIAL .com Enterprise Repository LDAP Server Port: 3268 Enterprise Adapter Name com.DC=test.DC=windchillhost.DC=example.Appendix Sample Summary.com LDAP Port Number: 389 Administrator Distinguished Name: cn=Manager Administrator Password: ********** Confirm Administrator Password: ********** Base Distinguished Name for Product Properties: cn=configuration.1. LDAP Settings LDAP Server DNS Registered Host Name: windchillhost.htm file extract for New Windchill Installation to compare with.cn=Windchill_9.test.cn=AdministrativeLdap.DC=test.1.example. 
CONFIDENTIAL .com:389/ou=people.xml file Here is a sample of the app-Windchill-AuthProvider.DC=test.PTC PROPRIETARY 261498586.txt file Here is a sample of the <WindchillHome>\codebase\WEB-INF\mapCredentials.DC=test.conf files.xml file to compare with after making the Apache Configuration Changes.test.txt file to compare with after adding to the “mapcredentials.xml <?xml version="1.DC=com</bindDn> <bindPwd><BindUserPassword></bindPwd> </provider> </providers> To propagate these properties into .Core Product Settings Windchill Site Administrator: Create New Windchill Site Administrator User Name wcadmin Windchill Site Administrator Password: ******** Confirm Windchill Site Administrator Password: ******** Select the Repository Where the Site Administrator is Stored: Administrative Web Application Context Root: Windchill Info*Engine Server Task Processor Port Number: 10002 Initial Organization Name: adplm Organization Internet Domain Name: example. DC=actdirhost. you can accomplish the Apache Configuration by editing the "<Apache_Load_Point>/conf/extra/app-Windchill-AuthProvider. execute the following command in a Windchill shell and from the Apache load point folder: ant -f webAppConfig.o=ptc</ldapUrl> <bindDn>cn=Manager</bindDn> <bindPwd><Aphelion ldap Password></bindPwd> </provider> <provider> <name>Windchill-EnterpriseLdap</name> <ldapUrl>ldap:// actdirhost.test.DC=actdirhost.com:3268/OU=ptc.test.com Sample app-Windchill-AuthProvider. Alternatively.DC=com? sAMAccountName?sub?(objectClass=*)</ldapUrl> <bindDn>CN= Bind User.cn=AdministrativeLdap.doc Last printed Jul/01/2009 | Page 20 of 22 .example.adapters” property.cn=Windchill_9.xml and propagating the changes as shown below: app-Windchill-AuthProvider. 1.0" encoding="UTF-8"?> <!--Web App Auth Providers List--> <providers enableNTLM="false"> <provider> <name>Windchill-AdministrativeLdap</name> <ldapUrl>ldap://windchillhost.CN=Users.admin.xml regenWebAppConf Sample mapCredentials. 
admin.test.doc Last printed Jul/01/2009 | Page 21 of 22 .pendinguser.admin.hostname)$(credentials.fieldsep)$(ie.fieldsep)$(ie.adapters=com.managerDn)$ (credentials.managerPw) mapcredentials. DC=actdirhost.managerPw) mapcredentials.Ldap-Pending^cn\=Manager^<AphelionldapPassword>.default.example.adapters= LDAP Browser login sequence The Image below shows the sequence to log onto Aphelion LDAP Browser.EnterpriseLdap^ CN=BindUser.server.com.fieldsep)$(ie.ldap=$(wt.mapCredentials.com.rmi.example.server.test.bat located at <WindchillDS_Loadpoint>\server\bat folder CONFIDENTIAL . Connecting to LDAP using a valid LDAP User (cn=Manager) allows deleting or modifying access.managerDn)$(credentials.ldap.Ldap^cn\=Manager^<AphelionldapPassword>.DC=com ^<BindUserPassword> mapcredentials.ldap=$(wt.nonprivileged. Select browser > Select Edit > Uncheck Anonymous bind checkbox > Enter Password > Select Save > Select Connect For starting up WindchillDS browser or the control panel double click the control-panel.ldap.PTC PROPRIETARY 261498586.hostname)$(credentials.test.fieldsep)$ (ie.CN=Users.DC=test.ldap.rmi.ldap.ex ample.txt mapcredentials.admin. doc Last printed Jul/01/2009 | Page 22 of 22 . 133029.External References Reference Description Configuring Additional Enterprise Directories Windchill® Installation and Configuration Guide — Advanced Windchill 9. 124774.1 TANTANs and TPITPIs 135027 .PTC PROPRIETARY 261498586. Migration and Common Challenges’ CONFIDENTIAL . 137040. 139095. 126775.124667 White Paper – ‘Windchill LDAP Authored by Steve Dertien Integration. 137919. 134754.
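An added example, not part of the original document or of PTC's tooling: a Python check that reads provider entries in the shape of the appendix's app-Windchill-AuthProvider.xml and applies the guidance given in this document (port 3268 rather than 389 for Active Directory, the forest-uniqueness note on sAMAccountName, the performance cost of a root search base, and the need for a bind user). The sample XML, host names, finding codes, the rule used to recognise an Active Directory provider and the cleartext-bind check are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Constructed sample in the shape of the appendix's app-Windchill-AuthProvider.xml.
# Host names, DNs, the third provider and the password placeholder are made up.
SAMPLE_XML = """<providers enableNTLM="false">
  <provider>
    <name>Windchill-AdministrativeLdap</name>
    <ldapUrl>ldap://windchill.corp.example:389/ou=people,cn=AdministrativeLdap,cn=Windchill_9.1,o=example</ldapUrl>
    <bindDn>cn=Manager</bindDn>
    <bindPwd>PLACEHOLDER_PASSWORD</bindPwd>
  </provider>
  <provider>
    <name>Windchill-EnterpriseLdap</name>
    <ldapUrl>ldap://ad01.corp.example:389/DC=corp,DC=example?sAMAccountName?sub?(objectClass=*)</ldapUrl>
    <bindDn></bindDn>
    <bindPwd></bindPwd>
  </provider>
  <provider>
    <name>Windchill-EnterpriseLdap-Forest</name>
    <ldapUrl>ldap:// gc01.corp.example:3268/OU=Engineering,DC=corp,DC=example?sAMAccountName?sub?(objectClass=*)</ldapUrl>
    <bindDn>CN=Bind User,CN=Users,DC=corp,DC=example</bindDn>
    <bindPwd>PLACEHOLDER_PASSWORD</bindPwd>
  </provider>
</providers>"""

DEFAULT_PORT = {"ldap": 389, "ldaps": 636}
AD_LOGIN_ATTRS = {"samaccountname", "userprincipalname"}  # assumption: marks an AD provider

MESSAGES = {
    "SINGLE_DOMAIN_PORT": "port 389/636 searches one domain partition; the document says to use 3268",
    "SAM_NOT_FOREST_UNIQUE": "sAMAccountName may repeat across domains in a forest; the document suggests userPrincipalName",
    "ROOT_SEARCH_BASE": "search base is the domain root; the document warns this may perform poorly",
    "NO_BIND_USER": "no bind DN; the document says a proper bind user must be specified for ADS",
    # Not from the document: plain ldap:// sends the bind password unencrypted
    # (ldaps on 636, or 3269 for the global catalog, is the TLS alternative).
    "CLEARTEXT_BIND": "bind password is sent over unencrypted ldap://",
}


def parse_ldap_url(url):
    """Split ldap://host:port/base?attribute?scope?filter (IPv6 literals not handled)."""
    scheme, sep, rest = url.strip().partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in DEFAULT_PORT:
        raise ValueError("not an LDAP URL: %r" % url)
    hostport, _, tail = rest.lstrip().partition("/")
    host, _, port = hostport.partition(":")
    fields = [unquote(f).strip() for f in tail.split("?", 3)]
    base_dn, attribute, scope, ldap_filter = fields + [""] * (4 - len(fields))
    return {
        "scheme": scheme,
        "host": host.lower(),
        "port": int(port) if port else DEFAULT_PORT[scheme],
        "base_dn": base_dn,
        "attribute": attribute,
        "scope": scope.lower() or "base",  # "base" is the LDAP URL default scope
        "filter": ldap_filter,
    }


def audit_provider(ldap_url, bind_dn, bind_pwd):
    """Return finding codes for one provider entry, in a fixed order."""
    u = parse_ldap_url(ldap_url)
    attr = u["attribute"].lower()
    findings = []
    if attr in AD_LOGIN_ATTRS:
        if u["port"] in (389, 636):
            findings.append("SINGLE_DOMAIN_PORT")
        if u["port"] in (3268, 3269) and attr == "samaccountname":
            findings.append("SAM_NOT_FOREST_UNIQUE")
        rdns = [r.strip().lower() for r in u["base_dn"].split(",") if r.strip()]
        if rdns and all(r.startswith("dc=") for r in rdns):
            findings.append("ROOT_SEARCH_BASE")
        if not bind_dn:
            findings.append("NO_BIND_USER")
    if u["scheme"] == "ldap" and bind_pwd:
        findings.append("CLEARTEXT_BIND")
    return findings


def audit_auth_providers(xml_text):
    """Map each provider name in the XML to its list of finding codes."""
    report = {}
    for prov in ET.fromstring(xml_text).iter("provider"):
        name = (prov.findtext("name") or "").strip()
        report[name] = audit_provider(
            prov.findtext("ldapUrl") or "",
            (prov.findtext("bindDn") or "").strip(),
            (prov.findtext("bindPwd") or "").strip(),
        )
    return report


if __name__ == "__main__":
    for name, codes in audit_auth_providers(SAMPLE_XML).items():
        print(name)
        for code in codes:
            print("   %s: %s" % (code, MESSAGES[code]))
```

A real file whose bindPwd still holds an angle-bracket placeholder, as in the appendix sample, is not well-formed XML and has to be filled in before it will parse.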