
Multiple LDAP Authentication

mgodfrey
1-Newbie


Hi all, Can I have my Integrity/MKS environment authenticate against multiple domains?

5 REPLIES 5
KaelLizak
14-Alexandrite
(To:mgodfrey)

Hello Marshall,

This functionality is covered by CS84458. Contact PTC Integrity Lifecycle Management Support to add your organization to this enhancement request.

This use case used to be addressed on XP or Windows Server 2003 by using Microsoft Windows Active Directory Application Mode (ADAM), which was described here (link no longer works): http://www.microsoft.com/windowsserver2003/adam/default.mspx

On Windows Server 2008, ADAM has been replaced by AD LDS (Active Directory Lightweight Directory Service), which is described here:

http://technet.microsoft.com/en-us/library/cc732019.aspx

For a description, see:

http://technet.microsoft.com/en-us/library/cc754361(v=ws.10).aspx

Regards,
Kael


Kind Regards,
Kael Lizak

Senior Technical Support Engineer
PTC Integrity Lifecycle Manager

Thanks Kael, I'll take a closer look at LDS and see if it's an option, maybe even for some other apps with the same issue.

If by multiple domains you mean multiple child domains, then yes this is possible. For example, if you have a top-level Active Directory forest of company.com and the following child domains:

  • us.company.com
  • eu.company.com
  • ch.company.com

Integrity can be configured to follow referrals between the child domains under company.com using enumeration in security.properties.

  • ldap.host.1=us.company.com
  • ldap.host.2=eu.company.com
  • ldap.host.3=ch.company.com

For more details on enumeration, see the Integrity Server Administration Guide.

If you want to authenticate against multiple top-level forests (company.com and otherdomain.com) then you would have to implement an AD aggregator like ADAM as Kael mentioned.

Hi Joe, unfortunately this involves two completely separate forests as we were acquired by a larger company recently.

All of our current MKS/Integrity/Implementer users authenticate to our existing AD domain, but we're graduating applications and systems toward the new (to us) parent company's AD domain, which also uses its own ticket/change management system different than PTC.

So I'm not really sure what the plan will be going forward...  continue to use PTC or swap over to theirs, SCCM if I'm not mistaken.

But for now, the easiest thing to do with a new user is create them an account in the old/existing domain but not sure how long I'll be able to do that....

Thanks for the contributions!!

KaelLizak
14-Alexandrite
(To:mgodfrey)

Marshall,

Your life will be much easier when you do have to migrate to the new domain if you can ensure that the user IDs are the same between the old and new domain (well, the part before the domain, specifically).  CS156619 looks like it covers some of the considerations of moving to a new domain, including LDAP.

Regards,

Kael


Kind Regards,
Kael Lizak

Senior Technical Support Engineer
PTC Integrity Lifecycle Manager
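
A pre-migration check for the advice above about keeping user IDs the same across the old and new domain, as an added example that is not part of the original thread or PTC's tooling. The CSV exports, the account names and the `employee_id` column used to tell people apart are constructed assumptions.

```python
import csv
import io

# Constructed sample exports (not real accounts). "employee_id" is an assumed
# stable attribute used only to tell whether two accounts are the same person.
OLD_DOMAIN_CSV = """login,employee_id
OLDCORP\\mgarcia,1001
OLDCORP\\JSmith,1002
OLDCORP\\akhan,1003
"""
NEW_DOMAIN_CSV = """login,employee_id
mgarcia@parent.example,1001
jsmith@parent.example,2077
a.khan@parent.example,1003
"""

def local_part(login):
    """Strip the domain from DOMAIN\\user or user@domain and lower-case it."""
    login = login.strip()
    if "\\" in login:            # DOMAIN\user form
        login = login.split("\\", 1)[1]
    if "@" in login:             # user@domain form
        login = login.split("@", 1)[0]
    return login.lower()

def load(text):
    """Map normalized user ID -> employee_id from a CSV export."""
    return {local_part(r["login"]): r["employee_id"].strip()
            for r in csv.DictReader(io.StringIO(text))}

def compare(old_text, new_text):
    """Classify every old-domain user ID against the new domain's export."""
    old, new = load(old_text), load(new_text)
    # No account with this ID in the new domain: the user cannot log in as-is.
    missing = sorted(u for u in old if u not in new)
    # Same ID, different person: if the application keys permissions on the
    # user ID, this person would pick up the old account's access.
    collisions = sorted(u for u in old if u in new and old[u] != new[u])
    matched = sorted(u for u in old if u in new and old[u] == new[u])
    return {"matched": matched, "missing": missing, "collisions": collisions}

if __name__ == "__main__":
    for label, users in compare(OLD_DOMAIN_CSV, NEW_DOMAIN_CSV).items():
        print(label, users)
```

Entries under `missing` and `collisions` are the accounts to resolve before switching the LDAP host.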