
BYO LDAP Question: What is your base DN?

avillanueva
22-Sapphire I


Kicking around OpenDJ for my Dev server of Windchill 12.0.2. Since LDAP is only going to be storing users now (right?), is there a preferred convention for the LDAP base DN?  Does it matter anymore? I stuck with o=ptc like we did for previous installations. Is the distinction between Enterprise and Administrative gone as well?

1 ACCEPTED SOLUTION

mmeadows-3
13-Aquamarine
(To:TomU)

For any component of Windchill, 'supported' isn't just from the perspective of PTC says 'it should work'.  It also means the supplier of the component continues to update their product.  For WindchillDS, that includes supporting future Java versions (WindchillDS is limited to Java 1.8) and patching security holes as they are discovered.

 

Per CS337415, we can and must use WindchillDS during upgrade to 12.0.2.  But once we pass 12.0.1, we should plan to move away from WindchillDS.  PTC clearly states WindchillDS is at end of life. From CS335696:

"The ownership and responsibility of maintaining the LDAP solution or migrating user data to any LDAP solution lies entirely with the customer."

and

"After the upgrade to Windchill 12.0.1, Customers should have a plan to migrate to an alternate Directory Server. Use of Windchill DS should only be considered as a temporary stop gap during the upgrade or in a non-production environment because PTC will not support any problems specific to Windchill DS."


6 REPLIES
TomU
23-Emerald IV
(To:avillanueva)

Once the data has been migrated to JSON files, the only thing left in Windchill DS are user accounts.  (The other stuff can just be deleted.)  I would think the users could be in any base DN, but I haven't actually tested it.  (Technically I'm still using the default Windchill 12.0 structure even though I'm running 12.1 now.)  I did do a different test where I completely eliminated Windchill DS and just used Active Directory.  Everything worked fine but it was sort of a pain since I.T. controls the A.D. accounts.  Ultimately I ended up keeping Windchill DS running and just leaving a few key accounts in there so I don't bother I.T. (site admin, org admin, and some other test accounts).

avillanueva
22-Sapphire I
(To:TomU)

But isn’t WindchillDS no longer supported? OpenDJ looks and feels the same, well, because it is.

PTC took the OpenDJ Community Edition, tweaked it for their needs, and called it WindchillDS.  So it is very easy to use OpenDJ going forward.  During installation of 12.x, all the default values for a non-ADS LDAP are for an OOTB installation of OpenDJ.  This makes it easy to install your next upgrade target.

As I understand it, one reason PTC dropped WindchillDS is OpenDJ didn't support Java 11 when PTC needed to release Windchill 12.  That has since been resolved and the latest OpenDJ does support Corretto Java 11.

In the early builds of 12.x, I found the upgrade manager had issues if my 12.x installation used Site Admin DN 'uid=wcadmin,o=ptc'.  It was the early days of 12.x and not sure if that is still the case.  I set my Site Administrator DN to 'uid=wcadmin,ou=people,dn=AdministrativeLdap,dn=Windchill,o=ptc' and haven't had an issue since.

I also removed cn=Administrator as a second value.  That helps if you end up moving to Active Directory or any other company LDAP in the future.

EnterpriseLdap is only needed if you are using it.  If it is empty, you can drop it during upgrade or delete it pre-upgrade.  Just ensure it is empty first and don't forget to remove the Repository and the related site.xconf entries.

I commented with more details about the installation of OpenDJ and the LDIF migration process in another post...

https://community.ptc.com/t5/Windchill/who-is-using-V3-ldaps-other-than-WCDS11-2-for-windchill-12-0-1-x/m-p/797478#M66922
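An added example, not part of the original posts: a check to run over an LDIF export before dropping a branch, following the advice above to confirm EnterpriseLdap is empty first. The AdministrativeLdap path is the one quoted in the post; the EnterpriseLdap DN and the sample entries are constructed assumptions, so substitute the DNs from your own directory.

```python
import base64

ADMIN_BASE = "dn=AdministrativeLdap,dn=Windchill,o=ptc"   # from the Site Admin DN quoted above
ENTERPRISE_BASE = "dn=EnterpriseLdap,dn=Windchill,o=ptc"  # assumed by analogy; use your own
# Constructed sample export: one DN is folded, one is base64-encoded (non-ASCII).
_B64 = base64.b64encode(("uid=j\u00f6rg,ou=people," + ADMIN_BASE).encode("utf-8")).decode()
SAMPLE_LDIF = f"""\
dn: o=ptc
objectClass: organization

dn: ou=people,{ENTERPRISE_BASE}
objectClass: organizationalUnit

dn: uid=wcadmin,ou=people,dn=AdministrativeLdap,
 dn=Windchill,o=ptc
objectClass: inetOrgPerson

dn:: {_B64}
objectClass: inetOrgPerson
"""

def parse_ldif_dns(text):
    """Return every entry DN, unfolding continuation lines and decoding 'dn::'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]      # RFC 2849 folding: drop the single leading space
        else:
            lines.append(raw)
    dns = []
    for line in lines:
        if line.startswith("dn::"):
            dns.append(base64.b64decode(line[4:].strip()).decode("utf-8"))
        elif line.startswith("dn:"):
            dns.append(line[3:].strip())
    return dns

def _norm(dn):
    # Simplified comparison: case-insensitive, no escaped commas in values.
    return ",".join(part.strip().lower() for part in dn.split(","))

def entries_below(dns, base):
    """Entries strictly under `base` (the base entry itself is not counted)."""
    suffix = "," + _norm(base)
    return [dn for dn in dns if _norm(dn).endswith(suffix)]

def user_entries_below(dns, base):
    """Assumption: user accounts are the entries whose RDN is uid=..."""
    return [dn for dn in entries_below(dns, base) if _norm(dn).startswith("uid=")]
```

In the sample, the EnterpriseLdap branch holds only its `ou=people` container and no `uid=` entries, which is the state to confirm before removing it.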

 

TomU
23-Emerald IV
(To:avillanueva)

Define 'supported'.  WindchillDS is no longer bundled with Windchill, but any 'V3 Compliant Corporate Directory Service' is compatible/acceptable/approved.

 

From the Windchill 12.1.1.1 release matrix:

 

[Image: TomU_1-1662597093625.png]

 

You can continue to use the last available version of WindchillDS as long as you want, but tech support isn't going to take any responsibility for it.  On the other hand, tech support isn't going to help you with OpenDJ either, so is it really 'supported' either?  Both are approved for use with Windchill, but neither one will be 'supported' by tech support.

 

For reference:

Thanks @mmeadows-3 and @TomU. If I could accept two answers I would.  You have been very helpful. Since I am building a Dev instance, OpenDJ is fine and I will make my own DN path. That's a good note for production upgrade since I will be going straight to 12.0.2. It will be a follow-on task to clean up the LDAP history.
