Disallow login for active directory users

gchampoux
1-Newbie

We use Windows Active Directory for Windchill authentication.
We control access within Windchill by groups/teams.


However, this does not stop unauthorized AD users from logging in.
They can log in, but cannot see any Products or Libraries, which is good.
But I would like to stop them at the login screen.
Is this possible?
For example: can I create a whitelist of the User IDs that are allowed to log in?
Where would such a whitelist be defined?

Windchill Intralink 9.1.




Gerry Champoux
Williams International
Walled Lake, MI

7 REPLIES

Yes it is possible. You need to create a branch in your Windows Active
Directory and place the Windchill users in that branch. You then need to
update Apache and the JNDI adapter in Windchill to only look at that branch
for authentication.

Hope that helps!

Unfortunately, that is not an option for me.
The AD is not under my control.
The users are currently under several different branches (for other organizational purposes).
Our AD admins won't allow a structure change to the branches.



Gerry

The easiest way out would be to create a group for Windchill users and add
the desired users to that group.

You can set user filters in your Apache as well as in JNDI adapter for
Windchill.

For Apache -

This.

A very common way of handling this. You don't want Windchill hitting your entire Active Directory system anyway. Set up a group (within the search base, of course) and add users to it. Remember it's just a list group and that it should add the group to each user's "memberOf" attribute. This is the norm for Active Directory and I'm sure it's set up like this for yours as well.

Also note that the username you use to access your LDAP (via the JNDI Adapter and Apache) needs to have more than Read access, if I recall. Read access works fine, but if you are using a group, that "memberOf" attribute isn't seen with just "Read-Only" access.




Steve Vinyard
Senior Solution Architect
avillanueva
22-Sapphire I
(To:gchampoux)

We have configured Apache and e-signature to point to AD only. WC still points to the Windchill DS LDAP where users are created. If the sAMAccountName matches, they will authenticate with their password to AD, then WC looks them up in WindchillDS. If they do not exist in Windchill DS, they get an error screen and are not allowed in. You can knock, but you can't come in.

We / I do the same thing as Antonio. Much easier!



If you want to use a secure connection to AD from Apache, best use port
3269, not 3268 though.



I would totally discourage anyone if given an opportunity from storing or
using Active Directory as a substitute for Windchill DS.



To capture an error, you can create an error page for tomcat based on
wt.org.UserNotFoundException which is thrown when someone with a valid
username and password does not exist in Windchill DS or Aphelion.








Our Windchill system is fully integrated with our corporate AD. There are a few things to keep in mind:


1. Authentication – This is what Apache does. If you want to authenticate through the AD, you will have to change the app-Windchill-Auth.conf file located in <windchill>\Apache\conf\extra to reflect active directory server and location to authenticate against. Sounds like this is ok.



2. Creating JNDI Adapter – This is the “hook” that you need in order to query your corporate AD. We can use this to help keep users out or at least cause Windchill to complain about the unauthorized user upon login. This is done from Site > Utilities > Info*Engine Administrator.


When creating\editing your JNDI adapter, key in on these properties:



  • Provider Url: The value should be ldap://<servername.domain>:3268/ where <servername.domain> is the name of your corporate AD server. This should be similar to the server name you provided in the Apache config file to authenticate against AD. E.g. ldap://myADserver.com:3268/. PTC says 3268 is the standard port to use.

  • Directory System Agent User: CN=<uid>,<rest of path to user>. This is a user account that should only have read-only access to your corporate AD.

  • windchill.mapping.user.filter: This property will allow you to filter out every user except the users who exist in the group you specify. Of course, this requires that you have your AD folks create a group that includes all Windchill users. Once this is done, follow these steps to add the property:

    • From the JNDI adapter, add an additional property. Name it <jndiadaptername>.windchill.mapping.user.filter

    • The value should be similar to this: memberOf=CN=<windchillusergroup>,OU=<blah>,DC=<blah>

    • Windchill should no longer be happy with a user that attempts to log in and does not belong to the group filtered by.
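The Apache side of the group-filter approach described in the replies above, as an added illustration that is not configuration posted in this thread or shipped by PTC. It shows the unrestricted AuthLDAPURL that lets any AD account past Apache next to the group-filtered one, and uses the Global Catalog TLS port 3269 that an earlier reply recommends. The host name, DNs, group name, service account and certificate path are assumptions; the directives are standard mod_ldap / mod_authnz_ldap ones.

```apache
# Added example (not from the thread or from PTC): an Apache/mod_authnz_ldap
# fragment of the kind that lives in app-Windchill-Auth.conf. Host names,
# DNs, the group name and the CA file path are assumptions; substitute yours.

# Server-level: trust the CA that issued the domain controller's certificate
# so that ldaps:// on the Global Catalog TLS port (3269) is actually verified.
LDAPTrustedGlobalCert CA_BASE64 /opt/ptc/apache/conf/ad-root-ca.pem
LDAPVerifyServerCert On

<Location /Windchill>
    AuthType Basic
    AuthName "Windchill"
    AuthBasicProvider ldap

    # WEAK: every account in the forest that knows its password gets past
    # Apache, and Windchill has to turn the unwanted ones away itself.
    # AuthLDAPURL "ldap://gc.corp.example.com:3268/DC=corp,DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"

    # HARDENED: same search, but the filter part of the URL is ANDed with the
    # sAMAccountName match, so only members of the Windchill group can
    # authenticate at all. memberOf is the same attribute the JNDI adapter's
    # <adapter>.windchill.mapping.user.filter property is matched against.
    AuthLDAPURL "ldaps://gc.corp.example.com:3269/DC=corp,DC=example,DC=com?sAMAccountName?sub?(&(objectClass=user)(memberOf=CN=WindchillUsers,OU=Groups,DC=corp,DC=example,DC=com))"

    # Bind account used for the lookup; it needs to read sAMAccountName and
    # memberOf on user objects and nothing more.
    AuthLDAPBindDN       "CN=svc-windchill-ldap,OU=ServiceAccounts,DC=corp,DC=example,DC=com"
    AuthLDAPBindPassword "change-me"

    Require valid-user
</Location>
```

Two checks before relying on this. First, confirm with ldapsearch, bound as the service account over port 3269, that a known Windchill user's entry actually returns its memberOf values; if that attribute is hidden from the bind account (the point raised by Steve Vinyard above), the filter silently matches nobody and every login fails. Second, memberOf lists direct membership only, and the Global Catalog only carries membership of universal groups from other domains; either make the Windchill group universal, point the URL at a domain controller's own LDAPS port, or use AD's nested-group matching rule in the filter, memberOf:1.2.840.113556.1.4.1941:=<group DN>, if users are added through sub-groups. Keep the same group DN in the JNDI adapter's windchill.mapping.user.filter so Apache and Windchill agree on who is allowed in.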

