
ForgeRockDS

YO_10931768
2-Explorer

If I migrate WindchillDS to Active Directory or OpenDJ (ForgeRockDS), can I continue to use it as is?
How will the method of operation change?

ACCEPTED SOLUTION

When we upgraded from 11.2 to 12.0.2.X, we switched from any local DS to completely AD-based.

Considerations:

  • Your admin user will need to exist in AD
  • If your AD doesn't allow LDAP calls and only allows LDAPS calls, be sure to import the AD certificate into your Java keystore before launching the installer
    • Note the cert expiry date, and pay attention to any premature rekeying of the cert for AD, as you will need to update the cert in your Java keystore when it changes in AD

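The two keystore points in the accepted solution (import the AD LDAPS certificate before running the installer, and notice when AD rekeys it) as an added shell example. This is not PTC's or the poster's script; it assumes openssl and keytool on PATH, JAVA_HOME set, the JDK default cacerts password "changeit", and made-up host and alias names.

```shell
#!/bin/sh
# Added example for this thread (not PTC's or the poster's script): fetch the
# certificate a domain controller presents on LDAPS, check it is not about to
# expire, and import it into the Java keystore the Windchill installer and JVM
# trust. A rekeyed AD cert is detected by comparing SHA-256 fingerprints.
# Assumptions: openssl and keytool on PATH, JAVA_HOME set, cacerts password
# "changeit" (JDK default); host and alias names below are made up.
set -eu

# Leaf certificate presented on HOST:PORT, written as PEM to OUTFILE.
# -servername matters when the DC sits behind a load balancer that keys on SNI.
fetch_ldaps_cert() {  # fetch_ldaps_cert HOST PORT OUTFILE
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# Exit 0 if PEMFILE is still valid DAYS days from now, 1 if it expires before then.
cert_ok_for_days() {  # cert_ok_for_days PEMFILE DAYS
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Colon-separated SHA-256 fingerprint of PEMFILE, the same format keytool prints.
cert_fingerprint() {  # cert_fingerprint PEMFILE
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# SHA-256 fingerprint of entry ALIAS in KEYSTORE; empty if the alias is absent.
keystore_fingerprint() {  # keystore_fingerprint KEYSTORE ALIAS STOREPASS
    keytool -list -v -keystore "$1" -alias "$2" -storepass "$3" 2>/dev/null \
        | sed -n 's/^[[:space:]]*SHA256: //p' | head -n 1
}

import_into_keystore() {  # import_into_keystore PEMFILE KEYSTORE ALIAS STOREPASS
    keytool -importcert -noprompt -trustcacerts -file "$1" -keystore "$2" \
        -alias "$3" -storepass "$4"
}

main() {  # main HOST [PORT] [KEYSTORE] [ALIAS]
    host=$1; port=${2:-636}
    # JDK 9+ path; on JDK 8 it is $JAVA_HOME/jre/lib/security/cacerts.
    ks=${3:-"$JAVA_HOME/lib/security/cacerts"}
    alias=${4:-ad-ldaps}; pw=${STOREPASS:-changeit}
    tmp=$(mktemp)
    fetch_ldaps_cert "$host" "$port" "$tmp"
    openssl x509 -in "$tmp" -noout -subject -enddate
    if ! cert_ok_for_days "$tmp" 30; then
        echo "WARNING: $host LDAPS cert expires within 30 days; plan the keystore update" >&2
    fi
    live=$(cert_fingerprint "$tmp")
    stored=$(keystore_fingerprint "$ks" "$alias" "$pw")
    if [ "$live" = "$stored" ]; then
        echo "keystore entry '$alias' already matches the live cert"
    else
        # Empty 'stored' means first import; otherwise AD was rekeyed and the old entry must go.
        [ -z "$stored" ] || keytool -delete -alias "$alias" -keystore "$ks" -storepass "$pw"
        import_into_keystore "$tmp" "$ks" "$alias" "$pw"
        echo "imported $host cert into $ks as '$alias' ($live)"
    fi
    rm -f "$tmp"
}

# Run only when invoked with arguments, so the functions can be sourced and tested.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it from cron or a monitoring job against each domain controller; a fingerprint mismatch is the "premature rekeying" case from the answer. Importing the issuing CA from the `-showcerts` chain instead of the leaf avoids re-importing on every routine DC certificate renewal, at the cost of trusting everything that CA issues.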

Not sure we understand your question. Do you mean can you change LDAPs without upgrading/patching Windchill?

Yes, but it depends on the version of Windchill. WindchillDS is necessary until Windchill 12.0. There is a specific (early) build of 12.0 where this begins, but I don't remember which one. Any recent release of Windchill (12.0.2 or later) can/should be fully migrated to an LDAP other than WindchillDS. Functionally, Windchill doesn't care which V3-compliant LDAP houses the user accounts and authentication credentials: OpenDJ, Active Directory, etc.

Migrating from WindchillDS to anything else is a one-time process. This is a process with a lot of nuance, but you can work through it in a test system before attempting it in production.

  1. Planning and preparation involves cleaning up inactive accounts and ensuring active accounts exist in the target LDAP.
  2. Then connect to the third-party LDAP in Info*Engine and Apache.
  3. All the remaining user accounts must be mapped to the new LDAP.
  4. Validate there are no disconnected participants and that the users can log in.

Typically, for single-outage LDAP migrations (e.g. at the end of Windchill upgrades), we disconnect from WindchillDS and integrate with the new LDAP. Fix the Windchill Site Administrator account at the database level, then heal all other accounts through Participant Administration. If there are a lot of user accounts, we heal them with SQL commands and just validate there are no disconnected participants.

For longer-term LDAP migrations [where IT is migrating user accounts to a new LDAP by department], we integrate with both WindchillDS and the target LDAP. We use filter groups on both JNDI Adapters and remove groups of users from WindchillDS before adding them to the target LDAP. When all disconnected participants are resolved, we move on to the next group of users until all accounts have been migrated. Finally, we disconnect from WindchillDS.
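The validation in step 4 and the per-department approach above, as an added shell example that is not the poster's procedure or a PTC tool: reconcile the list of Windchill participants against uid exports from WindchillDS and the target LDAP, reporting accounts that resolve nowhere (what Participant Administration shows as disconnected) and accounts still double-homed in both directories. The ldapsearch command in the comment, the uid attribute as the join key, and all names in the sample data are assumptions.

```shell
#!/bin/sh
# Added example for this thread (not PTC's or the poster's procedure): offline
# reconciliation of Windchill participants against uid exports from WindchillDS
# and the target LDAP during a phased (per-department) migration. Inputs are
# one-uid-per-line files, e.g. produced with
#   ldapsearch -LLL -H ldaps://dc01.example.com -b "$BASE_DN" '(objectClass=person)' uid | sed -n 's/^uid: //p'
# Host, base DN, the uid attribute and every sample name below are assumptions.
set -eu
export LC_ALL=C   # sort and comm must agree on collation

norm() { sed '/^[[:space:]]*$/d' | sort -u; }   # stdin -> sorted unique non-blank lines

# Participants Windchill knows about that resolve in neither directory: these are
# the accounts Participant Administration lists as disconnected after a move.
disconnected_participants() {  # disconnected_participants PARTICIPANTS WINDCHILLDS TARGET
    t=$(mktemp -d)
    norm < "$1" > "$t/p"
    cat "$2" "$3" | norm > "$t/dirs"
    comm -23 "$t/p" "$t/dirs"
    rm -rf "$t"
}

# Users present in both directories. The phased approach removes a group from
# WindchillDS before adding it to the target, so this should stay empty; a hit
# means two JNDI adapters can resolve the same uid to different DNs.
double_homed_users() {  # double_homed_users WINDCHILLDS TARGET
    t=$(mktemp -d)
    norm < "$1" > "$t/a"
    norm < "$2" > "$t/b"
    comm -12 "$t/a" "$t/b"
    rm -rf "$t"
}

# Constructed sample: engineering was moved to AD, but 'dave' and 'erin' were
# removed from WindchillDS without being created in AD, and 'carol' was added
# to AD before being removed from WindchillDS.
demo() {
    d=$(mktemp -d)
    printf 'alice\nbob\ncarol\ndave\nerin\nwcadmin\n' > "$d/participants"
    printf 'bob\ncarol\nwcadmin\n'                    > "$d/windchillds"
    printf 'alice\ncarol\n'                           > "$d/ad"
    echo "disconnected:"; disconnected_participants "$d/participants" "$d/windchillds" "$d/ad"
    echo "double-homed:"; double_homed_users "$d/windchillds" "$d/ad"
    rm -rf "$d"
}

# ./reconcile.sh PARTICIPANTS WINDCHILLDS TARGET, or no arguments for the demo.
if [ "$#" -gt 0 ]; then
    disconnected_participants "$1" "$2" "$3"
else
    demo
fi
```

Run the disconnected check after each department is moved and before the next group is removed from WindchillDS; anything it lists is an account to heal (or a uid that differs between the two directories and needs mapping) before the final disconnect.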

It looks like you have some responses from some community members. If any of these replies helped you solve your question, please mark the appropriate reply as the Accepted Solution.
Of course, if you have more to share on your issue, please let the Community know so other community members can continue to help you.
Regards,
Andra