Invalid characters in ldap group names: users not allowed to log in

We are currently testing the upgrade from PDMLink 9.1 to 10.1 with a full integration to the company ldap.

Here we see a major problem for us:

It is not allowed to have a forward slash (/) in the names of groups that the users in PDMLink are members of. The character is allowed in LDAP but not in PDMLink.

The groups containing the / are not used in PDMLink, but we use other AD groups to control assignments to roles.

This problem means that we are not able to move to 10.x as the LDAP integration is broken.

Do any of you see the same problem in 10.x and have you found a work around for this?

More info:

- The issue is not related to usernames we create, but to information in the MS AD pulled by Windchill.

- The problem is not seen in user names (we have not seen a forward slash in user names so far).

- The problem has been detected for users that are members of groups where a forward slash is part of the group DN.

- We cannot control which groups a user is a member of, nor the name of the group.

- We rely on access to MS AD groups in the setup of Windchill.

- The groups in MS AD with a forward slash have an escape \ before the /.

- Is it part of the LDAP v3 standard to allow / if escaped with \?

- We ran windu and it crashes at the part with the / group.

- LDAP: error code 34 - 0000208F: LdapErr: DSID-0C090715, comment: Error processing name


Re: Invalid characters in ldap group names: users not allowed to log in

Hi Lisbeth,

You could try applying a filter on the EnterpriseLDAP JNDI Adapter for the group objects:

e.g.

<JNDIServiceName>.windchill.mapping.group.filter=cn=PTC Windchill*

This would restrict Windchill to only query AD groups beginning with "PTC Windchill". As long as none of those groups contain "/" it may provide a workaround.

Kind Regards,

Alex

Re: Invalid characters in ldap group names: users not allowed to log in

Following along with Alex, you could also apply a filter to not show groups with a "/". That way you wouldn't have to rename or recreate groups if they are not named explicitly for Windchill. Alex's suggestion is great if you are creating groups specifically for Windchill, and has the added benefit of reducing the number of groups Windchill returns in a search.

Micah
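The two workarounds above (a cn prefix filter and a filter that drops groups containing "/") can be checked offline before touching the adapter configuration. The script below is an added example, not code from the thread or from PTC: it parses a user's memberOf values the way Active Directory returns them (AD escapes "/" in DNs as "\/"), reports which group DNs carry the character Windchill rejects, and builds the RFC 4515 group filter that combines both suggestions. The memberOf values, the property-independent filter shape and the `objectClass=group` clause are assumptions; the exact Windchill property syntax is whatever `windchill.mapping.group.filter` expects.

```python
import re

# Constructed sample memberOf values, in the escaped form AD returns them.
SAMPLE_MEMBER_OF = [
    "CN=PTC Windchill Designers,OU=Groups,DC=example,DC=com",
    "CN=Sales\\/Marketing,OU=Groups,DC=example,DC=com",
    "CN=Finance,OU=Shared\\/Drives,DC=example,DC=com",
]

def split_dn(dn):
    """Split a DN into RDN strings, honouring backslash escapes (RFC 4514 / AD style)."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):      # keep escape pair together
            buf.append(dn[i:i + 2]); i += 2; continue
        if dn[i] == ",":                            # unescaped comma ends the RDN
            parts.append("".join(buf)); buf = []
        else:
            buf.append(dn[i])
        i += 1
    parts.append("".join(buf))
    return parts

def unescape_value(value):
    """Remove backslash escapes: 'Sales\\/Marketing' -> 'Sales/Marketing'."""
    return re.sub(r"\\(.)", r"\1", value)

def rdn_value(rdn):
    attr, _, val = rdn.partition("=")
    return attr.strip().lower(), unescape_value(val)

def problem_groups(member_of, bad_chars="/"):
    """DNs in which any RDN value (cn OR a parent OU) contains a rejected character."""
    return [dn for dn in member_of
            if any(c in val for _, val in map(rdn_value, split_dn(dn)) for c in bad_chars)]

def escape_filter_value(value):
    """RFC 4515 escaping for an assertion value ('/' itself needs no escaping)."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))

def group_filter(prefix=None, exclude_char="/"):
    """Group search filter: optional cn prefix (Alex) AND no '/' in cn (Micah)."""
    clauses = ["(objectClass=group)", "(!(cn=*%s*))" % escape_filter_value(exclude_char)]
    if prefix:
        clauses.insert(1, "(cn=%s*)" % escape_filter_value(prefix))
    return "(&%s)" % "".join(clauses)

if __name__ == "__main__":
    print("groups Windchill would reject:", problem_groups(SAMPLE_MEMBER_OF))
    print("filter:", group_filter("PTC Windchill"))
```

Note that a filter can only test attributes, so the `(!(cn=*/*))` clause catches a slash in the group's own cn but not one in a parent OU; `problem_groups` flags both, which is why it is worth running over real memberOf output before relying on the filter alone.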
