Major PDMLink problem, LDAP related

lococnc
1-Visitor

Our IT department made a bunch of changes over the weekend and now no one can log in to PDMLink.
Our system was set up in 2006 and is configured to authenticate against the Active Directory user name and password.
We can't figure out what they broke. They did not touch the PDMLink system.
I suspect that they have killed some permissions somewhere. Most of the software runs under "windchill_user", but I cannot seem to even browse the company LDAP using the included browser. I can log in using a user that exists only in the Windchill-included LDAP.

Any help would be appreciated.

Mike,

They may have changed the host for your Active Directory LDAP or the user
with which Apache connects to that LDAP. You can find both of these
settings in the Info*Engine Administrator (Site/Utilities). You'll need the
Aphelion password (username should be cn=Manager, password is usually
ldapadmin or manager unless it was changed from a default install). You'll
need to determine the name of your custom JNDI adapter which defines the
connection to AD. It's usually called something like CorpLdap.

Mike,

Forget the Info*Engine Administrator page since you can't log in. You can
edit the properties from the Aphelion LDAPBrowser.

The adapter is buried and varies for different implementations. It will be
called "ptcServiceName=com.<domain>.<hostname/alias>.<AdapterName>"

where domain and hostname/alias are fragments of the URL with which you log
into PDMLink and AdapterName is the name of your custom JNDI adapter which
is usually something like "CorpLdap".
jcrowe
1-Visitor
(To:lococnc)

Apache handles the authentication side. So if you're not able to log in, you should check the Apache configuration file.
jcrowe
1-Visitor
(To:lococnc)

Check your Apache configuration files. This is where authentication first takes place:

C:\ptc\Windchill_9.0\Apache\conf\extra\app-Windchill-Auth.conf

This file should include all of the options to connect to your corporate AD. Verify that your AuthLDAPURL is correct with your domain/IT administrator. If not, modify it and restart Apache.

Ex.

<AuthnProviderAlias ldap Windchill-EnterpriseLdap>
AuthLDAPURL ldap://ADhost.example.com:3268/CN=Users,DC=example,DC=com?sAMAccountName?sub?(objectClass=*)
AuthLDAPBindDN "CN=Bind User,CN=Users,DC=example,DC=com"
AuthLDAPBindPassword "bind_pwd"
</AuthnProviderAlias>

jessh
12-Amethyst
(To:lococnc)

If you hand edit this file it will be overwritten when next you (or an
installer) use any of the scripts that generate such files.

Recent versions of the file state this at the top:

# DO NOT EDIT THIS FILE. IT IS AUTO-GENERATED AND WILL BE OVERWRITTEN.

There are XML and properties files to edit and a script to regenerate
the conf files. In recent releases this would involve editing:

app-Windchill-AuthProvider.xml

and then running

ant -f webAppConfig.xml regenAllWebApps

I missed the beginning of this thread, so I'm not at all sure whether
this is actually an Apache configuration issue. In recent releases
there is a page to help troubleshoot authentication issues,

fails (or fails to challenge you for authentication), then you know you
have a web server configuration issue. If all of these links work and
the authenticated JSP and servlet request links report the right user,
then your issue is not with the basic web server or servlet engine
configuration.

--
Jess...

jcrowe
1-Visitor
(To:lococnc)

Jess, you are correct. One would need to edit the "<apache_load_point>/conf/extra/app-Windchill-AuthProvider.xml" for a permanent fix. In that case, it would look like:
<providers>
<provider>
<name>Windchill-EnterpriseLdap</name>
<ldapurl>ldap://activedirectoryhost.example.com:3268/CN=Users,DC=example,DC=com?sAMAccountName?sub?(objectClass=*)</ldapurl>
<binddn>CN=Bind User,CN=Users,DC=example,DC=com</binddn>
<bindpwd><password_for_bind_user></bindpwd>
</provider>
</providers>

Is it not true that authentication (simply login against an LDAP) is handled solely by Apache and authorization (access control to content) by other means?
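As an added example, not part of this thread or of PTC's own tooling: a small Python check that pulls the AuthLDAPURL out of app-Windchill-Auth.conf, reports whether it is malformed (missing `//` or the `/` before the base DN) or binds in the clear, and compares it against the `<ldapurl>` in app-Windchill-AuthProvider.xml, so a hand edit that regenAllWebApps would later overwrite shows up as a mismatch. The two file contents below are constructed samples in the shape shown in this thread, and the function names are my own.

```python
import re
import xml.etree.ElementTree as ET
# Constructed samples in the shape of the thread's two files; example.com hosts and
# DNs are placeholders. The XML host deliberately differs from the conf host.
AUTH_CONF = """<AuthnProviderAlias ldap Windchill-EnterpriseLdap>
  AuthLDAPURL ldap://ADhost.example.com:3268/CN=Users,DC=example,DC=com?sAMAccountName?sub?(objectClass=*)
  AuthLDAPBindDN "CN=Bind User,CN=Users,DC=example,DC=com"
  AuthLDAPBindPassword "bind_pwd"
</AuthnProviderAlias>"""
PROVIDER_XML = """<providers><provider>
  <name>Windchill-EnterpriseLdap</name>
  <ldapurl>ldap://activedirectoryhost.example.com:3268/CN=Users,DC=example,DC=com?sAMAccountName?sub?(objectClass=*)</ldapurl>
  <binddn>CN=Bind User,CN=Users,DC=example,DC=com</binddn>
</provider></providers>"""

# RFC 2255 shape used by mod_authnz_ldap: ldap[s]://host[:port]/base?attr?scope?filter
LDAP_URL_RE = re.compile(
    r"^(ldaps?)://([^/:]+)(?::(\d+))?/([^?]*)(?:\?([^?]*))?(?:\?([^?]*))?(?:\?(.*))?$")

def parse_ldap_url(url):
    """Split an AuthLDAPURL into its parts; None if it is not a valid LDAP URL."""
    m = LDAP_URL_RE.match(url.strip())
    if not m:
        return None
    scheme, host, port, base, attr, scope, flt = m.groups()
    return {"scheme": scheme, "host": host,
            "port": int(port) if port else (636 if scheme == "ldaps" else 389),
            "base_dn": base, "attribute": attr or "uid",  # Apache's defaults
            "scope": scope or "sub", "filter": flt or "(objectClass=*)"}

def lint_ldap_url(url):
    """Findings to confirm with the AD administrator before restarting Apache."""
    p = parse_ldap_url(url)
    if p is None:
        return ["malformed: expected ldap://host:port/base?attr?scope?filter"]
    out = []
    if p["scheme"] == "ldap":
        out.append("ldap:// binds in the clear unless STARTTLS (LDAPTrustedMode) is set; prefer ldaps://")
    return out

def conf_ldap_url(conf_text):  # AuthLDAPURL value from the generated Apache conf
    m = re.search(r'^\s*AuthLDAPURL\s+"?([^"\s]+)', conf_text, re.M)
    return m.group(1) if m else None

def xml_ldap_url(xml_text, provider_name):  # <ldapurl> of the named provider
    for p in ET.fromstring(xml_text).iter("provider"):
        if p.findtext("name") == provider_name:
            return p.findtext("ldapurl")
    return None

def conf_matches_xml(conf_text, xml_text, provider_name):
    """False: the conf was hand-edited and regenAllWebApps will overwrite it."""
    return conf_ldap_url(conf_text) == xml_ldap_url(xml_text, provider_name)
```

Run it against the real files by reading them in place of the two constructed strings; a False from conf_matches_xml means the fix lives only in the generated conf.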

Jason,

That's correct. Apache handles authentication only. Once authenticated,
the user is found in one of the LDAPs for which there are JNDI adapters
configured. If you don't create a JNDI adapter for Active Directory, you
would need to duplicate all user accounts in Aphelion (or WindchillDS going
forward). Conversely, for a complete AD integration and the elimination of
redundant user accounts, you would create this custom JNDI adapter to
reference AD.
jessh
12-Amethyst
(To:lococnc)

Crowe, Jason C (OCW) wrote:
> Is it not true that authentication (simply login against an LDAP) is
> handled solely by Apache and authorization (access control to
> content) by other means?
Yes, this is true.

However, as I said, I missed the beginning of the thread, but many people
mix authentication and successfully getting results from the first
Windchill page they visit all into the same "can't login" symptom and
label it all sorts of things from that point. That's why I pointed out
test.html.

--
Jess Holle