Hello,

I forgot to mention that we are running Windchill version 12

The Directory system agent user does not change and I can still browse the AD structure using this account after I have made the change to the search base.

It is when I change the search base using the Info Engine utility from

ptcProperty: xxx.xxxx.MSADLdap.searchBase=OU=Restricted,OU=User,OU=XXXXXXXX,OU=XXXXX AND XXXXXX,DC=XXXX,DC=XXXX

to 

ptcProperty: xxx.xxxx.MSADLdap.searchBase=OU=Restricted,OU=User,OU=XXXXXXXX,DC=XXXX,DC=XXXX

I then ran the ​ant -f webAppConfig.xml regenWebAppConf command from the Windchill shell

but after this change users can no longer login to Windchill.

Where do I find the ......windchill.mapping.user.filter:

It's in Info Engine, in the Additional Properties

Something like:

Property: local.EnterpriseLdap2.windchill.mapping.user.filter

Value:

Here is an export of the properties of the adapter that is currently working, I can't find any reference to the windchill.mapping.user.filter

dn: ptcServiceName=###.####.MSADLdap,<base>
ptcProperty: ###.####.MSADLdap.java.naming.provider.url=ldap://######.####.###:3268
ptcProperty: ###.####.MSADLdap.dsaUser=CN=######-Service-Winchill,OU=ServiceAccounts,OU=User,OU=######,OU=LOCATION,DC=####,DC=###
ptcProperty: ###.####.MSADLdap.dsaCredentials=encrypted.###.####.MSADLdap.dsaCredentials
ptcProperty: ###.####.MSADLdap.searchBase=OU=Restricted,OU=User,OU=######,OU=##### ### #####,DC=####,DC=###
ptcProperty: ###.####.MSADLdap.searchScope=SUBTREE
ptcProperty: ###.####.MSADLdap.serviceType=DIRECTORY
ptcProperty: ###.####.MSADLdap.ldapVersion=3
ptcProperty: ###.####.MSADLdap.debug=1111
ptcProperty: ###.####.MSADLdap.logFile=D:\ptc\WC\Windchill\logs\MSADLdap.log
ptcProperty: ###.####.MSADLdap.verbose=true
ptcProperty: ###.####.MSADLdap.socketAccess.maxThreadCount=100
ptcProperty: ###.####.MSADLdap.windchill.config.readOnly=true
ptcProperty: ###.####.MSADLdap.windchill.mapping.user.mail=mail
ptcProperty: ###.####.MSADLdap.windchill.mapping.user.o=company
ptcProperty: ###.####.MSADLdap.windchill.mapping.user.objectClass=user
ptcProperty: ###.####.MSADLdap.windchill.mapping.user.preferredLanguage=en_US
ptcProperty: ###.####.MSADLdap.windchill.mapping.user.uid=sAMAccountName
ptcProperty: ###.####.MSADLdap.windchill.mapping.user.uniqueIdAttribute=sAMAccountName
ptcProperty: ###.####.MSADLdap.windchill.mapping.usersOrganizationName=###### ######
ptcProperty: ###.####.MSADLdap.windchill.mapping.windchill.config.directoryType=ADS
ptcServiceClassName: com.infoengine.jndi.JNDIAdapterImpl
ptcServiceName: ###.####.MSADLdap
ptcMetaType: JNDI Adapter
objectClass: ptcApplicationService
objectClass: ptcApplicationProperties
objectClass: ptcInfoEngineAdapter
parentDn: <base>
ptcRuntimeServiceName: ###.####.MSADLdap

It's optional.  You have to add it yourself.  See this article: https://www.ptc.com/en/support/article/cs29445

See this one too:  https://www.ptc.com/en/support/article/CS24211

Hi, I don't want to add an additional filter, I want to replace the current value in the search base with a new value. The reason I want to do this, is that when the users are moved to the new OU the old OU will be removed from the AD.

I tried this by changing the value in the search base using Info Engine and then running ant -f webAppConfig.xml regenWebAppConf

However after this the users could not login to Windchill, am I missing a step.

Info Engine config determines what users and group Windchill can see.  The Apache (HTTP) config determines what users can log in.  You have to change both.  It's helpful to use a 3rd party LDAP search tool to make sure your search base and filters are working correctly before setting these values in Windchill and Apache.

Hi Guys,

Thank you both for your help, I had miss typed the entry in the Apache config.