cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 

Modifying the LDAP search scope Windchill 12

Peter...
4-Participant

Modifying the LDAP search scope Windchill 12

I need to move my users to a new OU in AD, Our current Windchill installation uses AD to authenticate the users using an LDAP adapter.

 

Using Info*Engine I have changed the Search base value in the current adapter to reflect the new OU in AD and ran the ​ant -f webAppConfig.xml regenWebAppConf command from the Windchill shell, however when I move my users to the new OU they cannot login to Windchill.

 

I must be missing some steps to get this working, any help would be appreciated

 

 

 

 

1 ACCEPTED SOLUTION

Accepted Solutions
TomU
23-Emerald III
(To:Peter...)

I should also add that the ant command is only needed after changing the Apache config.  It has nothing to do with Info Engine changes.  For those to take affect you need to restart Windchill.

View solution in original post

10 REPLIES 10

You can use a tool like JXplorer to test your LDAP connection. You can connect with or without a Search base in order to validate that it is correct. 

http://jxplorer.org/downloads/users.html

 

You may also need to check your filter:
......windchill.mapping.user.filter:

 

Hello,

I forgot to mention that we are running Windchill version 12

 

The Directory system agent user does not change and I can still browse the AD structure using this account after I have made the change to the search base.

 

It is when I change the search base using the Info Engine utility from

ptcProperty: xxx.xxxx.MSADLdap.searchBase=OU=Restricted,OU=User,OU=XXXXXXXX,OU=XXXXX AND XXXXXX,DC=XXXX,DC=XXXX

to 

ptcProperty: xxx.xxxx.MSADLdap.searchBase=OU=Restricted,OU=User,OU=XXXXXXXX,DC=XXXX,DC=XXXX

I then ran the ​ant -f webAppConfig.xml regenWebAppConf command from the Windchill shell

but after this change users can no longer login to Windchill.

 

Where do I find the ......windchill.mapping.user.filter:

 

It's in Info Engine, in the Additional Properties

 

Something like:

Property: local.EnterpriseLdap2.windchill.mapping.user.filter

Value:

memberOf=CN=WCUsers,CN=Users,DC=company,DC=local

 

Here is an export of the properties of the adapter that is currently working, I can't find any reference to the windchill.mapping.user.filter

 

dn: ptcServiceName=###.####.MSADLdap,<base>
ptcProperty: ###.####.MSADLdap.java.naming.provider.url=ldap://######.####.###:3268
ptcProperty: ###.####.MSADLdap.dsaUser=CN=######-Service-Winchill,OU=ServiceAccounts,OU=User,OU=######,OU=LOCATION,DC=####,DC=###
ptcProperty: ###.####.MSADLdap.dsaCredentials=encrypted.###.####.MSADLdap.dsaCredentials
ptcProperty: ###.####.MSADLdap.searchBase=OU=Restricted,OU=User,OU=######,OU=##### ### #####,DC=####,DC=###
ptcProperty: ###.####.MSADLdap.searchScope=SUBTREE
ptcProperty: ###.####.MSADLdap.serviceType=DIRECTORY
ptcProperty: ###.####.MSADLdap.ldapVersion=3
ptcProperty: ###.####.MSADLdap.debug=1111
ptcProperty: ###.####.MSADLdap.logFile=D:\ptc\WC\Windchill\logs\MSADLdap.log
ptcProperty: ###.####.MSADLdap.verbose=true
ptcProperty: ###.####.MSADLdap.socketAccess.maxThreadCount=100
ptcProperty: ###.####.MSADLdap.windchill.config.readOnly=true
ptcProperty: ###.####.MSADLdap.windchill.mapping.user.mail=mail
ptcProperty: ###.####.MSADLdap.windchill.mapping.user.o=company
ptcProperty: ###.####.MSADLdap.windchill.mapping.user.objectClass=user
ptcProperty: ###.####.MSADLdap.windchill.mapping.user.preferredLanguage=en_US
ptcProperty: ###.####.MSADLdap.windchill.mapping.user.uid=sAMAccountName
ptcProperty: ###.####.MSADLdap.windchill.mapping.user.uniqueIdAttribute=sAMAccountName
ptcProperty: ###.####.MSADLdap.windchill.mapping.usersOrganizationName=###### ######
ptcProperty: ###.####.MSADLdap.windchill.mapping.windchill.config.directoryType=ADS
ptcServiceClassName: com.infoengine.jndi.JNDIAdapterImpl
ptcServiceName: ###.####.MSADLdap
ptcMetaType: JNDI Adapter
objectClass: ptcApplicationService
objectClass: ptcApplicationProperties
objectClass: ptcInfoEngineAdapter
parentDn: <base>
ptcRuntimeServiceName: ###.####.MSADLdap

TomU
23-Emerald III
(To:Peter...)

It's optional.  You have to add it yourself.  See this article: https://www.ptc.com/en/support/article/cs29445

TomU
23-Emerald III
(To:Peter...)

Peter...
4-Participant
(To:TomU)

Hi, I don't want to add an additional filter, I want to replace the current value in the search base with a new value. The reason I want to do this, is that when the users are moved to the new OU the old OU will be removed from the AD.

 

I tried this by changing the value in the search base using Info Engine and then running ant -f webAppConfig.xml regenWebAppConf

However after this the users could not login to Windchill, am I missing a step.

 

 

TomU
23-Emerald III
(To:Peter...)

Info Engine config determines what users and group Windchill can see.  The Apache (HTTP) config determines what users can log in.  You have to change both.  It's helpful to use a 3rd party LDAP search tool to make sure your search base and filters are working correctly before setting these values in Windchill and Apache.

TomU
23-Emerald III
(To:Peter...)

I should also add that the ant command is only needed after changing the Apache config.  It has nothing to do with Info Engine changes.  For those to take affect you need to restart Windchill.

Peter...
4-Participant
(To:TomU)

Hi Guys,

 

Thank you both for your help, I had miss typed the entry in the Apache config.

Announcements