The community will undergo maintenance on October 16th at 10:00 PM PDT and will be unavailable for up to one hour.
I need to move my users to a new OU in AD, Our current Windchill installation uses AD to authenticate the users using an LDAP adapter.
Using Info*Engine I have changed the Search base value in the current adapter to reflect the new OU in AD and ran the ant -f webAppConfig.xml regenWebAppConf command from the Windchill shell, however when I move my users to the new OU they cannot login to Windchill.
I must be missing some steps to get this working, any help would be appreciated
Solved! Go to Solution.
I should also add that the ant command is only needed after changing the Apache config. It has nothing to do with Info Engine changes. For those to take affect you need to restart Windchill.
You can use a tool like JXplorer to test your LDAP connection. You can connect with or without a Search base in order to validate that it is correct.
http://jxplorer.org/downloads/users.html
You may also need to check your filter:
......windchill.mapping.user.filter:
Hello,
I forgot to mention that we are running Windchill version 12
The Directory system agent user does not change and I can still browse the AD structure using this account after I have made the change to the search base.
It is when I change the search base using the Info Engine utility from
ptcProperty: xxx.xxxx.MSADLdap.searchBase=OU=Restricted,OU=User,OU=XXXXXXXX,OU=XXXXX AND XXXXXX,DC=XXXX,DC=XXXX
to
ptcProperty: xxx.xxxx.MSADLdap.searchBase=OU=Restricted,OU=User,OU=XXXXXXXX,DC=XXXX,DC=XXXX
I then ran the ant -f webAppConfig.xml regenWebAppConf command from the Windchill shell
but after this change users can no longer login to Windchill.
Where do I find the ......windchill.mapping.user.filter:
It's in Info Engine, in the Additional Properties
Something like:
Property: local.EnterpriseLdap2.windchill.mapping.user.filter
Value:
memberOf=CN=WCUsers,CN=Users,DC=company,DC=local |
Here is an export of the properties of the adapter that is currently working, I can't find any reference to the windchill.mapping.user.filter
dn: ptcServiceName=###.####.MSADLdap,<base>
ptcProperty: ###.####.MSADLdap.java.naming.provider.url=ldap://######.####.###:3268
ptcProperty: ###.####.MSADLdap.dsaUser=CN=######-Service-Winchill,OU=ServiceAccounts,OU=User,OU=######,OU=LOCATION,DC=####,DC=###
ptcProperty: ###.####.MSADLdap.dsaCredentials=encrypted.###.####.MSADLdap.dsaCredentials
ptcProperty: ###.####.MSADLdap.searchBase=OU=Restricted,OU=User,OU=######,OU=##### ### #####,DC=####,DC=###
ptcProperty: ###.####.MSADLdap.searchScope=SUBTREE
ptcProperty: ###.####.MSADLdap.serviceType=DIRECTORY
ptcProperty: ###.####.MSADLdap.ldapVersion=3
ptcProperty: ###.####.MSADLdap.debug=1111
ptcProperty: ###.####.MSADLdap.logFile=D:\ptc\WC\Windchill\logs\MSADLdap.log
ptcProperty: ###.####.MSADLdap.verbose=true
ptcProperty: ###.####.MSADLdap.socketAccess.maxThreadCount=100
ptcProperty: ###.####.MSADLdap.windchill.config.readOnly=true
ptcProperty: ###.####.MSADLdap.windchill.mapping.user.mail=mail
ptcProperty: ###.####.MSADLdap.windchill.mapping.user.o=company
ptcProperty: ###.####.MSADLdap.windchill.mapping.user.objectClass=user
ptcProperty: ###.####.MSADLdap.windchill.mapping.user.preferredLanguage=en_US
ptcProperty: ###.####.MSADLdap.windchill.mapping.user.uid=sAMAccountName
ptcProperty: ###.####.MSADLdap.windchill.mapping.user.uniqueIdAttribute=sAMAccountName
ptcProperty: ###.####.MSADLdap.windchill.mapping.usersOrganizationName=###### ######
ptcProperty: ###.####.MSADLdap.windchill.mapping.windchill.config.directoryType=ADS
ptcServiceClassName: com.infoengine.jndi.JNDIAdapterImpl
ptcServiceName: ###.####.MSADLdap
ptcMetaType: JNDI Adapter
objectClass: ptcApplicationService
objectClass: ptcApplicationProperties
objectClass: ptcInfoEngineAdapter
parentDn: <base>
ptcRuntimeServiceName: ###.####.MSADLdap
It's optional. You have to add it yourself. See this article: https://www.ptc.com/en/support/article/cs29445
Hi, I don't want to add an additional filter, I want to replace the current value in the search base with a new value. The reason I want to do this, is that when the users are moved to the new OU the old OU will be removed from the AD.
I tried this by changing the value in the search base using Info Engine and then running ant -f webAppConfig.xml regenWebAppConf
However after this the users could not login to Windchill, am I missing a step.
Info Engine config determines what users and group Windchill can see. The Apache (HTTP) config determines what users can log in. You have to change both. It's helpful to use a 3rd party LDAP search tool to make sure your search base and filters are working correctly before setting these values in Windchill and Apache.
I should also add that the ant command is only needed after changing the Apache config. It has nothing to do with Info Engine changes. For those to take affect you need to restart Windchill.
Hi Guys,
Thank you both for your help, I had miss typed the entry in the Apache config.