I see you want to use AD just for authentication and keep the users in Windchill Directory Server. You are right, you don't have to configure an additional JNDI adapter for this.
- Create Windchill users with the "username = Active Directory SAMaccount name". You can provide a random password of your choice as this password will not be used. The email address needs to manually entered for each of the users. You can either create users manually or use load from file - https://support.ptc.com/appserver/cs/view/solution.jsp?n=CS23818.
- Add Active Directory auth provider as the first provider entry in <Apache>\conf\extra\app-Windchill-AuthProvider.xml
<provider>
<name>Corporate-AD</name>
<ldapUrl>ldap://domain-controller.domain.com:3268/CN=Users,DC=company,DC=internal?sAMAccountName?sub?(objectClass=*)</ldapUrl>
<bindDn>an=service_Account,CN=serviceaccount,DC=company,DC=internal</bindDn>
<bindPwd>password</bindPwd>
</provider>
3. Open Windchill shell, navigate to ptc/HTTPServer and run the command, ant -f webAppConfig.xml regenWebAppConf. This will propagate the entries from above xml to conf file.
Few +ves of this approach are
We can keep the windchill user tables clean. Active Directory is extremely volatile, IT administrators would add/remove/move/rename users as per their need and often Windchill will not like it. No issues with disconnected principals, unless you delete users from Windchill DS directly. To be compliant with licensing policy, you can create a group in WindchillDS and move all the separated user accounts to this group.
Few -ves of this approach are
To add a new account, every you need to manually create user in Windchill. If you configure JNDI adapter, this will be populated automatically. Another pitfall is, if you ever have to use CFR part 11, authenticated workflow task completion, users will have to enter the password which you provide in Windchill, unless you have some third party tool for password synchronization
Thank you
Binesh Kumar
Medtronic-MITG
