Hello Henrik,
I was going through this post and wanted to confirm the following with you. I have a setup with AD configured using a JNDI adapter etc., for the last (optional) step, i.e.
"Note: Normally WC has only read access to the MSAD system, but if you like
to update and create users from WC in MSAD you need to update your
mapCredentials.xml, but this step is only if you have write access to MSAD."
I already modified mapCredentials.xml and also have write access to MSAD, but when I try to update user info (using Aphelion Browser), it gives me the error message:
Root error: [LDAP: error code 53 - 00002035: LdapErr: DSID-0C090A36, comment: Operation not allowed through GC port, data 0, vece
Is port 3268 the issue? Can you please provide your feedback?
Kamlesh
Gerry
The steps to integrate an external directory service such as MSAD are the
following:
1. Try to connect to MSAD with your local LDAP Browser and enter here the
credentials of a user in MSAD who has read permissions:
a. Host
b. Check Anonymous bind
c. userDN
d. Password
If you are able to browse the MSAD structure then you have an open
connection to MSAD, and the values you have now entered should be used in
your jndiAdapter.
2. The second step is to create a jndiAdapter. You can do this from your
Info*Engine page. After you have added the credentials from your LDAP Browser you
must also specify the properties at the very end of the jndiAdapter
configuration page.
In R9.1 you can also map groups to MSAD.
In R9.1 you can also use a property for the organization in your
jndiAdapter configuration instead of having a property in MSAD designated
only for WC integration. This option is only possible when you use only one
Organization in WC.
3. After you have configured the jndiAdapter you should add the name of the
jndiAdapter to wt.federation.org.directoryServices in wt.properties.
4. You should now be able to log into WC, still with your local site
Administrator (LDAP), and from the Principal Administrator tool you should be able to
search for any users (both LDAP and MSAD).
wt.federation.org.directoryServices specifies the adapters you will be using
when searching for people. If you can only search users in the local LDAP then your
jndiAdapter is configured wrongly.
5. The last step is to configure Apache. With Apache 2.2 you are able to
connect to two directory services, such as one LDAP and one MSAD. IIS can
connect to as many as you like.
You have two configuration files you need to update for correct
authentication:
app-Windchill-Auth.conf
app-Windchill-AuthProvider.xml
In here you see two providers: Windchill-AdministrativeLdap &
Windchill-EnterpriseLdap
The AdministrativeLdap is intended to point to the local LDAP.
The EnterpriseLdap is intended to point to your MSAD.
You need to update the Enterprise properties in both files with the
credentials you specified in the very first step, connecting with an LDAP
Browser.
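The following is an added example by the editor, not code from Windchill, PTC or either poster. It is a stand-alone pre-flight check for the two points in this thread: step 1 of the answer (prove the bind with the userDN/password, or an anonymous bind, before configuring the jndiAdapter), and the error in the question, where a directory reached through an Active Directory Global Catalog port (3268, or 3269 for LDAPS) is read-only, so a modify through it is refused with LDAP resultCode 53 (unwillingToPerform) and the diagnostic "Operation not allowed through GC port"; writes have to go to a domain controller's own port 389 or 636. The script uses only the Python standard library and speaks plain LDAPv3 (RFC 4511); the host names, DNs and the sample ModifyResponse bytes are constructed for illustration and are not taken from any real server.

```python
"""Pre-flight checks for a Windchill jndiAdapter or Apache LDAP provider pointed at MSAD.

Editor's example, not Windchill/PTC code.  Standard library only; all sample data constructed.
"""
from __future__ import annotations

import re
import socket
import ssl
from dataclasses import dataclass

GC_PORTS = {3268, 3269}      # Global Catalog (plain, LDAPS): searchable, never writable
WRITABLE_PORTS = {389, 636}  # the domain controller's own LDAP / LDAPS endpoints
RESULT_NAMES = {0: "success", 49: "invalidCredentials", 53: "unwillingToPerform"}
OP_NAMES = {0x61: "BindResponse", 0x67: "ModifyResponse"}   # [APPLICATION 1] and [APPLICATION 7]

# MSAD diagnosticMessage layout: "<win32 hex>: LdapErr: DSID-<id>, comment: <text>, data <n>, v<tag>"
AD_DIAG = re.compile(
    r"^(?P<win32>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+), v\w+$"
)


def check_endpoint(port: int, need_write: bool) -> list[str]:
    """Warnings for an adapter endpoint, given whether Windchill must write through it."""
    warnings = []
    if need_write and port in GC_PORTS:
        warnings.append(f"port {port} is a Global Catalog port (read-only); use 389 or 636 "
                        "on a domain controller for create/update")
    if port not in GC_PORTS | WRITABLE_PORTS:
        warnings.append(f"port {port} is not a standard AD LDAP port; check the provider URL")
    return warnings


# --- minimal BER helpers, enough for a simple bind and for decoding an LDAPResult ---------
def ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content


def read_tlv(buf: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    """Return (tag, content, position after the element); handles short and long lengths."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[pos:pos + length], pos + length


def bind_request(msg_id: int, user_dn: str = "", password: str = "") -> bytes:
    """LDAPv3 simple BindRequest [APPLICATION 0]; empty DN and password is an anonymous bind."""
    body = tlv(0x02, b"\x03") + tlv(0x04, user_dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, body))


@dataclass
class LdapResult:
    op: str
    result_code: int
    matched_dn: str
    diagnostic: str

    @property
    def name(self) -> str:
        return RESULT_NAMES.get(self.result_code, f"resultCode {self.result_code}")


def parse_result(buf: bytes) -> LdapResult:
    """Decode LDAPMessage { messageID, BindResponse | ModifyResponse { ENUMERATED, LDAPDN, diag } }."""
    tag, msg, _ = read_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(msg)                 # messageID, not needed here
    tag, op, _ = read_tlv(msg, pos)
    if tag not in OP_NAMES:
        raise ValueError(f"unsupported protocolOp 0x{tag:02x}")
    _, code, pos = read_tlv(op)
    _, matched, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    return LdapResult(OP_NAMES[tag], int.from_bytes(code, "big"),
                      matched.decode(errors="replace"), diag.decode(errors="replace"))


def explain(diagnostic: str, port: int) -> dict:
    """Split an MSAD diagnostic string and attach the remediation this thread needs."""
    m = AD_DIAG.match(diagnostic)
    info = m.groupdict() if m else {"comment": diagnostic}
    if "GC port" in info["comment"] or port in GC_PORTS:
        info["fix"] = "point the writing adapter at 389/636 on a domain controller, not the GC port"
    return info


def probe_bind(host: str, port: int, user_dn: str = "", password: str = "",
               use_tls: bool = False, timeout: float = 5.0) -> LdapResult:
    """Live version of step 1: bind and return the directory's answer (needs network access)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(bind_request(1, user_dn, password))
        return parse_result(sock.recv(4096))


# Constructed sample: a ModifyResponse carrying the diagnostic quoted in the question.
SAMPLE_DIAG = ("00002035: LdapErr: DSID-0C090A36, comment: Operation not allowed through GC port, "
               "data 0, vece")
SAMPLE_RESPONSE = tlv(0x30, tlv(0x02, b"\x01") + tlv(
    0x67, tlv(0x0A, bytes([53])) + tlv(0x04, b"") + tlv(0x04, SAMPLE_DIAG.encode())))


def demo() -> dict:
    res = parse_result(SAMPLE_RESPONSE)
    return {"op": res.op, "result": res.name,
            "warnings": check_endpoint(3268, need_write=True), **explain(res.diagnostic, 3268)}


if __name__ == "__main__":
    print(demo())
```

Run `probe_bind("dc.example.test", 389, "CN=wcreader,OU=svc,DC=example,DC=test", "secret")` (constructed names) against the same credentials you give the LDAP Browser in step 1; a resultCode of 0 confirms the connection and a 49 points at the userDN or password. Before enabling writes via mapCredentials.xml, run `check_endpoint` on the port in the jndiAdapter's provider URL: a hit on 3268/3269 is exactly the situation behind error code 53 above, and no credential change will fix it.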