cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 

Community Tip - Help us improve the PTC Community by taking this short Community Survey! X

SV: How do you create a Winchill user with an Active Directory (LDAP) account?

handersen1
1-Visitor

SV: How do you create a Winchill user with an Active Directory (LDAP) account?

Gerry



The steps to integrate an external directory service such as MSAD is
following:



1. Try and connect to MSAD with your local LDAP Browser and add in
here the credentials for a user in MSAD who has read permissions.

a. Host

b. Check Anonymous bind

c. userDN

d. Password

If you are able to browse the MSAD structure then you have an open
connection to MSAD and the values you have not entered should be used in
your jndiAdapter.



2. Second step is to create a jndiAdapter. You can do this from your
Info*Engine page. After you added the credentials from your LDAP Browser you
must also specify the properties at the very end of jndiAdapter
configuration page.

In R9.1 you can also map groups to MSAD

In R9.1 you can also use an property for the organization in your
jndiAdapter configuration instead of having a property in MSAD designated
only for WC integration. This option is only possible when you only use one
Organization in WC.



3. After you configured the jndiAdapter you should add the name of the
jndiAdapter to the wt.federation.org.directoryServices in wt.properties



4. You should now be able to log into WC still with your local site
Administrator (LDAP) and from the principal Admin tool you should be able to
search any users (both LDAP and MSAD). The
wt.federation.org.directoryServices specify the adapters you will be using
searching for people. If you can only search users in local LDAP then your
jndiAdapter is wrong configured.



5. Last step is to configure Apache. With Apache 2.2 you are able to
connect to two directoryserices, such as one LDAP and one MSAD. IIS can
connect to as many you like.

You have two configuration files you need to update for correct
authenticaton:

app-Windchill-Auth.conf

app-Windchill-AuthProvider.xml

In here you see two providers: Windchill-AdministrativeLdap &
Windchill-EnterpriseLdap

The AdministrativeLDAP is entended to point to local LDAP

The EnterpriseLDAP is intendted to point to your MSAD



You need to update the Enterprise properties in both files with the
credentials you specified at the very first step connection with a LDAP
Browser.


1 REPLY 1



In Reply to Henrik Andersen:

Hello Henrik,

I was going through this post and wanted to confirm with you following. I have a setup with AD configured using JNDI adapter etc , for the last ( optional) step , i.e.

Note: Normally WC has only read access to the MSAD system, but if you like
to update and create users from WC in MSAD you need to update you
mapCredentials.xml, but this step is only if you have write access to MSAD.

I already modified mapCredential.xml and also have write access to MSAD , but when I try to update user info, ( using Aphelion Browser) , it gives me error message as

Root error: [LDAP: error code 53 - 00002035: LdapErr: DSID-0C090A36, comment: Operation not allowed through GC port, data 0, vece

IS port 3268 is issue? can you please provide your feedback

Kamlesh


Gerry



The steps to integrate an external directory service such as MSAD is
following:



1. Try and connect to MSAD with your local LDAP Browser and add in
here the credentials for a user in MSAD who has read permissions.

a. Host

b. Check Anonymous bind

c. userDN

d. Password

If you are able to browse the MSAD structure then you have an open
connection to MSAD and the values you have not entered should be used in
your jndiAdapter.



2. Second step is to create a jndiAdapter. You can do this from your
Info*Engine page. After you added the credentials from your LDAP Browser you
must also specify the properties at the very end of jndiAdapter
configuration page.

In R9.1 you can also map groups to MSAD

In R9.1 you can also use an property for the organization in your
jndiAdapter configuration instead of having a property in MSAD designated
only for WC integration. This option is only possible when you only use one
Organization in WC.



3. After you configured the jndiAdapter you should add the name of the
jndiAdapter to the wt.federation.org.directoryServices in wt.properties



4. You should now be able to log into WC still with your local site
Administrator (LDAP) and from the principal Admin tool you should be able to
search any users (both LDAP and MSAD). The
wt.federation.org.directoryServices specify the adapters you will be using
searching for people. If you can only search users in local LDAP then your
jndiAdapter is wrong configured.



5. Last step is to configure Apache. With Apache 2.2 you are able to
connect to two directoryserices, such as one LDAP and one MSAD. IIS can
connect to as many you like.

You have two configuration files you need to update for correct
authenticaton:

app-Windchill-Auth.conf

app-Windchill-AuthProvider.xml

In here you see two providers: Windchill-AdministrativeLdap &
Windchill-EnterpriseLdap

The AdministrativeLDAP is entended to point to local LDAP

The EnterpriseLDAP is intendted to point to your MSAD



You need to update the Enterprise properties in both files with the
credentials you specified at the very first step connection with a LDAP
Browser.


Announcements


Top Tags