I am trying to test-install Windchill Intralink 9.1 M060, using Active Directory for the Enterprise LDAP.
Unfortunately, I know little about AD. It is managed by others.
When specifying the "Base Distinguished Name for Enterprise Users", I tried:
cn=Users,dc=williams-int,dc=com
The above worked, but this branch contains only administrative users.
Our general users are under multiple branches, one for each of our locations/facilities.
For example, I could specify the following for a facility:
cn=Users,cn=Site1,dc=williams-int,dc=com
or cn=Users,cn=Site2,dc=williams-int,dc=com
etc.
How can I specify a single Base Distinguished Name for all sites?
Are wild-cards allowed?
Hi,
We have the same sort of AD configuration where we have multiple sites in different branches of AD. We hence did the same as you have and referenced the AD branch above all the sites and selected SUBTREE search in Info*Engine.
BUT, the problem with this is that we also have other AD items under each site branch as well as user IDs, such as PCs etc. Windchill hence thinks that these are usernames.
Is there some way that it is possible to specify several different user locations in AD so that we can specify only the exact AD branches with users?
I wonder if there is a filter that can be applied - perhaps to the AuthLDAPURL string in the file C:\ptc\Apache\Conf\Extra\app-Windchill-Auth.conf ?
Here is my current string:
AuthLDAPURL ldap://prtc-ad3-01.stc.ricplc.com:3268/DC=ricplc,DC=com?sAMAccountName?sub?(objectClass=*)
Is it possible to change the objectClass=* to something that only returns users?
Rgds
Gary Mansell
I'd suggest working with the technical folks that designed, configured, and/or run your Active Directory server - they'll be able to advise you about the layout and best usage of the data in your AD.
If you haven't done so already, you should read & re-read the section entitled "Configuring Additional Enterprise Directories" in the "Windchill Advanced Install & Configuration Guide." In particular, you should read & work with your Active Directory staff to come up with the mappings described in the "Mapping User and Group LDAP Values in an Existing Directory" section of that same guide - be sure to look for the section relating to Active Directory, and not plain LDAP.
Be sure to configure any "Additional Properties" in the Windchill LDAP Adapter configuration (using I*E Administrator) that you might need to help limit the scope of objects that Windchill "sees" in your directory; for instance:
...and others.
Also, be sure to configure two places to match each-other (if you're using the standard Windchill Apache Webserver configuration):
In Reply to Gerry Champoux:
Thanks to all who replied.
Between your recommendations and that of our AD administrator, I got it working.
Here is what we had to do:
Gerry
- During the install, I set the "Base Distinguished Name for Enterprise Users" to our top-level only:
dc=williams-int,dc=com
Several people recommended this, but it was not enough. See below.
- Set the LDAP search scope to "SUBTREE".
It took a little experimenting to find out where and how to do this.
1) In Windchill, launch the "Info*Engine Administrator". (Site > Utilities)
2) Log in using "cn=manager" as the principal.
3) Click on the enterprise LDAP adapter for the AD server. Ours is "com.williams-int.domainsrv".
4) Change the "LDAP Search Scope" to "SUBTREE".
5) Save (OK), close everything, and restart all Windchill components.
A few people had replied to say that they too had used the SUBTREE option to get all AD users from multiple branches.
They (and I) saw an odd side-effect: Other objects (non-user) were included as well, especially computer names.
Although this was not a problem, it is a bit of a nuisance when searching/listing users.
With the help of my AD administrator, we were able to filter as follows:
In Info*Engine, edit the AD adapter and set this property:
com.williams-int.EnterpriseLdap.windchill.mapping.user.filter: (objectCategory=user)(objectClass=person)
If the property does not already exist, just add it.
And in my case, I also wanted to exclude all AD groups, as I intend to have all Windchill groups defined in Windchill DS only.
All I needed to do was set this property in the adapter:
com.williams-int.EnterpriseLdap.windchill.mapping.group.filter: cn=dummygroupname
Where dummygroupname is any group that does not exist in AD.
Gerry
Gerry,
Thanks for this - your suggestion has solved my issue too.
I have further enhanced your solution to also exclude all non-enabled AD users by further modifying the Info*Engine filter:
com.williams-int.EnterpriseLdap.windchill.mapping.user.filter: (objectCategory=user)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))
Hope that helps...
Gary Mansell
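To see what the adapter filter in this thread actually admits, here is an added example (not Windchill or Info*Engine code, and not from any poster) that parses the posted filter and evaluates it against a few constructed Active Directory entries: an enabled user, a disabled user, a workstation account and a group. The entries are a simplification, with objectCategory stored as a short class name, and the bitwise-AND rule for userAccountControl is implemented from the OID's documented semantics.

```python
BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND: Microsoft's bitwise-AND rule OID
# Filter exactly as posted in the thread; its items are ANDed, so select_users wraps them in (&...)
USER_FILTER = ("(objectCategory=user)(objectClass=person)"
               "(!(userAccountControl:1.2.840.113556.1.4.803:=2))")
def parse(s, i=0):
    """Parse the RFC 4515 subset used here: (&..), (!..), (attr=value), (attr:OID:=value)."""
    if s[i + 1] in "&!":                # compound node: operator followed by child filters
        op, i, kids = s[i + 1], i + 2, []
        while s[i] != ")":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    j = s.index(")", i)                 # simple item, e.g. objectClass=person
    attr, value = s[i + 1:j].split("=", 1)
    return ("cmp", attr, value), j + 1

def matches(node, entry):
    """Evaluate a parsed filter node against one entry (case-insensitive, as AD compares)."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    if ":" in attr:                     # extensible match, e.g. userAccountControl:<OID>:=2
        attr, oid, _ = attr.split(":")
        assert oid == BIT_AND, "unsupported matching rule " + oid
        mask = int(value)               # true when every bit of the mask is set in the value
        return any(int(v) & mask == mask for v in entry.get(attr.lower(), []))
    values = entry.get(attr.lower(), [])
    if value == "*":                    # presence test, as in the AuthLDAPURL's (objectClass=*)
        return bool(values)
    return any(v.lower() == value.lower() for v in values)

def select_users(entries, filter_text=USER_FILTER):
    """Return the sAMAccountNames the ANDed filter items admit, in directory order."""
    node, _ = parse("(&" + filter_text + ")")
    return [e["samaccountname"][0] for e in entries if matches(node, e)]

def entry(sam, category, classes, uac=None):
    """Build a constructed entry; objectCategory is abbreviated to a short class name."""
    e = {"samaccountname": [sam], "objectcategory": [category], "objectclass": classes}
    if uac is not None:
        e["useraccountcontrol"] = [str(uac)]
    return e
PERSON = ["top", "person", "organizationalPerson", "user"]   # class chain of an AD user
SAMPLE = [                                                   # constructed sample entries
    entry("jdoe", "user", PERSON, 512),                      # enabled account
    entry("oldhand", "user", PERSON, 66050),                 # disabled + password never expires
    entry("WS-SITE1-07$", "computer", PERSON + ["computer"], 4096),  # workstation account
    entry("cad-users", "group", ["top", "group"]),           # security group
]
```

Because computer objects in AD also carry objectClass person, (objectClass=person) alone lists the workstation; and because 66050 is not equal to 514, a plain (userAccountControl=514) test would still admit the disabled account, which is why the bit-AND rule is needed.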
Just an FYI,
The higher the branch, the more entries the search must be able to return; you may hit the 2000-entry limit when searching your AD. Ask your AD administrator to increase the entry limit to, say, 4000 to 10000. As a side note, if you are planning to have multiple forests, you are going to have to move to mapping Windchill users to the AD principal name.