Using Active Directory with multiple user branches

gchampoux
7-Bedrock


I am trying to test-install Windchill Intralink 9.1 M060, using Active Directory for the Enterprise LDAP.
Unfortunately, I know little about AD. It is managed by others.

When specifying the "Base Distinguished Name for Enterprise Users", I tried:
cn=Users,dc=williams-int,dc=com

The above worked, but this branch contains only administrative users.
Our general users are under multiple branches, one for each of our locations/facilities.
For example, I could specify the following for a facility:

cn=Users,cn=Site1,dc=williams-int,dc=com
or cn=Users,cn=Site2,dc=williams-int,dc=com
etc.

How can I specify a single Base Distinguished Name for all sites?
Are wild-cards allowed?

8 REPLIES
avillanueva
22-Sapphire II
(To:gchampoux)

We opted to go to the level above both branches.


Thanks to all who replied.

Between your recommendations and that of our AD administrator, I got it working.

Here is what we had to do:

  • During the install, I set the "Base Distinguished Name for Enterprise Users" to our top-level only:
    dc=williams-int,dc=com
    Several people recommended this, but it was not enough. See below.

  • Set the LDAP search scope to "SUBTREE".
    It took a little experimenting to find out where and how to do this.
    1) In Windchill, launch the "Info*Engine Administrator". (Site > Utilities)
    2) Log in using "cn=manager" as the principal.
    3) Click on the enterprise LDAP adapter for the AD server. Ours is "com.williams-int.domainsrv".
    4) Change the "LDAP Search Scope" to "SUBTREE".
    5) Save (OK), close everything, and restart all Windchill components.
Gerry
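The two settings in Gerry's post interact: the base DN decides which subtree is searched and the scope decides how deep. As an added illustration (my own code, not code from the thread or from PTC), the following Python models that decision for the DN layout described above, with made-up user names and no directory access. It shows why `dc=williams-int,dc=com` on its own was not enough: with a BASE or ONELEVEL scope the users under `cn=Users,cn=Site1,...` sit two levels down and are never returned, and it shows that `cn=Users,dc=williams-int,dc=com` cannot reach them with any scope because they are not under that container at all. A base DN has no wildcard form, so a higher base plus SUBTREE is the way to cover every site.

```python
"""Added example: which entries an LDAP search returns for a given base DN
and scope.  DNs follow the layout described in the thread; user names are
constructed and no directory is contacted."""


def dn_components(dn: str) -> list:
    """Split a DN into its RDNs, most specific first, normalized for the
    case-insensitive comparison LDAP applies to DNs.  Simplified: escaped
    commas and multi-valued RDNs are not handled."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """True if entry_dn would be returned by a search rooted at base_dn
    with the given scope (BASE, ONELEVEL or SUBTREE)."""
    entry, base = dn_components(entry_dn), dn_components(base_dn)
    # The entry must end with the base DN, RDN for RDN, to be under it at all.
    if len(entry) < len(base) or entry[-len(base):] != base:
        return False
    depth = len(entry) - len(base)   # 0 = the base itself, 1 = direct child, ...
    if scope == "BASE":
        return depth == 0
    if scope == "ONELEVEL":
        return depth == 1
    if scope == "SUBTREE":
        return True
    raise ValueError(f"unknown scope {scope!r}")


# Constructed entries: one administrative user in the top-level Users
# container and one general user under each site container.
SAMPLE_DNS = [
    "cn=admin1,cn=Users,dc=williams-int,dc=com",
    "cn=alice,cn=Users,cn=Site1,dc=williams-int,dc=com",
    "cn=bob,cn=Users,cn=Site2,dc=williams-int,dc=com",
]


def find(base_dn: str, scope: str, dns: list = SAMPLE_DNS) -> list:
    """Entries from dns that a search with this base and scope would return."""
    return [dn for dn in dns if in_scope(dn, base_dn, scope)]


if __name__ == "__main__":
    for base, scope in [
        ("cn=Users,dc=williams-int,dc=com", "SUBTREE"),  # the first attempt
        ("dc=williams-int,dc=com", "ONELEVEL"),         # top-level base, narrow scope
        ("dc=williams-int,dc=com", "SUBTREE"),          # top-level base + SUBTREE
    ]:
        print(f"{base} / {scope}: {find(base, scope)}")
```

Running it prints only `admin1` for the first attempt, nothing for the top-level base with ONELEVEL, and all three users for the top-level base with SUBTREE, which is the combination Gerry ended up with.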

Hi,

We have the same sort of AD configuration where we have multiple sites in different branches of AD. We hence did the same as you have and referenced the AD branch above all the sites and selected SUBTREE search in Info*Engine.

BUT, the problem with this is that we also have other AD items under each site branch as well as user IDs, such as PCs etc. Windchill hence thinks that these are usernames.

Is there someway that it is possible to specify several different user locations in AD so that we can specify only the exact AD branches with users?

I wonder if there is a filter that can be applied - perhaps to the AuthLDAPURL string in the file C:\ptc\Apache\Conf\Extra\app-Windchill-Auth.conf ?

Here is my current string:

AuthLDAPURL ldap://prtc-ad3-01.stc.ricplc.com:3268/DC=ricplc,DC=com?sAMAccountName?sub?(objectClass=*)

Is it possible to change the objectClass=* to something that only returns users?

Rgds

Gary Mansell

jessh
12-Amethyst
(To:gchampoux)

If you're using Apache 2.2.x (i.e. the Apache used/required by recent versions of Windchill except on HPUX, where we're not at Apache 2.2 until R10), then you can specify as many different LDAP branches as you wish to it and Windchill.

On the other hand, looking at

I'd suggest working with the technical folks that designed, configured, and/or run your Active Directory server - they'll be able to advise you about the layout and best usage of the data in your AD.

If you haven't done so already, you should read & re-read the section entitled: "Configuring Additional Enterprise Directories" in the "Windchill Advanced Install & Configuration Guide." In particular, you should read & work with your Active Directory staff to come up with the mappings described in the "Mapping User and Group and Group LDAP Values in an Existing Directory" section of that same guide - be sure to look for the section relating to Active Directory, and not plain LDAP.

Be sure to configure any "Additional Properties" in the Windchill LDAP Adapter configuration (using I*E Administrator) that you might need to help limit the scope of objects that Windchill "sees" in your directory; for instance:

  1. <adapter-name>.windchill.mapping.user.filter - an LDAP filter to restrict Windchill's search of the directory only to users belonging to certain directory groups, or of a particular object type, etc.
  2. <adapter-name>.windchill.mapping.user.objectClass - specifies the type of object containing "user" information for Windchill

...and others.

Also, be sure to configure two places to match each-other (if you're using the standard Windchill Apache Webserver configuration):

  1. Windchill's Apache Webserver (as another poster mentioned) - does initial authentication (see file: "Apache/conf/extra/app-Windchill-AuthProvider.xml" and command "ant -f webAppConfig.xml addAuthProvider -DappName=Windchill")
  2. Windchill's LDAP Adapter (as you mentioned) - for user lookups, etc.



A few people had replied to say that they too had used the SUBTREE option to get all AD users from multiple branches.
They (and I) saw an odd side-effect: Other objects (non-user) were included as well, especially computer names.
Although this was not a problem, it is a bit of a nuisance when searching/listing users.
With the help of my AD administrator, we were able to filter as follows:

In Info*Engine, edit the AD adapter and set this property:
com.williams-int.EnterpriseLdap.windchill.mapping.user.filter: (objectCategory=user)(objectClass=person)
If the property does not already exist, just add it.

And in my case, I also wanted to exclude all AD groups, as I intend to have all Windchill groups defined in Windchill DS only.
All I needed to do was set this property in the adapter:
com.williams-int.EnterpriseLdap.windchill.mapping.group.filter: cn=dummygroupname
Where dummygroupname is any group that does not exist in AD.

Gerry



Gerry,

Thanks for this - your suggestion has solved my issue too.

I have further enhanced your solution to also exclude all non-enabled AD users by further modifying the Info*Engine filter:

com.williams-int.EnterpriseLdap.windchill.mapping.user.filter:(objectCategory=user)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))

Hope that helps...

Gary Mansell
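Here is an added Python example (my own code, not code from the thread, from PTC or from Microsoft) that puts Gerry's user and group filters and Gary's enabled-only extension side by side. It parses the subset of RFC 4515 filter syntax they use, including the bitwise-AND matching rule `1.2.840.113556.1.4.803` that tests the ACCOUNTDISABLE bit (0x2) of `userAccountControl`, and evaluates each filter against four constructed entries: an enabled user, a disabled user, a computer account and a group. Names and attribute values are made up, and `objectCategory` is held as the short class name rather than the schema DN AD actually stores. One caveat the evaluator makes visible: the property values as posted are a list of components, while a filter sent to the server must be a single expression, so the example wraps them in `(&...)`. Whether the Windchill adapter does that wrapping itself is not stated anywhere in this thread, so check the adapter documentation before reusing the bare list elsewhere, for instance in the filter component of `AuthLDAPURL`, which takes a complete filter.

```python
import re

BIT_AND_RULE = "1.2.840.113556.1.4.803"  # Microsoft's bitwise-AND matching rule
UF_ACCOUNTDISABLE = 0x2                  # userAccountControl bit the posted filter excludes

# The property values as posted: lists of filter components, not one filter.
POSTED_USER_FILTER = "(objectCategory=user)(objectClass=person)"
POSTED_ENABLED_USER_FILTER = POSTED_USER_FILTER + (
    f"(!(userAccountControl:{BIT_AND_RULE}:={UF_ACCOUNTDISABLE}))")


def wrap_and(components: str) -> str:
    """Combine concatenated components into one complete (&...) filter."""
    return f"(&{components})"


# Constructed entries with made-up names.  Real AD returns objectCategory as a
# schema DN (CN=Person,CN=Schema,...) and resolves a class name in a filter to
# that DN; the short class name stands in for both here.
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
SAMPLE_ENTRIES = [
    {"cn": "alice", "sAMAccountName": "alice", "objectCategory": "user",
     "objectClass": USER_CLASSES, "userAccountControl": 512},    # enabled
    {"cn": "bob", "sAMAccountName": "bob", "objectCategory": "user",
     "objectClass": USER_CLASSES, "userAccountControl": 514},    # 512 | ACCOUNTDISABLE
    {"cn": "WS-0042", "sAMAccountName": "WS-0042$", "objectCategory": "computer",
     "objectClass": USER_CLASSES + ["computer"], "userAccountControl": 4096},
    {"cn": "Engineers", "sAMAccountName": "Engineers", "objectCategory": "group",
     "objectClass": ["top", "group"]},
]

ITEM_RE = re.compile(r"([A-Za-z][\w-]*)(?::([\d.]+):)?=(.*)")  # attr[:rule:]=value


def parse_filter(text: str):
    """Parse an RFC 4515 filter (&, |, !, equality, presence, extensible match)
    into a tree; raise ValueError on malformed input, including bare components."""
    pos = 0

    def parse():
        nonlocal pos
        if text[pos:pos + 1] != "(":
            raise ValueError(f"expected '(' at offset {pos} in {text!r}")
        pos += 1
        op = text[pos:pos + 1]
        if op in ("&", "|", "!"):
            pos += 1
            children = []
            while text[pos:pos + 1] == "(":
                children.append(parse())
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one component")
        else:
            end = text.index(")", pos)  # escaped ')' inside values not handled
            m = ITEM_RE.fullmatch(text[pos:end])
            if not m:
                raise ValueError(f"unsupported filter item {text[pos:end]!r}")
            pos, op, children = end, "item", list(m.groups())
        if text[pos:pos + 1] != ")":
            raise ValueError(f"expected ')' at offset {pos} in {text!r}")
        pos += 1
        return (op, children)

    tree = parse()
    if pos != len(text):  # e.g. "(a=1)(b=2)" without an enclosing (&...)
        raise ValueError(f"trailing text at offset {pos}: {text[pos:]!r}")
    return tree


def is_complete_filter(text: str) -> bool:
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


def matches(tree, entry: dict) -> bool:
    op, args = tree
    if op == "&":
        return all(matches(c, entry) for c in args)
    if op == "|":
        return any(matches(c, entry) for c in args)
    if op == "!":
        return not matches(args[0], entry)
    attr, rule, value = args
    attrs = {k.lower(): v for k, v in entry.items()}  # attribute names are case-insensitive
    if attr.lower() not in attrs:
        return False  # absent attribute never matches, so (!(item)) does
    raw = attrs[attr.lower()]
    values = raw if isinstance(raw, list) else [raw]
    if value == "*":
        return True  # presence filter such as (objectClass=*)
    if rule == BIT_AND_RULE:
        mask = int(value)
        return any(int(v) & mask == mask for v in values)
    if rule is not None:
        raise ValueError(f"unsupported matching rule {rule}")
    return any(str(v).lower() == value.lower() for v in values)


def search(filter_text: str, entries=SAMPLE_ENTRIES) -> list:
    """sAMAccountName of every entry the filter admits, in directory order."""
    tree = parse_filter(filter_text)
    return [e["sAMAccountName"] for e in entries if matches(tree, e)]
```

Calling `search("(objectClass=*)")` returns all four sample names, computer and group included; `search(wrap_and(POSTED_USER_FILTER))` drops the computer and the group but keeps the disabled user; `search(wrap_and(POSTED_ENABLED_USER_FILTER))` keeps only the enabled user; and `search("(cn=dummygroupname)")` returns nothing, which is the effect Gerry wanted from the group filter. `is_complete_filter(POSTED_USER_FILTER)` is False, which is the wrapping caveat from the lead-in.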

Just an FYI,

The higher the branch, the more entries the search has to return, and you may hit a 2000-entry limit when searching your AD. Ask your AD administrator to increase the entry limit to, say, 4000 to 10000. As a side note, if you are planning to have multiple forests, you are going to have to move to mapping Windchill users to the AD principal name.
