
external access apache filter woes

SimonLucas
1-Newbie


Hi,

we are currently trying to set up external access to our main PLM server, and have a secondary apache server which will control access for external clients to the system.

As part of the apache config we are trying to limit login to a particular group in Windchill DS but are having trouble getting the correct format for this filter.

The filter would end up in the 'Apache\conf\extra\app-Windchill-Auth.conf' file and so far we have the filter looking like this:

AuthLDAPURL "ldap://<server name>:<port>/ou=xxx,cn=xxx,cn=xxx,o=ptc??sub?(isMemberOf=cn=xxx,cn=xxx,o=xxx,ou=xxx,cn=xxx,cn=xxx,o=ptc)”

With this apache appears to accept the login details but we just get a spinning circle and do not progress any further. There is nothing in the MS logs either to suggest if there is an issue or otherwise. If we just have the default filter of 'AuthLDAPURL "ldap://<server name>:<port>/ou=xxx,cn=xxx,cn=xxx,o=ptc' then anyone can log in OK, but we need to filter down to the group.

The main Windchill apache then authenticates against either corp Ldap or Windchill DS as appropriate.

Any suggestions?

Cheers

forgot to add we are on 10.1 M040

Message was edited by: Simon Lucas

TomU
23-Emerald IV
(To:SimonLucas)

Not sure how similar 10.1 is to 10.2 in this regard, but here is what I have on my 10.2 system (edited of course):

AuthLDAPURL "ldap://<server 1 name> <server 2 name>:<port>/dc=xx,dc=com?sAMAccountName?sub?(objectClass=user)(|(memberOf:1.2.840.113556.1.4.1941:=CN=<group_1_name>,CN=Users,DC=xx,DC=com)(memberOf:1.2.840.113556.1.4.1941:=CN=<group_2_name>,CN=Users,DC=xx,DC=com)(memberOf:1.2.840.113556.1.4.1941:=CN=<group_3_name>,CN=Users,DC=xx,DC=com))"

By the way, I never edit the app-Windchill-Auth.conf file directly.  Instead I updated the app-Windchill-AuthProvider.xml file and then propagate the changes using the "ant -f webAppConfig.xml regenAllWebApps" command.

BineshKumar1
12-Amethyst
(To:TomU)

I agree with Tom. It is a syntax error in the LDAP provider file.

<ldapUrl>ldap://myldapserver.mydomain.com:3268/OU=User,DC=mydomain,dc=com?sAMAccountName?sub?(memberOf=<DN of group>)(objectClass=user)</ldapUrl>

We do have a similar configuration, but we use a split DNS configuration to route all the external access to a reverse proxy and local users directly to the WC server. The reverse proxy is in the DMZ and WC is not exposed to the public internet.

Thanks

Binesh Kumar

Barry Wehmiller

Hi,

this sounds similar to our setup (I am not the IT guy, so most of that is above my head), but I do know we are using a reverse proxy in a DMZ. I believe it is the Apache in this area that we are trying to set the filter for, and only to authenticate to Windchill DS before then allowing the user through to authenticate against Windchill / corp LDAP as normal, if that makes sense?

So if checking against Windchill DS what would the sAMAccountName be?

Apologies if I am missing something obvious here, but this area really is all new to me - I normally only worry about business config.

TomU
23-Emerald IV
(To:SimonLucas)

sAMAccountName is the specific Active Directory attribute that Apache is querying for.

[screenshot attachment: sama.PNG]

Edit: I'm going to leave this here, but now after reading your original email more closely I realize you are trying to query for groups in Windchill DS, not Active Directory. Sorry about that. Looking back at your original syntax, I'm questioning the "isMemberOf" portion.

  • Have you tried using "memberOf" instead?  You probably should use a (free) tool to query the Windchill DS to test and tune your query.
  • Looking at your string, you seem to have the organization portion listed twice.  Might want to double check this.  My groups only list it once.

AuthLDAPURL "ldap://<server name>:<port>/ou=xxx,cn=xxx,cn=xxx,o=ptc??sub?(isMemberOf=cn=xxx,cn=xxx,o=xxx,ou=xxx,cn=xxx,cn=xxx,o=ptc)”

cn=Program Managers,ou=people,cn=AdministrativeLdap,cn=Windchill_10.2,o=ptc

Hi

How does the authentication work in this case? Is that filter on the reverse proxy or in the application layer? I would appreciate it if you could give some more details about this. I have been looking for a solution for a long time to give external access only to certain users who are coming through the RP.


Thanks

Erik

GaryMansell
6-Contributor
(To:ehetényi)

Hi,

I'm the "IT guy" working with Simon on this 🙂

We have a corporate Windchill PDMLink system on our company LAN that gets most user accounts from our Active Directory system (Enterprise LDAP) and then other admin and non-direct employee account information from WindchillDS (Administrative LDAP) running on the Windchill server.

We now want to allow external Internet access from known IPs on the Internet (of customers/suppliers etc.) in to our Windchill system on the LAN so that they can access ProjectLink data that has been shared to them.

I have built a hardened remote Apache server located in a DMZ and have allowed access to port 389 on the WindchillDS server on the LAN so that it can use this repository to access user account info for authorising external Internet-based users. It is this Apache server being used for the remote users that we are having trouble configuring the app-Windchill-Auth.conf LDAP search string for.

Simon has created a group within our Windchill system and it is located in the WindchillDS LDAP server (Administrative LDAP) on the LAN - we need to get the Apache server in the DMZ to only allow access to external users whose accounts are in this group in the WindchillDS LDAP.


We don't want any of our corporate users in Active Directory (Enterprise LDAP), nor any of the admin accounts or non-direct employee accounts stored in the WindchillDS LDAP (Administrative LDAP) - we only want the users that have been created in the group that Simon has created in the Windchill / WindchillDS repository:

The internal user accounts exist here in the Windchill DS LDAP server:

ldap://windchill-test.ricardo.com:389/ou=people,cn=AdministrativeLdap,cn=Windchill_9.0,o=ptc

If we use this as the external Apache LDAP string, it works and all the internal WindchillDS LDAP accounts can log in, but we don't want to do this; we just want a sub-group of this location.

The external user accounts exist in a sub-group of the above LDAP string, here in the WindchillDS LDAP server:

ldap://windchill-test.ricardo.com:389/cn=External access clients,cn=Public,o=ricardo,ou=people,cn=AdministrativeLdap,cn=Windchill_9.0,o=ptc

This has been our best stab at getting this to work, but as per Simon's original post, this does not work 😞

AuthLDAPURL "ldap://windchill.ricardo.com:389/ou=people,cn=AdministrativeLdap,cn=Windchill_9.0,o=ptc??sub?(isMemberOf=cn=External access clients,cn=Public,o=ricardo,ou=people,cn=AdministrativeLdap,cn=Windchill_9.0,o=ptc)”

I hope that helps clarify things; we would appreciate a steer to get this sorted.

Rgds

Gary

Think I have it sussed now.

Based on our dev machine, got this to work:

AuthLDAPURL "ldap://server:port/ou=xxxx,cn=AdministrativeLdap,cn=xxxx,o=ptc?uid?sub?(isMemberOf=cn=xxxx,cn=xxxxxc,o=xxxxx,ou=xxxxx,cn=xxxxx,cn=xxxxx,o=ptc)"

Yes - that did it !!!

Thanks everyone.
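The thread turns on the four fields after the base DN in an AuthLDAPURL (attribute, scope, filter) and on what Apache actually sends to the directory once a user logs in. The following parser is an added example written for this thread; it is not code from the original posts nor from PTC or Apache. It assumes the AuthLDAPURL grammar as documented for mod_authnz_ldap (`ldap[s]://host[:port]/basedn[?attribute[?scope[?filter]]]`, defaults `uid`, `sub` and `(objectClass=*)`, the filter AND-ed with `(attribute=username)` at login) and the `-x`, `-H`, `-b` and `-s` flags of OpenLDAP's `ldapsearch`. The sample URLs are constructed from the shapes posted above with placeholder hosts.

```python
"""Parse an Apache mod_authnz_ldap AuthLDAPURL and show the search it produces.

Added example for this thread (not PTC or Apache code). Assumes the documented
AuthLDAPURL grammar: ldap[s]://host[:port]/basedn[?attribute[?scope[?filter]]]
"""
import re
from dataclasses import dataclass, field
from typing import List

# Defaults documented for mod_authnz_ldap when a field is left empty.
DEFAULT_ATTRIBUTE = "uid"
DEFAULT_SCOPE = "sub"
DEFAULT_FILTER = "(objectClass=*)"

_URL_RE = re.compile(r"^(?P<scheme>ldaps?)://(?P<hosts>[^/]*)/(?P<rest>.*)$")

# Constructed sample values (placeholder hosts), shaped like the strings in the thread.
WORKING_URL = ('"ldap://server:port/ou=xxxx,cn=AdministrativeLdap,cn=xxxx,o=ptc?uid?sub?'
               '(isMemberOf=cn=xxxx,cn=xxxxxc,o=xxxxx,ou=xxxxx,cn=xxxxx,cn=xxxxx,o=ptc)"')
BROKEN_URL = ('"ldap://ldap.example.test:389/ou=people,cn=AdministrativeLdap,cn=Windchill_9.0,o=ptc'
              '??sub?(isMemberOf=cn=External access clients,cn=Public,o=example,ou=people,'
              'cn=AdministrativeLdap,cn=Windchill_9.0,o=ptc)\u201d')  # trailing typographic quote
AD_URL = ('"ldap://dc1.example.test dc2.example.test:389/dc=example,dc=test?sAMAccountName?sub?'
          '(objectClass=user)(|(memberOf:1.2.840.113556.1.4.1941:=CN=External,CN=Users,DC=example,DC=test))"')


@dataclass
class AuthLdapUrl:
    scheme: str
    hosts: List[str]      # several space-separated hosts are allowed (failover list)
    port: str             # kept as text; the thread's examples use "<port>" placeholders
    base_dn: str
    attribute: str
    scope: str
    filter: str
    warnings: List[str] = field(default_factory=list)

    def search_filter(self, username: str) -> str:
        """Filter sent at login: the URL filter AND-ed with (<attribute>=<username>).
        The attribute must exist on the user entries of the directory queried
        (uid for Windchill DS, sAMAccountName for Active Directory)."""
        return f"(&{self.filter}({self.attribute}={username}))"

    def ldapsearch_command(self, username: str) -> str:
        """Equivalent ldapsearch call, to test the query outside Apache."""
        host = self.hosts[0] + (f":{self.port}" if self.port else "")
        return (f"ldapsearch -x -H {self.scheme}://{host} -b '{self.base_dn}' "
                f"-s {self.scope} '{self.search_filter(username)}' dn")


def _parens_balanced(text: str) -> bool:
    depth = 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def parse_auth_ldap_url(url: str) -> AuthLdapUrl:
    """Split an AuthLDAPURL value into its fields, apply the documented defaults
    and collect warnings about the things that commonly break these strings."""
    warnings: List[str] = []
    url = url.strip()
    # Typographic quotes come from copy-and-paste and are not the quotes Apache expects.
    if set(url) & set("\u201c\u201d\u2018\u2019"):
        warnings.append("typographic quote characters present; use straight double quotes")
    url = url.strip('"\u201c\u201d')
    m = _URL_RE.match(url)
    if not m:
        raise ValueError(f"not an ldap:// or ldaps:// URL: {url!r}")
    hosts_part = m.group("hosts")
    port = ""
    if ":" in hosts_part:                       # the port follows the last host
        hosts_part, port = hosts_part.rsplit(":", 1)
    hosts = hosts_part.split()
    parts = m.group("rest").split("?", 3)
    parts += [""] * (4 - len(parts))
    base_dn, attribute, scope, filt = parts
    if not attribute:
        warnings.append(f"attribute field empty; mod_authnz_ldap defaults to {DEFAULT_ATTRIBUTE}")
        attribute = DEFAULT_ATTRIBUTE
    if not scope:
        scope = DEFAULT_SCOPE
    elif scope not in ("one", "sub"):
        warnings.append(f"scope {scope!r} is not 'one' or 'sub'")
    if not filt:
        filt = DEFAULT_FILTER
    elif not _parens_balanced(filt):
        warnings.append("filter has unbalanced parentheses")
    return AuthLdapUrl(m.group("scheme"), hosts, port, base_dn, attribute, scope, filt, warnings)


if __name__ == "__main__":
    for label, sample in (("working", WORKING_URL), ("broken", BROKEN_URL), ("AD", AD_URL)):
        parsed = parse_auth_ldap_url(sample)
        print(f"[{label}] attribute={parsed.attribute} scope={parsed.scope}")
        print("  login search:", parsed.search_filter("jsmith"))
        print("  test by hand:", parsed.ldapsearch_command("jsmith"))
        for w in parsed.warnings:
            print("  warning:", w)
```

Running it on the working string shows the search Apache issues at login, `(&(isMemberOf=...)(uid=jsmith))`, which only matches if the user entry in Windchill DS both carries `isMemberOf` for that group and has a `uid`; the generated `ldapsearch` line is the tool-based check Tom recommends, run against the directory before touching the Apache config.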
