I see you want to use AD just for authentication and keep the users in Windchill Directory Server. You are right, you don't have to configure an additional JNDI adapter for this.
1. Create Windchill users with the "username = Active Directory sAMAccountName". You can provide a random password of your choice, as this password will not be used. The email address needs to be entered manually for each of the users. You can either create users manually or use load from file - https://support.ptc.com/appserver/cs/view/solution.jsp?n=CS23818.
2. Add the Active Directory auth provider as the first provider entry in <Apache>\conf\extra\app-Windchill-AuthProvider.xml:

    <provider>
        <name>Corporate-AD</name>
        <ldapUrl>ldap://domain-controller.domain.com:3268/CN=Users,DC=company,DC=internal?sAMAccountName?sub?(objectClass=*)</ldapUrl>
        <bindDn>CN=service_Account,CN=serviceaccount,DC=company,DC=internal</bindDn>
        <bindPwd>password</bindPwd>
    </provider>

3. Open a Windchill shell, navigate to ptc/HTTPServer and run the command ant -f webAppConfig.xml regenWebAppConf. This will propagate the entries from the above XML to the conf file.
A few +ves of this approach are:
We can keep the Windchill user tables clean. Active Directory is extremely volatile: IT administrators would add/remove/move/rename users as per their need, and often Windchill will not like it. No issues with disconnected principals, unless you delete users from Windchill DS directly. To be compliant with the licensing policy, you can create a group in WindchillDS and move all the separated user accounts to this group.
A few -ves of this approach are:
To add a new account, every time you need to manually create the user in Windchill. If you configure a JNDI adapter, this will be populated automatically. Another pitfall is, if you ever have to use CFR Part 11 authenticated workflow task completion, users will have to enter the password which you provide in Windchill, unless you have some third party tool for password synchronization.
Thank you
Binesh Kumar
Medtronic-MITG
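Added example, not code from the post or from PTC: a small Python check to run over a <provider> entry in the shape shown above before regenerating the conf file. It splits the ldapUrl into its RFC 4516 fields (base DN, login attribute, scope, filter) and flags any RDN in bindDn whose attribute type is not a known one. The element names come from the post; the sample XML, the list of accepted attribute types and the individual checks are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, unquote
# Constructed sample in the layout of the post's <provider> entry; the bindDn is
# deliberately malformed ("an" is not an attribute type) so the check has something to flag.
SAMPLE_XML = """<providers>
<provider>
<name>Corporate-AD</name>
<ldapUrl>ldap://domain-controller.domain.com:3268/CN=Users,DC=company,DC=internal?sAMAccountName?sub?(objectClass=*)</ldapUrl>
<bindDn>an=svc_windchill,OU=Service Accounts,DC=company,DC=internal</bindDn>
<bindPwd>password</bindPwd>
</provider>
</providers>"""

KNOWN_TYPES = {"cn", "ou", "dc", "o", "uid", "l", "st", "c"}  # assumed list of RDN attribute types
RDN = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)=.+$")

def parse_ldap_url(url):
    """Split an RFC 4516 URL (ldap://host:port/base?attrs?scope?filter) into its fields."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: " + url)
    fields = (parts.path.lstrip("/") + "?" + parts.query).split("?")
    fields += [""] * (4 - len(fields))
    base, attrs, scope, filt = (unquote(f) for f in fields[:4])
    return {"host": parts.hostname, "port": parts.port or 389, "base": base,
            "attrs": attrs, "scope": scope or "base", "filter": filt or "(objectClass=*)"}

def check_dn(dn):
    """Return RDNs whose attribute type is unknown (naive comma split; escaped commas not handled)."""
    rdns = [r.strip() for r in dn.split(",")]
    return [r for r in rdns if not (RDN.match(r) and RDN.match(r).group(1).lower() in KNOWN_TYPES)]

def check_provider(provider):
    """Collect findings for one <provider>; an empty list means it passed."""
    findings = []
    url = parse_ldap_url(provider.findtext("ldapUrl", ""))
    if url["attrs"] != "sAMAccountName":
        findings.append("login attribute is %r; AD logons are matched on sAMAccountName" % url["attrs"])
    if url["scope"] != "sub":
        findings.append("scope %r will not find users below the base DN" % url["scope"])
    if url["port"] not in (389, 636, 3268, 3269):  # 3268/3269 are the Global Catalog ports
        findings.append("unusual LDAP port %d" % url["port"])
    for rdn in check_dn(provider.findtext("bindDn", "")):
        findings.append("bindDn RDN without a valid attribute type: %r" % rdn)
    return findings

def check_file(xml_text):
    return {p.findtext("name"): check_provider(p) for p in ET.fromstring(xml_text).iter("provider")}
```

Point check_file at the text of your own app-Windchill-AuthProvider.xml; a provider that maps to an empty list passed all checks.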