
Using Active Directory for authentication only

ykim-9
7-Bedrock

Hello.

I'm trying to use Active Directory only for authentication, while the service is started by WindchillDS.

I want the process below.

If an AD user (on an AD-joined computer) tries to access Windchill, authentication occurs (SSO), and then the same ID in the WindchillDS LDAP can start the service.

And a user who is not in AD has to enter a Windchill LDAP account in order to start the service.

Because not all members are in Active Directory.

AD and WindchillDS can both authenticate, but only WindchillDS LDAP users use the service.

AD users have the same ID in WindchillDS.

Is it possible? Please help.

The product is Windchill PDMLink 10.2 M030. Thanks,

1 ACCEPTED SOLUTION

TomU
23-Emerald IV
(To:ykim-9)

  1. Windchill and Apache are both capable of authenticating with multiple LDAPs, so Active Directory and Windchill DS can both be used for authentication.  The order in which the LDAP providers are queried is based on the order they are listed in the configuration files.
  2. It is also possible to have some users defined in one LDAP (Active Directory) and other users defined in another LDAP (Windchill DS).
  3. It is NOT possible to have the same users present in multiple LDAPs unless you are using a split system where Apache is authenticating against one LDAP (e.g. AD only) and Windchill is locating its accounts from another LDAP (e.g. Windchill DS only).

Based on your questions, I think option three is probably what you are trying to do.

  1. Define all users in Windchill DS.
  2. Configure Apache to authenticate against Active Directory first, then Windchill DS if the user isn't found.
  3. Do NOT configure Windchill to 'see' Active Directory (no new adapter in Windchill, InfoEngine, etc.)

With this configuration, if a user exists in Active Directory and Windchill DS, they can log on.  If a user does not exist in Active Directory but does exist in Windchill DS, they also can log on.  Finally, if a user only exists in Active Directory but does not exist in Windchill DS, they cannot log on.

 

These articles may help as well:


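The Apache side of the split configuration TomU describes (Active Directory queried first, Windchill DS only when the user is not found there), written out as an added example. This is not configuration from the thread or from the files PTC ships; it uses Apache 2.4's AuthnProviderAlias (mod_authn_core) together with mod_authnz_ldap. The hostnames, base DNs, bind accounts, certificate path and the /Windchill location are placeholders, and the Windchill DS base DN follows the usual o=ptc layout but must be taken from your own installation.

```apache
# Added example, not PTC's shipped configuration. All names below are placeholders.
LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule authn_core_module  modules/mod_authn_core.so
LoadModule auth_basic_module  modules/mod_auth_basic.so

# CA that signed the directory servers' certificates, so ldaps:// is actually verified.
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/corp-ca.pem

# Provider 1: Active Directory. Users log in with their sAMAccountName.
# The bind account is a read-only service account with no other rights.
<AuthnProviderAlias ldap ad-ldap>
    AuthLDAPURL "ldaps://ad.example.com:636/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN "CN=svc-windchill-ldap,OU=Service Accounts,DC=example,DC=com"
    AuthLDAPBindPassword "change-me"
</AuthnProviderAlias>

# Provider 2: Windchill DS. Consulted only when provider 1 reports the user as not found.
# Base DN assumed from the default Windchill DS layout; check yours in the Windchill DS console.
<AuthnProviderAlias ldap wcds-ldap>
    AuthLDAPURL "ldaps://wcds.example.com:636/ou=people,cn=AdministrativeLdap,cn=Windchill_10.2,o=ptc?uid?sub?(objectClass=person)"
    AuthLDAPBindDN "cn=Manager"
    AuthLDAPBindPassword "change-me"
</AuthnProviderAlias>

# Order matters: AD is tried first, then Windchill DS.
<Location /Windchill>
    AuthType Basic
    AuthName "Windchill"
    AuthBasicProvider ad-ldap wcds-ldap
    Require valid-user
</Location>
```

mod_auth_basic walks the provider list in order and moves on to the next provider only when the current one reports the user as not found. A user who exists in AD but supplies the wrong AD password is denied outright; Apache never falls back to the Windchill DS password for that account, which is what makes the AD password authoritative for anyone present in both directories and why the Windchill DS password for those users never matters. Keep the bind passwords out of a world-readable file (Apache 2.4.5 and later accept `AuthLDAPBindPassword exec:/path/to/script`), and use ldaps or STARTTLS so the Basic-auth credentials the browser sends are not relayed to the directory in the clear.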
3 REPLIES
ykim-9
7-Bedrock
(To:TomU)

Thank you!! Very helpful!

I found that with this configuration I cannot add a user in 'Participant Administrator' after adding an AD ID; I can only add users from WindchillDS.

I have one more question.

WindchillDS has a password policy that sends mail before expiration. Is there a way to separate the notifications? I think AD users will be confused when they receive a notification about password expiration from WindchillDS.

TomU
23-Emerald IV
(To:ykim-9)

If only Apache has been configured to talk to Active Directory, and Windchill itself has not, then configuring participants through participant administration will still work fine since it is only 'seeing' Windchill DS.

 

As far as password expiry notifications from Windchill DS, don't use them.  Just turn them off.  Since the users are defined in Active Directory there is no reason for their passwords to ever need to expire in Windchill DS.  The passwords in Windchill DS don't matter since they won't be authenticated against as long as these users continue to exist in Active Directory.
