[HIDE="1"]
How to configure access to Microsoft Active Directory in Windchill PDMLink
Created: 09-Sep-2011 | Modified: 08-Feb-2017
Applies To
- Arbortext Content Manager
- Windchill PDM Essentials
- Pro/INTRALINK 8.x +
- Windchill ProjectLink
- Windchill PDMLink 6.2 to 11.0
Description
- How to configure EnterpriseLdap to access a Corporate LDAP server.
- How to configure JNDIAdapter to access a Microsoft Active Directory (AD, ADS) server.
- How to configure Windchill PDMLink to access Microsoft Active Directory server.
Resolution
- Prerequisites
- Refer to the article [link unavailable], which describes the general steps to configure Windchill to connect to an LDAP server.
- Also, consult the section [link unavailable] in the Windchill Help Center for further information on the required steps.
- The steps below cover only what is specific to setting up access to Active Directory.
- Configuring the JNDI Adapter for Active Directory:
- During the configuration of the JNDI Adapter, the following changes should be considered.
- Provider URL:
- Set the Provider URL to use the Active Directory Global Catalog port 3268 instead of the default LDAP port 389.
- Accessing the Global Catalog will give Windchill access to all objects in the Active Directory forest.
- The Global Catalog will only provide a limited subset of attributes compared to the LDAP port.
- For additional information on the Active Directory Global Catalog, see the Microsoft TechNet articles on the topic [links unavailable].
- Additional Properties:
- All Additional Properties are of the form <Runtime Service Name>.<propertyName> = <value>.
- The following Additional Properties should be considered for Active Directory.
<Runtime Service Name>.windchill.config.doesNotContainGroups:
- As an external Corporate Directory it may not be appropriate for Windchill to use groups defined in AD.
<Runtime Service Name>.windchill.config.readOnly:
- As an external Corporate Directory it may not be appropriate for Windchill to write to AD.
- See [link unavailable] for additional details on these properties.
- Schema attribute mapping:
- The Active Directory schema does not match the Windchill Directory Server schema.
- At a minimum, the following Additional Properties must be added to map Windchill attributes to AD attributes.
<Runtime Service Name>.windchill.mapping.user.objectClass=user
<Runtime Service Name>.windchill.mapping.user.uid=sAMAccountName
<Runtime Service Name>.windchill.mapping.user.uniqueIdAttribute=sAMAccountName
<Runtime Service Name>.windchill.mapping.user.o=company
- If .windchill.config.doesNotContainGroups is not set to true, then the following group schema mappings must be added:
<Runtime Service Name>.windchill.mapping.group.cn=cn
<Runtime Service Name>.windchill.mapping.group.objectClass=group
<Runtime Service Name>.windchill.mapping.group.uniqueIdAttribute=sAMAccountName
<Runtime Service Name>.windchill.mapping.group.uniqueMember=member
- Directory Type:
- The following Additional Property should be set to enable Windchill to support using paged results for large query results in AD:
<Runtime Service Name>.windchill.config.directoryType=ADS
- User Organization Mapping:
- The following Additional Property can be considered to map AD users to a specific Windchill Organization:
<Runtime Service Name>.windchill.mapping.usersOrganizationName
- See [link unavailable] for additional information on mapping LDAP users to Windchill Organizations.
- Filters:
- The following Additional Property can be considered to additionally filter users in AD:
<Runtime Service Name>.windchill.mapping.user.filter
- See [link unavailable] for more details on the user filter.
- The following Additional Property can be considered to additionally filter groups in AD:
<Runtime Service Name>.windchill.mapping.group.filter
- See [link unavailable] for additional information on configuring these filters.
- For additional information, see the Help Center topic [link unavailable].
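The rules in this section (Global Catalog port, directoryType=ADS, the four user mappings, and the group mappings unless doesNotContainGroups is true) can be checked mechanically before the adapter is deployed. The following Python is an added example for this article, not PTC code: it parses Additional Properties lines of the form shown above and reports deviations. The Runtime Service Name reuses the article's step 6 example (ts.enxp-wnc-91.jndiAdapter); the provider URL host and the property values are constructed.

```python
"""Lint a Windchill JNDI Adapter configuration aimed at Active Directory.

Added example for this article, not PTC code. It encodes the rules stated
above: Global Catalog port 3268, directoryType=ADS, the four user mappings,
and the group mappings unless doesNotContainGroups=true.
"""
from urllib.parse import urlsplit

# Runtime Service Name taken from the article's step 6 example.
SERVICE = "ts.enxp-wnc-91.jndiAdapter"

GLOBAL_CATALOG_PORT = 3268
DEFAULT_LDAP_PORT = 389
USER_MAPPINGS = ("user.objectClass", "user.uid", "user.uniqueIdAttribute", "user.o")
GROUP_MAPPINGS = ("group.cn", "group.objectClass", "group.uniqueIdAttribute", "group.uniqueMember")

# Constructed sample: a provider URL and Additional Properties as they
# would be entered for the adapter (the hostname is made up).
SAMPLE_PROVIDER_URL = "ldap://dc01.mydomain.com:3268"
SAMPLE_PROPERTIES = f"""
{SERVICE}.windchill.config.directoryType=ADS
{SERVICE}.windchill.config.readOnly=true
{SERVICE}.windchill.config.doesNotContainGroups=true
{SERVICE}.windchill.mapping.user.objectClass=user
{SERVICE}.windchill.mapping.user.uid=sAMAccountName
{SERVICE}.windchill.mapping.user.uniqueIdAttribute=sAMAccountName
{SERVICE}.windchill.mapping.user.o=company
"""


def parse_additional_properties(text: str, service: str) -> dict:
    """Turn '<service>.windchill.<key>=<value>' lines into {key: value}."""
    prefix = f"{service}.windchill."
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed property line: {raw!r}")
        key = key.strip()
        if not key.startswith(prefix):
            raise ValueError(f"{key!r} is not a windchill property of service {service!r}")
        props[key[len(prefix):]] = value.strip()
    return props


def is_true(props: dict, key: str) -> bool:
    return props.get(key, "").strip().lower() == "true"


def lint_ad_adapter(provider_url: str, props: dict) -> list:
    """Return a list of findings; an empty list means the config follows the article."""
    findings = []
    port = urlsplit(provider_url).port or DEFAULT_LDAP_PORT
    if port != GLOBAL_CATALOG_PORT:
        findings.append(
            f"provider URL uses port {port}; the Global Catalog port {GLOBAL_CATALOG_PORT} "
            "is needed for forest-wide lookups (note it returns only a subset of attributes)")
    if props.get("config.directoryType") != "ADS":
        findings.append("config.directoryType is not ADS; large AD result sets will not be paged")
    if not is_true(props, "config.readOnly"):
        findings.append("config.readOnly is not true; Windchill may write to the corporate directory")
    missing = [m for m in USER_MAPPINGS if f"mapping.{m}" not in props]
    if missing:
        findings.append("missing user schema mappings: " + ", ".join(missing))
    if not is_true(props, "config.doesNotContainGroups"):
        missing = [m for m in GROUP_MAPPINGS if f"mapping.{m}" not in props]
        if missing:
            findings.append("groups are enabled but group mappings are missing: " + ", ".join(missing))
    return findings


if __name__ == "__main__":
    parsed = parse_additional_properties(SAMPLE_PROPERTIES, SERVICE)
    for finding in lint_ad_adapter(SAMPLE_PROVIDER_URL, parsed) or ["no findings"]:
        print(finding)
```

Paste the adapter's actual Additional Properties into SAMPLE_PROPERTIES (or read them from a file) and set SERVICE to the real Runtime Service Name; the readOnly finding is advisory, since the article only says writing to AD may be inappropriate.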
2: Configuring the Repository
- There are no differences when configuring a repository for an AD JNDI Adapter.
3: Setting Map Credentials:
- There are no differences when configuring Map Credentials for an AD JNDI Adapter.
- To find the exact Bind User DN, open a command window on the Active Directory server and run the following command:
dsquery user
4: Setting the Federated Directories property:
- There are no differences when configuring the Federated Directories properties for an AD JNDI Adapter.
5: Configuring Apache Authentication:
Option 1
From a Windchill shell in the <Apache> directory, run the following command:
ant -f webAppConfig.xml addAuthProvider -DproviderName=<NAME> "-DldapUrl=ldap://<LDAP Host>:<LDAP Port>/<SearchBase>?sAMAccountName?sub?(objectClass=user)" "-DbindDn=<Bind User DN>" "-DbindPwd=<Password>"
Where
<NAME> is a unique name for this adapter, e.g. CorpLdap
<LDAP Host> is the hostname of the LDAP server
<LDAP Port> is the port used by LDAP (optional)
<SearchBase> is the search base. Should match the base set in the JNDI Adapter, eg, ou=users,dc=mydomain,dc=com
<Bind User DN> is the full DN of the user that will connect to LDAP to perform the searches. Should match the DN used in step 3
<Password> the password of the bind user.
Option 2
1. Before 11.0, edit Apache\conf\extra\app-Windchill-AuthProvider.xml.
After 11.0, edit Apache\conf\app-Windchill-AuthProvider.xml.
2. Add an additional provider section in the form,
<provider>
<name>Windchill-<adaptername></name>
<ldapUrl>ldap://<ldaphostname>:<ldapport>/<searchbase>?sAMAccountName?sub?(objectClass=user)</ldapUrl>
<bindDn><Bind User DN></bindDn>
<bindPwd><Password></bindPwd>
</provider>
Where
<adaptername> is a unique name for the adapter, e.g. CorpLdap
<ldaphostname> is the hostname of the LDAP server which should match the LDAP hostname in step 1
:<ldapport> is an optional port number if the LDAP server is not using port 389
<searchbase> is the search base for the LDAP server which should match the search base in step 1
<Bind User DN> is the user DN used to connect to LDAP which should match the DN used in step 3
<Password> is the password for this user which should match the password used in step 3
For example:
<provider>
<name>Windchill-CorpLdap</name>
<ldapUrl>ldap://corpldap.mydomain.com/ou=users,dc=mydomain,dc=com?sAMAccountName?sub?(objectClass=user)</ldapUrl>
<bindDn>cn=WCAccess,ou=users,dc=mydomain,dc=com</bindDn>
<bindPwd>password</bindPwd>
</provider>
3. From a Windchill shell in the Apache directory run
ant -f webAppConfig.xml regenWebAppConf
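Both options above hand Apache an LDAP URL of the form ldap://host:port/searchbase?attribute?scope?filter, and Apache turns each login into a search that combines the configured filter with attribute=login. The Python below is an added example for this article, not PTC or Apache code: it decomposes such a URL, applies the defaults Apache documents for omitted parts, previews the search filter a login produces with RFC 4515 escaping of the login value, and flags a cleartext ldap:// scheme (the bind DN and password in the provider element otherwise cross the network unencrypted unless StartTLS is enforced). The sample URL is the article's own CorpLdap example.

```python
"""Decompose an Apache LDAP authentication URL and preview the bind-time search.

Added example for this article, not PTC or Apache code. The URL shape
ldap[s]://host[:port]/basedn?attribute?scope?filter is the one used by the
article's addAuthProvider command and <ldapUrl> element.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit, unquote

# RFC 4515 escapes for characters that carry meaning inside a search filter.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
VALID_SCOPES = ("base", "one", "sub")

# The article's own example URL.
SAMPLE_URL = "ldap://corpldap.mydomain.com/ou=users,dc=mydomain,dc=com?sAMAccountName?sub?(objectClass=user)"


@dataclass
class LdapUrl:
    scheme: str
    host: str
    port: int
    base_dn: str
    attribute: str
    scope: str
    filter: str


def parse_ldap_url(url: str) -> LdapUrl:
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("LDAP URL has no host")
    # Everything after the first '?' lands in .query; LDAP URLs use further
    # '?' characters to separate attribute, scope and filter.
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    attribute, scope, filt = (unquote(f) for f in fields[:3])
    scope = scope or "sub"
    if scope not in VALID_SCOPES:
        raise ValueError(f"invalid scope {scope!r}")
    return LdapUrl(
        scheme=parts.scheme,
        host=parts.hostname,
        port=parts.port or (636 if parts.scheme == "ldaps" else 389),
        base_dn=unquote(parts.path.lstrip("/")),
        attribute=attribute or "uid",        # defaults documented for Apache's AuthLDAPURL
        scope=scope,
        filter=filt or "(objectClass=*)",
    )


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot alter the structure of the filter it is placed in."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def effective_search_filter(url: LdapUrl, login: str) -> str:
    """The filter a login attempt turns into: configured filter AND attribute=login."""
    return f"(&{url.filter}({url.attribute}={escape_filter_value(login)}))"


def check_url(url: LdapUrl) -> list:
    """Advisory findings on the URL as configured; empty list means nothing to note."""
    findings = []
    if url.scheme == "ldap":
        findings.append("ldap:// without TLS: the bind DN and password travel in cleartext unless StartTLS is enforced")
    if url.attribute.lower() != "samaccountname":
        findings.append(f"login attribute is {url.attribute}; the JNDI Adapter in this article maps uid to sAMAccountName")
    if "(objectclass=user)" not in url.filter.lower():
        findings.append("filter does not restrict matches to (objectClass=user) as the article's example does")
    return findings


if __name__ == "__main__":
    parsed = parse_ldap_url(SAMPLE_URL)
    print(parsed)
    print(effective_search_filter(parsed, "jdoe"))
    for finding in check_url(parsed) or ["no findings"]:
        print(finding)
```

Run it against the ldapUrl value from app-Windchill-AuthProvider.xml before regenerating the Apache configuration; the search-base, attribute and filter it prints should match what was entered for the JNDI Adapter in step 1.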
6: If AD users/groups need to be searched in Windchill, do the following:
Open a Windchill Shell and run:
xconfmanager -t codebase\wt.properties -s wt.federation.org.directoryServices="$(wt.federation.org.defaultAdapter),$(wt.federation.org.enterpriseAdapter),<AD-JNDI-ADAPTER>" -p
e.g.
xconfmanager -t codebase\wt.properties -s wt.federation.org.directoryServices="$(wt.federation.org.defaultAdapter),$(wt.federation.org.enterpriseAdapter),ts.enxp-wnc-91.jndiAdapter" -p[/HIDE]