li.feixiang
How to Configure Windchill with Active Directory

Description
This article describes how to configure Windchill to authenticate and look up users against Active Directory. See the "Additional Information" section for detailed instructions.
Additional Information
Create a JNDI adapter using the Info*Engine Administrator. A typical name is the domain name reversed followed by ".EnterpriseLdap", i.e. com.example.EnterpriseLdap for the domain example.com.
Almost always you will want to use port 3268 (the Global Catalog port) when configuring Windchill with Active Directory, rather than the default LDAP port 389.
If you bind to port 389 (even on a domain controller that is a Global Catalog server) your search covers a single domain directory partition.
If you bind to port 3268, your search covers all directory partitions in the forest, so a SUBTREE search finds users in every domain of the forest. Keep in mind that the Global Catalog only returns the attributes in the partial attribute set; sAMAccountName and userPrincipalName are in it, but an attribute that is not replicated to the Global Catalog can only be read on port 389. Port 3269 is the Global Catalog over TLS; the ldap:// URLs below send the bind user's password over the network in clear text, so prefer ldaps:// where your domain controllers offer it.

The following Microsoft TechNet article explains how the Global Catalog works:
http://technet2.microsoft.com/WindowsServer/en/library/440e44ab-ea05-4bd8-a68c-12cf8fb1af501033.mspx?mfr=true

Configuring Windchill with Active Directory on the default port 389 can cause other serious issues as well.
See TPI 132744 (https://www.ptc.com/appserver/cs/view/solution.jsp?n=132744) for details.

A typical configuration looks like this:
 Service Name: com.example.EnterpriseLdap
 Runtime Service Name: com.example.EnterpriseLdap
 Service Class: com.infoengine.jndi.JNDIAdapterImpl
 Host: (leave blank; the Provider Url carries the host)
 Port: (leave blank; the Provider Url carries the port)
 Provider Url: ldap://activedirectoryhost.example.com:3268
 Directory System Agent User: CN=Bind User,CN=Users,DC=example,DC=com
 Directory System Agent Credentials: <Password_for_Bind_User>
 Search Base: CN=Users,DC=example,DC=com  (see NOTE 1)
 LDAP Search Scope: SUBTREE
 Additional Properties:
  com.example.EnterpriseLdap.windchill.mapping.user.objectClass:user
  com.example.EnterpriseLdap.windchill.mapping.usersOrganizationName:<Windchill_Organization_Name>  (this property works on M030 and up)
  com.example.EnterpriseLdap.windchill.mapping.user.uid:sAMAccountName  (see NOTE 2)
  com.example.EnterpriseLdap.windchill.mapping.user.uniqueIdAttribute:sAMAccountName  (see NOTE 2)
 
Append the JNDI adapter name to the "wt.federation.org.directoryServices" property in wt.properties. For example:
wt.federation.org.directoryServices=$(wt.federation.org.defaultAdapter),com.example.EnterpriseLdap
Make sure the adapters are separated by commas only; a space or tab character before or after a comma breaks the property value.

Now create a "Repository" using the Task Delegate Administrator:
- Open the Task Delegate Administrator via "Site > Utilities > Info*Engine Administrator > Task Delegate Administrator" and click "Manage Repository".
- The repository name must be the adapter name with its dotted components reversed. For example:
  EnterpriseLdap.example.com
- The repository type must be:
  com.ptc.windchill-ldap
- The repository Webject and Task Processors must be the same as those of the out-of-the-box LDAP adapter (the one for the bundled Aphelion directory). For example:
  Webject Processor: com.example.<Windchill_Host_Name>.Windchill
  Task Processor: com.example.<Windchill_Host_Name>.Windchill
 
A quick test at this point: restart Windchill and open the Principal Administrator. If the setup is correct, a search for users also returns the Active Directory users.

If you use Apache as the web server, you also have to configure its authentication properties to point to Active Directory, because Apache performs the HTTP authentication before Windchill sees the request.

For Apache 2.0.XX edit <Apache_Load_Point>/conf/app-<replace_your_app_name>.properties (i.e. "<Apache_Load_Point>/conf/app-Windchill.properties") in the following way.
(Be sure to escape all colons ":" and equal signs "=" with a backslash "\".)
apacheWebApp.ldapUrl=ldap\://activedirectoryhost.example.com\:3268/DC\=example,DC\=com?sAMAccountName?sub?(objectClass\=*)  (see NOTE 2)
apacheWebApp.bindDn=CN\=Administrator,CN\=Users,DC\=example,DC\=com
apacheWebApp.bindPwd=<password_for_Administrator>
apacheWebApp.anonBind=false
This example binds as Administrator, but the bind account only needs read access to the users it searches. Use the same dedicated, least-privilege account as the JNDI adapter (CN=Bind User above) rather than a domain administrator: the password is stored in clear text in this file and in the generated .conf files.
 
For Apache 2.2.XX edit <Apache_Load_Point>/conf/extra/app-<replace_your_app_name>-AuthProvider.xml (i.e. "<Apache_Load_Point>/conf/extra/app-Windchill-AuthProvider.xml") in the following way. The first provider is the existing entry for the Windchill directory; the second one adds Active Directory:

<?xml version="1.0" encoding="UTF-8"?>
<!--Web App Auth Providers List-->

<providers enableNTLM="false">
  <provider>
    <name>Windchill-ldap</name>
    <ldapUrl>ldap://windchillhost.example.com/ou=people,cn=Windchill,cn=Application%20Services,o=example</ldapUrl>
  </provider>
  <provider>
    <name>Windchill-EnterpriseLdap</name>
    <ldapUrl>ldap://activedirectoryhost.example.com:3268/CN=Users,DC=example,DC=com?sAMAccountName?sub?(objectClass=*)</ldapUrl>
    <bindDn>CN=Bind User,CN=Users,DC=example,DC=com</bindDn>
    <bindPwd><Password_for_Bind_User></bindPwd>
  </provider>
</providers>

To propagate these properties into the .conf files, execute the following command in a Windchill shell from the Apache load point folder:
ant -f webAppConfig.xml regenWebAppConf
 
Apache 2.0.XX can only bind to one LDAP server. So once you configure Apache against Active Directory, the users created earlier in the Windchill directory (i.e. the Site Administrator, a.k.a. "wcadmin") can no longer log in to Windchill. This issue can be addressed by enabling Apache's "password" file, which is consulted in addition to LDAP.
Execute the following command in a Windchill shell from the Apache load point folder to enable the password file:
ant -f webAppConfig.xml regenWebAppConf -DappName=<WebApp_Name> -DpwdFileEnabled=true -DpwdFilename=<Name_of_the_password_file>
After enabling the password file, execute the following command from the <Apache_Load_Point>/bin folder to add a user to it:
htpasswd <Path_to_the_password_file> wcadmin
Keep the password file outside the Apache document root and readable only by the account the Apache service runs as; anyone who can read it can attack the site administrator's password hash offline.
 
NOTE:
1. You can set the Search Base to the domain root (i.e. "DC=example,DC=com") if your users live in different containers or OUs. However, setting the Search Base to the root may result in poor performance, because every lookup then searches the whole tree.
2. In an Active Directory forest the "sAMAccountName" is only guaranteed to be unique within one domain, so the same value can exist in two domains of the forest.
In that case use the "userPrincipalName" instead. Its format is <sAMAccountName>@<the_domain_name> (the UPN suffix, normally the domain's DNS name), which makes the value unique across the domains of the forest.
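The rules above are easy to get wrong by hand, so the following Python script, added here as an example and not part of PTC's Windchill, the Apache tooling or the original article, checks them mechanically: it validates the comma-only adapter list, derives the reversed repository name, undoes the backslash escaping of an app-<app>.properties ldapUrl, parses the RFC 4516 LDAP URLs of an app-<app>-AuthProvider.xml (port 389 versus 3268, clear-text ldap://, sAMAccountName as the mapped attribute), and applies NOTE 2 to a set of directory entries to show where sAMAccountName collides while userPrincipalName does not. All function names are this example's own, the least-privilege warning on a CN=Administrator bind DN is the example's heuristic rather than an article rule, and the XML and directory entries at the bottom are constructed sample inputs (the AD provider is deliberately left on port 389 with the Administrator bind so that the checks fire).

```python
"""Pre-flight checks for the Windchill / Active Directory settings above.
Added example written for this page, not PTC or Apache code: it parses the
fragments the article configures and reports the mistakes the article warns
about. The sample inputs at the bottom are constructed from the article's values."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, unquote

GC_PORTS = {3268, 3269}  # Global Catalog: plaintext LDAP / LDAP over TLS


def check_adapter_list(value):
    """Split wt.federation.org.directoryServices; only commas may separate adapters."""
    problems = []
    if re.search(r"\s", value):
        problems.append("whitespace in adapter list (commas only, no spaces or tabs)")
    adapters = [a.strip() for a in value.split(",")]
    if "" in adapters:
        problems.append("empty adapter entry (doubled or trailing comma)")
    return adapters, problems


def repository_name_for(adapter):
    """Task Delegate repository name = adapter name with its dotted parts reversed."""
    return ".".join(reversed(adapter.split(".")))


def unescape_properties_value(raw):
    """Undo the backslash escaping app-<app>.properties needs for ':' and '='.
    Returns (clean_value, escaping_ok); escaping_ok is False if any ':' or '='
    in the raw value was left unescaped."""
    escaping_ok = re.search(r"(?<!\\)[:=]", raw) is None
    return re.sub(r"\\([:=])", r"\1", raw), escaping_ok


def check_ldap_url(url, bind_dn=None):
    """Parse an RFC 4516 URL (ldap://host:port/base?attrs?scope?filter) and flag the
    AD pitfalls the article describes (the Administrator check is this example's own)."""
    p = urlsplit(url)
    port = p.port or (636 if p.scheme == "ldaps" else 389)
    base = unquote(p.path.lstrip("/"))
    fields = p.query.split("?") if p.query else []
    attrs = fields[0] if fields else ""
    scope = fields[1].lower() if len(fields) > 1 and fields[1] else "base"
    filt = fields[2] if len(fields) > 2 and fields[2] else "(objectClass=*)"
    problems = []
    if p.scheme == "ldap":
        problems.append("ldap:// sends the bind DN and password in clear text")
    if "dc=" in base.lower() and port not in GC_PORTS:  # DC= marks an AD naming context
        problems.append(f"port {port} searches one domain partition; use 3268 (3269 for TLS)")
    if "sAMAccountName" in attrs.split(","):
        problems.append("sAMAccountName is unique per domain only; NOTE 2 suggests userPrincipalName")
    if bind_dn and bind_dn.lower().startswith("cn=administrator,"):
        problems.append("binds as the domain Administrator; a dedicated read-only account suffices")
    return {"host": p.hostname, "port": port, "base": base, "attrs": attrs,
            "scope": scope, "filter": filt, "problems": problems}


def check_auth_provider_xml(xml_text):
    """Run check_ldap_url over every <provider> in app-<app>-AuthProvider.xml."""
    root = ET.fromstring(xml_text)
    return {prov.findtext("name"): check_ldap_url(prov.findtext("ldapUrl"), prov.findtext("bindDn"))
            for prov in root.findall("provider")}


def find_id_collisions(entries, attr):
    """NOTE 2: group directory entries by a candidate uniqueIdAttribute and return
    the values carried by more than one entry (those break the user mapping)."""
    seen = {}
    for entry in entries:
        seen.setdefault(entry[attr], []).append(entry["dn"])
    return {value: dns for value, dns in seen.items() if len(dns) > 1}


# Constructed samples. The AD provider deliberately keeps port 389 and the
# Administrator bind from the Apache 2.0.x example so that the checks fire.
SAMPLE_XML = """<providers enableNTLM="false">
  <provider>
    <name>Windchill-ldap</name>
    <ldapUrl>ldap://windchillhost.example.com/ou=people,cn=Windchill,cn=Application%20Services,o=example</ldapUrl>
  </provider>
  <provider>
    <name>Windchill-EnterpriseLdap</name>
    <ldapUrl>ldap://activedirectoryhost.example.com:389/CN=Users,DC=example,DC=com?sAMAccountName?sub?(objectClass=*)</ldapUrl>
    <bindDn>CN=Administrator,CN=Users,DC=example,DC=com</bindDn>
    <bindPwd>placeholder</bindPwd>
  </provider>
</providers>"""
SAMPLE_ENTRIES = [  # two domains of one forest: same sAMAccountName, distinct UPN
    {"dn": "CN=Jane Doe,CN=Users,DC=example,DC=com", "sAMAccountName": "jdoe",
     "userPrincipalName": "jdoe@example.com"},
    {"dn": "CN=John Doe,CN=Users,DC=corp,DC=example,DC=com", "sAMAccountName": "jdoe",
     "userPrincipalName": "jdoe@corp.example.com"},
]

if __name__ == "__main__":
    for name, result in check_auth_provider_xml(SAMPLE_XML).items():
        print(name, result["port"], result["base"], result["problems"])
    print(find_id_collisions(SAMPLE_ENTRIES, "sAMAccountName"))
```

Run it on its own to see the report for the constructed samples, or pass check_auth_provider_xml the text of your real AuthProvider.xml and check_adapter_list the value from wt.properties. Each provider's result carries the host, port, base DN, attributes, scope and filter that were parsed plus the list of problems found, so a clean configuration shows an empty problems list for every provider before you run regenWebAppConf.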