Description
This article describes how to configure Windchill with Active Directory. Please see the "Additional Information" section for detailed instructions.
Additional Information
Create a JNDI adapter using the Info*Engine administrator. A typical name is <domainname_reversed>.EnterpriseLdap, i.e. com.example.EnterpriseLdap.
Almost always you would want to use 3268 for the port when configuring Windchill with Active Directory, rather than the default LDAP port (i.e. port 389).
If you bind to port 389 (even if you bind to a Global Catalog server) your search includes a single domain directory partition.
If you bind to port 3268, your search includes all directory partitions in the forest. Subtree search seems to work better with 3268.
The following Microsoft TechNet article explains how global catalog works:
http://technet2.microsoft.com/WindowsServer/en/library/440e44ab-ea05-4bd8-a68c-12cf8fb1af501033.mspx?mfr=true
There can be other serious issues if Windchill is configured with Active Directory using the default 389 port.
Please see TPI 132744 (https://www.ptc.com/appserver/cs/view/solution.jsp?n=132744) for details.
A typical configuration looks like this:
Service Name: com.example.EnterpriseLdap
Runtime Service Name: com.example.EnterpriseLdap
Service Class: com.infoengine.jndi.JNDIAdapterImpl
Host: (leave it blank)
Port: (leave it blank)
Provider Url: ldap://activedirectoryhost.example.com:3268
Directory System Agent User: CN=Bind User,CN=Users,DC=example,DC=com
Directory System Agent Credentials: <Password_for_Bind_User>
Search Base: CN=Users,DC=example,DC=com <Please see NOTE 1 for more information>
LDAP Search Scope: SUBTREE
Additional Properties:
com.example.EnterpriseLdap.windchill.mapping.user.objectClass:user
com.example.EnterpriseLdap.windchill.mapping.usersOrganizationName:<Windchill_Organization_Name> <This property works on M030 and up>
com.example.EnterpriseLdap.windchill.mapping.user.uid:sAMAccountName <Please see NOTE 2 for more information>
com.example.EnterpriseLdap.windchill.mapping.user.uniqueIdAttribute:sAMAccountName <Please see NOTE 2 for more information>
Append the JNDI adapter name to "wt.federation.org.directoryServices" property. For example:
wt.federation.org.directoryServices=$(wt.federation.org.defaultAdapter),com.example.EnterpriseLdap
Please make sure that all adapters are separated by commas only; the value must not contain space or tab characters.
Now create a "Repository" using the Task Delegate Administrator:
. Open "Task Delegate Administrator" by going to "Site>Utilities>Info*Engine Administrator>Task Delegate Administrator" and click "Manage Repository".
. The repository name must be the adapter name backwards. For example: EnterpriseLdap.example.com
. The repository type must be com.ptc.windchill-ldap.
. The repository Webject and Task Processors should be the same as the out of the box LDAP adapter's (the one for Aphelion). For example:
Webject Processor: com.example.<Windchill_Host_Name>.Windchill
Task Processor: com.example.<Windchill_Host_Name>.Windchill
A quick test at this point is to restart Windchill and open the Principal Administrator. A search for users, for example, displays ADS users if the setup is correct.
If you use Apache as the Web Server then you have to configure its authentication properties to point to Active Directory.
For Apache 2.0.XX, edit the <Apache_Load_Point>/conf/app-<replace_your_app_name>.properties file (i.e. "<Apache_Load_Point>/conf/app-Windchill.properties") as follows:
(Be sure to escape with backslash "\" all colons ":" and equal signs "=")
apacheWebApp.ldapUrl=ldap\://activedirectoryhost.example.com\:3268/DC\=example,DC\=com?sAMAccountName?sub?(objectClass\=*) <Please see NOTE 2 for more information>
apacheWebApp.bindDn=CN\=Administrator,CN\=Users,DC\=example,DC\=com
apacheWebApp.bindPwd=<password_for_Administrator>
apacheWebApp.anonBind=false
For Apache 2.2.XX, edit <Apache_Load_Point>/conf/extra/app-<replace_your_app_name>-AuthProvider.xml (i.e. "<Apache_Load_Point>/conf/extra/app-Windchill-AuthProvider.xml") as follows:
<?xml version="1.0" encoding="UTF-8"?>
<!--Web App Auth Providers List-->
<providers enableNTLM="false">
  <provider>
    <name>Windchill-ldap</name>
    <ldapUrl>ldap://windchillhost.example.com/ou=people,cn=Windchill,cn=Application%20Services,o=example</ldapUrl>
  </provider>
  <provider>
    <name>Windchill-EnterpriseLdap</name>
    <ldapUrl>ldap://activedirectoryhost.example.com:3268/CN=Users,DC=example,DC=com?sAMAccountName?sub?(objectClass=*)</ldapUrl>
    <bindDn>CN=Bind User,CN=Users,DC=example,DC=com</bindDn>
    <bindPwd><Password_for_Bind_User></bindPwd>
  </provider>
</providers>
To propagate these properties into .conf files, execute the following command in a Windchill shell and from the Apache load point folder:
ant -f webAppConfig.xml regenWebAppConf
Apache 2.0.XX can only bind to one LDAP server. Once you configure Apache with Active Directory, the users created earlier (i.e. the Site Admin, a.k.a. "wcadmin") will no longer be able to log in to Windchill. This issue can be addressed by enabling Apache's "password" file.
Execute the following command in a Windchill shell and from the Apache load point folder to enable Apache's "password" file:
ant -f webAppConfig.xml regenWebAppConf -DappName=<WebApp_Name> -DpwdFileEnabled=true -DpwdFilename=<Name_of_the_password_file>
After enabling the password file, execute the following command from the <Apache_Load_Point>/bin folder to add a user to the password file:
htpasswd <Path_to_the_password_file> wcadmin
NOTE:
1. You can set the Search Base to the root (i.e. "DC=example,DC=com") if you have users in different nodes. However, setting the Search Base to the root might result in poor performance.
2. If you have an Active Directory forest then the "sAMAccountName" might not be unique across different Active Directory domains.
In that case please use the "userPrincipalName". The format of the "userPrincipalName" is <sAMAccountName>@<the_domain_name>, which guarantees that "userPrincipalName" is unique across different domains.
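A small lint for the settings described above, as an added example that is not part of the original article or of PTC's tooling: it parses the backslash-escaped property lines and flags the port, uid-attribute and adapter-list issues the text and notes raise, plus cleartext ldap:// and a privileged bind account. The sample input, the function names and the finding codes are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on the property lines shown in this article.
SAMPLE = r"""
apacheWebApp.ldapUrl=ldap\://activedirectoryhost.example.com\:389/DC\=example,DC\=com?sAMAccountName?sub?(objectClass\=*)
apacheWebApp.bindDn=CN\=Administrator,CN\=Users,DC\=example,DC\=com
apacheWebApp.anonBind=false
wt.federation.org.directoryServices=$(wt.federation.org.defaultAdapter), com.example.EnterpriseLdap
"""

def parse_properties(text):
    """Parse key=value lines and undo the backslash escaping of ':' and '='."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s*((?:\\.|[^\\=:\s])+)\s*[=:]\s*(.*)", line)
        if m and not line.lstrip().startswith(("#", "!")):
            key, value = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            props[key] = value
    return props

def lint(props):
    """Return (code, explanation) findings; the codes are names made up for this example."""
    out = []
    url = urlsplit(props.get("apacheWebApp.ldapUrl", ""))
    port = url.port or {"ldap": 389, "ldaps": 636}.get(url.scheme)
    uid_attr = url.query.split("?")[0].lower()
    if url.scheme == "ldap":  # Global Catalog over TLS is ldaps:// on port 3269
        out.append(("cleartext-ldap", "bind and user passwords cross the network unencrypted"))
    if port in (389, 636):
        out.append(("single-domain-port", "search covers one domain partition, not the forest"))
    if port in (3268, 3269) and uid_attr == "samaccountname":
        out.append(("uid-not-forest-unique", "NOTE 2: consider userPrincipalName"))
    rdn = props.get("apacheWebApp.bindDn", "").split(",")[0].strip().lower()
    if rdn == "cn=administrator":
        out.append(("privileged-bind-account", "use a dedicated low-privilege bind user"))
    if props.get("apacheWebApp.anonBind", "false").strip().lower() == "true":
        out.append(("anonymous-bind", "directory is searched without authentication"))
    if re.search(r"\s", props.get("wt.federation.org.directoryServices", "")):
        out.append(("adapter-list-whitespace", "separate adapters with commas only"))
    return out

if __name__ == "__main__":
    for code, why in lint(parse_properties(SAMPLE)):
        print(f"{code}: {why}")
```

Run it against a copy of app-Windchill.properties with the wt.federation.org.directoryServices line appended; the "<Please see NOTE ...>" annotations shown in the article are not part of the real file and should not be present.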