- 浏览: 120587 次
- 性别:
- 来自: 武汉
最新评论
Description
This TPI addresses Aphelion vulnerabilities for disallowing anonymous Aphelion LDAP access. The access control on Aphelion LDAP directory can be set with various ways. For additional detail, please refer to Access control section in the Aphelion Admin Guide. Starting with a functional working Windchill solution with Apache and Aphelion LDAP installed. In the example below two users are defined, one user can read/write in the directory i.e aphelionadmin and other one has only read access i.e. windchilluser. When the directory is accessed on behalf of the Windchill system or as an Administrator the write user is used. Otherwise, the read only user is used.
Resolution
For Windchill 7.0 solutions see Additional Information below.
For Windchill 8.0 solutions refer to the section "Restricting Access to Aphelion" found in the Info*Engine Installation and Configuration Guide.
For Windchill 8.0 solutions refer to the section "Restricting Access to Aphelion" found in the Info*Engine Installation and Configuration Guide.
Additional Information
The following are the main steps:
Step 1-> Use the Windchill Principal Administrator to define two users or use the LDAP Browser to
define two users. Create users:
Here mymachine is the distinguished name and mycompany is machine name derived from network domain. These users must have a password defined in their entry. Here we are using passwd admin and user for ahelionadmin and windchilluser respectively.
Step 2-> Add the aphelionadmin user to the Administrators group with the Principal Administrator.
Step 3-> Modify <WT_HOME>/tasks/federation/MapCredentials.xml and add the users as shown in
the snippet below.
<ie:webject name="Create-Group" type="GRP">
</ie:webject>
Step 4 -> Add the windchilluser to Apache configuration. For this example, this allows apache to access the directory in read only mode. Please make changes to <Apache loadpoint>/conf/app-Windchill.properties file for following lines:
apacheWebApp.bindDn=uid\=windchilluser,ou\=people,cn\=mymachine,cn\=application services,o\=mycompany
apacheWebApp.anonBind=false
apacheWebApp.bindPwd=user
From a shell, from the <Apache loadpoint> run:
ant -f webAppConfig.xml regenAllWebApps to regenerate the app-Windchill-Auth.conf file.
This will set the user and password that Apache uses to bind to the directory to search for users during authentication.
Step 5-> Change the properties ie.ldap.managerDn and ie.ldap.managerPw in the site.xconf file and propagate the changes. ie.ldap.managerDn should be set to the user with write permision. Using command:
Step 6 -> Make following changes in <Aphelion>\usr\var\lde\PTCLdap\PTCLdap_lde.conf to set access control for Aphelion Directory. (For UNIX, this path is /opt/lde/var/PTCLdap/PTCLdap_lde.conf)
a. Comment following line to allow anonymous access
#anonymous_access_allowed on
b. Uncomment line below
anonymous_access_allowed false
For disallowing access to config, monitor, and schema, uncomment following lines.
access to dn=config by * none
access to dn=.*,cn=monitor by * none
access to dn=schema by * none
access to dn=config by dn=cn=Manager write
access to dn=.*,cn=monitor by dn=cn=Manager write
access to dn=schema by dn=cn=Manager write
c. Change the following line to reflect the specific distinguished name (for example, aphelionadmin) that you want to use for write access:
access to dn=.*cn=Application Services,o=mycompany" by "dn=uid=aphelionadmin,ou=people,cn=mymachine,cn=application services,o=mycompany" write
d. Change the following line to reflect the specific distinguished name (for example, windchilluser) that you want to use for read access:
access to "dn=.*cn=mymachine,cn=application services,o=mycompany" by "dn=uid=windchilluser,ou=people,cn=mymachine,cn=Application Services,o=mycompany" read
After making the changes restart Apache, Aphelion, and Windchill. To verify, login to LDAP browser using "Anonymous bind" checked, the login should fail. Only the user with valid access right will be allowed to login. This disallows anonymous access to the directory.
Step 1-> Use the Windchill Principal Administrator to define two users or use the LDAP Browser to
define two users. Create users:
uid=aphelionadmin,ou=people,cn=mymachine,cn=application services,o=mycompany and uid=windchilluser,ou=people,cn= mymachine,cn=application services,o=mycompany
Here mymachine is the distinguished name and mycompany is machine name derived from network domain. These users must have a password defined in their entry. Here we are using passwd admin and user for ahelionadmin and windchilluser respectively.
Step 2-> Add the aphelionadmin user to the Administrators group with the Principal Administrator.
Step 3-> Modify <WT_HOME>/tasks/federation/MapCredentials.xml and add the users as shown in
the snippet below.
<ie:webject name="Create-Group" type="GRP">
<% if ( isAdmin ) { %> <!------------------------------------------------------------------ Create a credentials map for users with administrative privileges ------------------------------------------------------------------> <ie:param name="element" data="INSTANCE=com.ptc.ptcnet.Ldap:DBUSER=uid=aphelionadmin,ou=people,cn=mymach ine,cn=application services,o=mycompany:PASSWD=admin"/> <!------------------------------------------------------------------ PendingUserAdapter ------------------------------------------------------------------> <ie:param name="element" data="INSTANCE=com.ptc.ptcnet.Ldap-pending:DBUSER=uid=aphelionadmin,ou=people,c n=mymachine,cn=application services,o=mycompany:PASSWD=admin"/> <!------------------------------------------------------------------ ------------------------------------------------------------------> <% } else { %> <!------------------------------------------------------------------ Create a credentials map for non-privileged users ------------------------------------------------------------------> <ie:param name="element" data="INSTANCE=com.ptc.ptcnet.Ldap:DBUSER=uid=windchilluser,ou=people,cn=mymach ine,cn=application services,o=mycompany:PASSWD=user"/> <% } %>
<ie:param name="delimiter" data=":"/> <ie:param name="group_out" data="map"/>
</ie:webject>
Step 4 -> Add the windchilluser to Apache configuration. For this example, this allows apache to access the directory in read only mode. Please make changes to <Apache loadpoint>/conf/app-Windchill.properties file for following lines:
apacheWebApp.bindDn=uid\=windchilluser,ou\=people,cn\=mymachine,cn\=application services,o\=mycompany
apacheWebApp.anonBind=false
apacheWebApp.bindPwd=user
From a shell, from the <Apache loadpoint> run:
ant -f webAppConfig.xml regenAllWebApps to regenerate the app-Windchill-Auth.conf file.
This will set the user and password that Apache uses to bind to the directory to search for users during authentication.
Step 5-> Change the properties ie.ldap.managerDn and ie.ldap.managerPw in the site.xconf file and propagate the changes. ie.ldap.managerDn should be set to the user with write permision. Using command:
xconfmanager -t "codebase/WEB-INF/ieStructProperties.txt" -s "ie.ldap.managerDn=uid= aphelionadmin,ou=people,cn=mymachine,cn=application services,o=mycompany" -s "ie.ld ap.managerPw=admin" -p
Step 6 -> Make following changes in <Aphelion>\usr\var\lde\PTCLdap\PTCLdap_lde.conf to set access control for Aphelion Directory. (For UNIX, this path is /opt/lde/var/PTCLdap/PTCLdap_lde.conf)
a. Comment following line to allow anonymous access
#anonymous_access_allowed on
b. Uncomment line below
anonymous_access_allowed false
For disallowing access to config, monitor, and schema, uncomment following lines.
access to dn=config by * none
access to dn=.*,cn=monitor by * none
access to dn=schema by * none
access to dn=config by dn=cn=Manager write
access to dn=.*,cn=monitor by dn=cn=Manager write
access to dn=schema by dn=cn=Manager write
c. Change the following line to reflect the specific distinguished name (for example, aphelionadmin) that you want to use for write access:
access to dn=.*cn=Application Services,o=mycompany" by "dn=uid=aphelionadmin,ou=people,cn=mymachine,cn=application services,o=mycompany" write
d. Change the following line to reflect the specific distinguished name (for example, windchilluser) that you want to use for read access:
access to "dn=.*cn=mymachine,cn=application services,o=mycompany" by "dn=uid=windchilluser,ou=people,cn=mymachine,cn=Application Services,o=mycompany" read
After making the changes restart Apache, Aphelion, and Windchill. To verify, login to LDAP browser using "Anonymous bind" checked, the login should fail. Only the user with valid access right will be allowed to login. This disallows anonymous access to the directory.
发表评论
-
How to deactivate a user in Windchill?
2012-10-17 22:09 1012Introduction Procedure base ... -
How to shorten display time for the inline message in Windchill 10.0
2012-09-03 00:24 1220标题 How to shorten display ... -
How to perform SaveAs on WTPart using API in Windchill PDMLink 10.0
2012-04-05 18:38 1555标题 How to perform SaveAs ... -
Manual Installation Steps For Archive Client Installation on Red Hat Linux 4.0
2012-03-31 19:18 1002On Red hat Linus 4.0 (64-Bit), ... -
Windchill单点登录方案
2012-03-31 00:20 3162Windchill SSO 单点登录 可下载附件查看。 ... -
如何在Windchill PDMLink 9.1设定多个Background Method Server去执行特定的工作流
2012-03-31 00:17 2687标题 如何在Windchill PDMLink 9.1 ... -
通过IE8访问Windchill PDMLink 10.0,出现警告提示"Windchill 只支持标准模式下的浏览器".
2012-03-31 00:15 3071标题 通过IE8访问Windchill PDMLink ... -
JSP Authentication with the Method Server
2012-02-07 20:31 3092During development for a cus ... -
Solution for searching the latest revision object
2012-02-01 11:44 1039// Implement your query ... -
Solution for search object with IBA Attribute
2012-02-01 11:39 1498QuerySpec qs = new Quer ... -
Required Ports for Windchill
2011-10-29 18:53 1076Windchill utilizes multiple por ... -
[WIP] How to see the document creator full name instead of the login name in DTI
2011-09-07 14:23 873标题 [WIP] How to see the doc ... -
Windchill Project Daily Build
2011-08-26 22:54 707下载软件: ant svnant sliksvn htt ... -
How to set schedule for Synchronization from Replica to Master?
2011-08-23 10:17 1107To do this, please follow these ... -
copy user from team administrator to workflow team.
2011-07-16 12:14 1666The code can be used directly i ... -
MethodServer Exits Prematurely With the Error *com.ptc.windchill.upgrade.history
2011-06-11 23:39 2922Description ---------------- ... -
从Aphelion迁移至WindchillDS
2011-06-11 23:00 948假设: 1. Aphelion ... -
How to Configure Windchill with Active Directory
2011-06-09 22:28 3799说明 This article describe ... -
Taking the Windchill System Offline
2011-06-09 22:20 1216Description This documen ... -
浅谈基于Info*Engine的Windchill系统集成应用
2011-06-09 21:04 3517...
相关推荐
Before that time, the previous security framework provided a way to allow or disallow access to resources based on what code was executing. For example, a class loaded from another location on the ...
disallow access to resources based on what code was executing. For example, a class loaded from another location on the Internet would have been considered less trustworthy and disallowed access to ...
# This file is to prevent the crawling and indexing of certain parts # of your site by web crawlers and spiders run by sites like Yahoo! # and Google. By telling these "robots" where not to go on your...
How can we use a class Foo in a header file without access to its definition? We can declare data members of type Foo* or Foo&. We can declare (but not define) functions with arguments, and/or ...
`robots.txt`文件由几行简单的指令组成,主要包括两部分:`User-agent` 和 `Disallow`。 1. **User-agent**: 指定该指令适用于哪个或哪些用户代理(即搜索引擎的爬虫)。如果使用星号(*)作为`User-agent`,则表示该...
know how to access names in templatized base classes. 条款44:将与参数无关的代码抽离templates factor parameter-independent code out of templates. 条款45:运用成员函数模板接受所有兼容类型 use member ...
Describe the different types of indexes and how indexes can be used to improve performance. Describe what statistics are used for and how they can help in optimizing query performance. ...
WordPress博客的robots.txt文件写法得根据自身网站情况来定,当然...Disallow: /wp- Disallow: /? Disallow: /feed/ Disallow: /*/feed/ Disallow: /trackback/ Disallow: /*/trackback/ Disallow: /page/ Disallow:
安装npm install disallow-new 用法 import disallowNew from 'disallow-new' ;function MyFactory ( ) { // [SNIP]}export default disallowNew ( MyFactory ) ; 别处: let a = new MyFactory ( ) ; // Errors! ...
Disallow: /admin/ Disallow: /api/ Disallow: /callback/ Disallow: /common/ Disallow: /core/ Disallow: /install/ Disallow: /login/ Disallow: /manage/ Disallow: /public/ Disallow: /sdks/ Disallow: /...
(had to disallow the use of the mklink command as it is not stable) April 2011: - fixed default visibility switch - added generic response functions 1/5/10nm - minor bug fixes February 2011: - ...
响应式海运空运国际货运物 User-agent: * Disallow: /plus/ad_js.php Disallow: /plus/advancedsearch.php Disallow: /plus/car.php Disallow: /plus/carbuyaction.php Disallow: /plus/shops_...Disallow: /templets
Remove test database and access to it? [Y/n] y Reload privilege tables now? [Y/n] y 五、添加端口 在配置 MySQL 完成后,我们需要添加端口,以便远程连接 MySQL。我们可以使用以下命令添加端口: vi /etc/my...
`robots.txt` 文件的格式非常简单,主要包括两个关键字:`User-agent` 和 `Disallow`。 - **User-agent**: 指定该规则适用于哪个或哪些爬虫。例如,`User-agent: *` 表示对所有爬虫生效;`User-agent: baidu` 表示...
Remove test database and access to it? [Y/n] y # 刷新权限表 Reload privilege tables now? [Y/n] y ``` 根据提示完成上述步骤,可以确保数据库的安全性得到基本保障。 #### 第五步:关闭SELinux SELinux...
--no-cache disallow server-cached data. -E, --html-extension save HTML documents with `.html' extension. --ignore-length ignore `Content-Length' header field. --header=STRING insert STRING ...
* Disallow programs from running * Process logging * System responsiveness graph * Stand-alone core engine * Available in x86-32 and x86-64 builds * Much more... # Graphical Interface Features Easily...
- `Disallow: /admin/` 表示禁止访问 `/admin/` 目录及其子目录。 - `Disallow: /abc.html` 表示禁止访问 `abc.html` 这个具体文件。 - **Allow**:允许访问的路径。例如: - `Allow: /images/` 表示允许访问 `/...
eslint-plugin-disallow方法 ESLint插件,用于禁止指定方法 用法 此插件要求还安装ESLint。 在安装了ESLint和此插件的情况下,您将需要启用该插件并配置不允许使用的方法。 安装 如果尚未安装ESLint,请执行以下操作...
Remove test database and access to it? [Y/n] Y Reload privilege tables now? [Y/n] Y ``` 完成这些步骤后,您的MariaDB数据库将更加安全。 ##### 5. 登录数据库 最后一步是使用root用户登录到MariaDB数据库。...