Active Directory Setup for

Windchill 9.1

Ajay Valvi
[email protected]

Document Properties
File Name

Status

261498586.doc

Released

Change History
Date

Author

Version

Change Reference

OCT/08/2009

Ajay Valvi

0.1

Draft

NOV/30/2009

Ajay Valvi

1.0

Released

Accepted By
Accepted By:

Approval Date

Hemant Shadra

NOV/30/2009

Comments

CONFIDENTIAL - PTC PROPRIETARY

261498586.doc

Last printed Jul/01/2009

Page 2 of 22

Table of Content
1.

Introduction-----------------------------------------------------------------4

2.

Assumptions-----------------------------------------------------------------4

3.

Understanding Windchill and LDAP Directory Service-------------4

4.

Enabling Active Directory Integration with Windchill--------------5

4.1. Required Inputs from Active Directory---------------------------------------------5

5.

Enabling Active Directory Integration during New Installation---7

5.1.2. Specifying user organization-----------------------------------------------------------9
5.1.3. Testing the configuration--------------------------------------------------------------10

6.

Enabling Active Directory Integration for Existing Windchill

Instance--------------------------------------------------------------------11
6.1. Connecting to Active Directory-----------------------------------------------------11
6.1.1. Updating EnterpriseLDAP Adapter to connect to Active Directory--------------11
6.1.2. Configuring Apache to connect to EnterpriseLDAP--------------------------------14
6.1.3. Setting authentication in MapCredentials.xml file--------------------------------14

6.2. Retargeting Users----------------------------------------------------------------------14

6.2.1. Retargeting procedure-----------------------------------------------------------------16

Appendix------------------------------------------------------------------------19
Sample Summary.htm File-------------------------------------------------------------------19
Sample app-Windchill-AuthProvider.xml file--------------------------------------------20
Sample mapCredentials.txt file-------------------------------------------------------------20
LDAP Browser login sequence---------------------------------------------------------------21

External References----------------------------------------------------------22

CONFIDENTIAL - PTC PROPRIETARY

261498586.doc

Last printed Jul/01/2009

Page 3 of 22

1. Introduction
The purpose of this document is to provide information to the consultant about the specific
configuration involved to set up an Active Directory Integration with Windchill 9.1.
Active directory can be integrated with a Windchill instance during a new installation or with an
existing Windchill Instance. When an existing instance of Windchill is integrated with an existing
instance of Active Directory, the users from Aphelion must be retargeted to the Active Directory
such that Windchill maintains to use the Active Directory references.
This document covers the following topics:

Enabling Active Directory Integration for a New Windchill Instance

Enabling Active Directory Integration for an Existing Windchill Instance

Retargeting Users

This document should be used as a reference for configuring Active Directory integration with
Windchill 9.1; however, it is imperative that the consultant refers to the Configuring Additional
Enterprise Directories section from the Windchill Installation and Configuration Guide - Advanced.
It is strongly recommended that any of these techniques be tested, repeatedly, in a controlled test
environment to insure that they are functioning as desired before executing them in a production.

2. Assumptions
This document introduces you to the required steps for configuring Active Directory integration with
Windchill 9.1.

This document assumes that the consultant has a good understanding of Windchill System
Administration and a basic understanding of LDAP structure and Active Directory.

It is strongly recommended that before performing any of the modifications to the Aphelion LDAP or
database, the consultant should contact tech support for more direct assistance and guidance in
their efforts with the LDAP.

3. Understanding Windchill and LDAP Directory Service

Windchill utilizes an LDAP directory service or multiple LDAP directory services for two purposes:

Provide user and group administration.

Store application-specific configuration information to Windchill.

PTC bundles an LDAP directory service with Windchill. The LDAP that is bundled can be leveraged
for both purposes or solely for managing the application-specific information. Windchill has no
specific limitation as to the number of LDAP instances that are integrated with Windchill for user
and group administration.
Note
Windchill 9.1 M030 introduces new LDAP Directory Server Option (Windchill DS powered by
OpenDS Technology), an alternative to Aphelion directory server. Windchill releases before 9.1
M030 used Aphelion as a part of the bundled LDAP directory service. The steps mentioned in this
document are applicable to all releases of Windchill 9.0 and 9.1

CONFIDENTIAL - PTC PROPRIETARY

261498586.doc

Last printed Jul/01/2009

Page 4 of 22

Various configurations have been utilized to satisfy a variety of customers requirements. One such
requirement is to integrate Windchill with an already existing Active Directory Server (ADS) for both
authentication and account management.
If the customer is already using Active Directory Server (ADS) as enterprise LDAP service,
Windchill can be integrated with ADS such that the user information is maintained in the existing
ADS directory. Windchill can query entries in ADS using a JNDI adapter.
An Active Directory integration with Windchill is a read-only configuration. Therefore, Windchill
cannot create, modify, or delete entries in an ADS directory. This means Windchill cannot be used
to administer user information in ADS (standard Microsoft administration tools must be used
instead). Windchill must have the ability to update group information and organization information;
therefore, these must be stored in Aphelion that provides full access to Windchill, not ADS. As a
result, in this scenario you would maintain two different LDAP directories, one to maintain groups
and the other for Users in support of Windchill.
When considering Active Directory integration with Windchill, it is implied that the Groups are
stored in Aphelion and Users are maintained in the Active Directory.
In PDMLINK 8.0, during the configuration a new custom adapter has to be created for LDAP
integration. But in PDMLINK 9.0 and later versions, we dont have to create any new adapter or
repository; we can use the existing adapter that is created OOTB (for example
com.example.EnterpriseLdap).
The EnterpriseLdap adapter is defined such that it enables a site to easily connect to an existing
Corporate LDAP to allow existing corporate users to be validated for Windchill use.
Active directory can be integrated with a Windchill instance during a new installation or to an
existing Windchill Instance. Both the methods have been explained later in this document.

4. Enabling Active Directory Integration with Windchill

While installing a new Windchill instance, the following three steps are required.

Connecting to Active Directory during installation

Specifying user organization (optional)

Editing JNDI entry to change search scope

4.1.

Required Inputs from Active Directory

Before starting with any installation or configuration activities, following is the minimum required
information that needs to be obtained to connect to an Active Directory.
Inputs from Active Directory

Enterprise Repository LDAP Server Host Name

Description

Host name to connect to the Microsoft Active Directory Service (ADS) Server

Example

seha074.ptcnet.ptc.com

Search Base or Base Distinguished Name for Enterprise Users

Description

The distinguished name of an LDAP subtree under which Enterprise LDAP entries reside.
Users and groups under this subtree will be visible to Windchill

Example

CN=Users,DC=example,DC=com

Enterprise Repository LDAP User Distinguished Name or Directory System Agent User
Description

The distinguished name of an existing ADS user

Example

CN= Bind User, CN=Users,DC=example,DC=com or user@domain

Enterprise Repository LDAP Password or Directory System Agent Credentials

CONFIDENTIAL - PTC PROPRIETARY

261498586.doc

Last printed Jul/01/2009

Page 5 of 22

Description

Enter the password of the specified user - <Password_for_Bind_User>

Enterprise Repository LDAP Server Port

Description

Port to bind to the Active Directory Server

Always use 3268 for the port when configuring Windchill with Active Directory, rather than
the default LDAP port (i.e. port 389). If you bind to port 389 (even if you bind to a Global
Catalog server) your search includes a single domain directory partition. If you bind to port
3268, your search includes all directory partitions in the forest. Subtree search seems to
work better with 3268.
Verify the port number with the Customers System Administrator

The following flowchart helps to visualize the steps involved in Active Directory Integration

CONFIDENTIAL - PTC PROPRIETARY

261498586.doc

Last printed Jul/01/2009

Page 6 of 22

5. Enabling Active Directory Integration during New

Installation
During installation, Active Directory specific information needs to be entered on various PSI pages.

5.1.1.1.

LDAP settings page

On the LDAP settings page, you must perform the following two settings:
1. Enter the Base Distinguished Name for Enterprise Users
o

You need to mention the distinguished name of the LDAP subtree, also called the search
base, in Active Directory where the users and groups reside.

For Example : CN=Users,DC=example,DC=com

You can set the Search Base to the root (i.e. "DC=example,DC=com") if you have users in
different nodes. However, setting the Search Base to the root might result in poor performance.

Note
For more information refer to the 'Entering Your LDAP Settings' section in the Windchill Installation
and Configuration Guide Advanced. Windchill 9.1

2. Select the Enable Separate Enterprise LDAP Server check box to enable it
o

On selecting this check box, the next screen displays JNDI Adapter Settings page to specify
the settings for the separate LDAP server.

CONFIDENTIAL - PTC PROPRIETARY

261498586.doc

Last printed Jul/01/2009

Page 7 of 22

Ensure the Enable Separate Enterprise LDAP Server check box is enabled else the next page
wont display the JNDI settings page.

5.1.1.2.

JNDI settings page

On the JNDI settings page, enter the following information:

1. Enter the fully qualified hostname of the Microsoft Active Directory Service (ADS) Server in the
Enterprise Repository LDAP Server Host Name text field.
3. Enter 3268 in the Enterprise Repository LDAP Server Port text field.
o

When configuring Windchill with Active Directory, always use 3268 for the port rather than the
default LDAP port (i.e. port 389).

4. Select the Bind as User radio button for LDAP Connection type.
5. Enter the distinguished name of an existing ADS user in the Enterprise Repository LDAP User
Distinguished Name text field.
o

For Example : CN= Bind User, CN=Users,DC=example,DC=com

6. Enter the password for the specified user in the Enterprise Repository LDAP Password text
field.
7. Select the Groups check box, and ensure that the Users check box is enabled as well.
8. Select the Active Directory Service (ADS) radio button as LDAP service.

5.1.1.3.

Core Product Settings page

On the Core Product Settings page, select the Administrative radio button option for Select the
Repository Where the Site Administrator is Stored setting. Since Windchill has Read Only access
to the Active Directory, the Windchill Administrator must be created in the Administrative LDAP.

CONFIDENTIAL - PTC PROPRIETARY

261498586.doc

Last printed Jul/01/2009

Page 8 of 22

5.1.2.

Specifying user organization

In order to assign an initial organization name to a user, the EnterpriseLDAP Adapter must be
modified to include an additional property. Add the usersOrganizationName custom property to set
the initial organization name for all users accessed through the EnterpriseLDAP Adapter.

Navigate to Info*Engine Administrator page from Site > Utilities > Info*Engine
Administrator.

Log on by entering cn=Manager and the appropriate password.

CONFIDENTIAL - PTC PROPRIETARY

261498586.doc

Last printed Jul/01/2009

Page 9 of 22

Select the JNDI adapter by the name com.<example>.EnterpriseLDAP to open the Property
Editor page.

Edit the Adapter to change the LDAP search scope and add an additional property
o

Select the drop down list for LDAP Search Scope and set it to SUBTREE.

Enter 'com.test.example.EnterpriseLdap.windchill.mapping.usersOrganizationName' in
the Property text field and '<OrganizationName>' in the Value text field and click the Add
button.This property associates an initial organization name to the user. Refer to the
"Setting the User Organization" section in the Windchill Installation and Configuration
Guide Advanced for more information about the need for setting this property

Click OK to complete the modification to the Adapter. Select OK again on the

confirmation window.

5.1.3.

Testing the configuration

Search and add Active Directory users and groups to various roles, such as Product Creators,
Members, Guests, etc., in test products and libraries.
Log on as new users and create products and documents to verify successful login and object
creation abilities.

CONFIDENTIAL - PTC PROPRIETARY

261498586.doc

Last printed Jul/01/2009

Page 10 of 22

6. Enabling Active Directory Integration for Existing

Windchill Instance
For an existing instance of Windchill, two aspects should be considered while adding an additional
Enterprise Directory:

First is connecting to a Corporate LDAP like Active Directory to Windchill so that one can add
users and groups from Active Directory to Windchill.

Second is to be able to retarget the existing users from Aphelion to the Active Directory so
that next time the users login they are maintained and authenticated against the Active
Directory

Before starting with any configuration activity, it is necessary that one reads through the
Retargeting Users section. Though the retargeting users is done after making the configuration
changes to connect to Active Directory, it is important to understand and analyze the effort and
complexities involved before starting the configuration changes.

6.1.

Connecting to Active Directory

Connecting to Active Directory involves the following three steps:

Update EnterpriseLDAP Adapter to connect to Active Directory.

Configure Apache to connect to EnterpriseLDAP.

Set Authentication in MapCredentials.xml file.

6.1.1.

Updating EnterpriseLDAP Adapter to connect to Active Directory

Before you start updating the EnterpriseLDAP, collect the required information as mentioned in the
Required Inputs from Active Directory section
1. Navigate to the Info*Engine Administrator page from Site > Utilities > Info*Engine
Administrator.
2. Log on by entering cn=Manager and the appropriate password.
3. Select the JNDI adapter by the name com.<example>.EnterpriseLDAP to open the Property
Editor page.
4. Edit the following Adapter properties settings.
JNDI Adapter Property

Value

Service Name

com.example.EnterpriseLdap

Runtime Service Name

com.example.EnterpriseLdap

Service Class

com.infoengine.jndi.JNDIAdapterImpl

Host , Port

Leave it Blank

Provider Url

ldap://activedirectoryhost.example.com:3268

Directory System Agent User

CN=Bind User,CN=Users,DC=example,DC=com

Directory System Agent Credentials

<Password_for_Bind_User>

Search Base

CN=Users,DC=example,DC=com

You can set the Search Base to the root (i.e. "DC=example,DC=com") if you have users in different nodes.
However, setting the Search Base to the root might result in poor performance.
LDAP Search Scope

SUBTREE

CONFIDENTIAL - PTC PROPRIETARY

261498586.doc

Last printed Jul/01/2009

Page 11 of 22

9. Add the following Adapter properties one by one in the Additional Properties section
Additional Properties

Value

com.test.example.EnterpriseLdap.windchill.config.doesNotContainGroups

true

com.test.example.EnterpriseLdap.windchill.config.directoryType

ADS

com.test.example.EnterpriseLdap.windchill.config.readOnly

true

com.test.example.EnterpriseLdap.windchill.mapping.group.description

description

*com.test.example.EnterpriseLdap.windchill.mapping.group.objectClass

group

*com.test.example.EnterpriseLdap.windchill.mapping.group.uniqueIdAttribute

**sAMAccountName

com.test.example.EnterpriseLdap.windchill.mapping.group.uniqueMember

member

*com.test.example.EnterpriseLdap.windchill.mapping.user.cn

cn

com.test.example.EnterpriseLdap.windchill.mapping.user.facsmileTelephoneNumber facsmileTelephoneNumber
*com.test.example.EnterpriseLdap.windchill.mapping.user.mail

mail

com.test.example.EnterpriseLdap.windchill.mapping.user.mobile

mobile

*com.test.example.EnterpriseLdap.windchill.mapping.user.o

company

*com.test.example.EnterpriseLdap.windchill.mapping.user.objectClass

user

com.test.example.EnterpriseLdap.windchill.mapping.user.postalAddress

postalAddress

com.test.example.EnterpriseLdap.windchill.mapping.user.preferredLanguage

preferredLanguage

com.test.example.EnterpriseLdap.windchill.mapping.user.sn

sn

com.test.example.EnterpriseLdap.windchill.mapping.user.telephoneNumber

telephoneNumber

*com.test.example.EnterpriseLdap.windchill.mapping.user.uid

**sAMAccountName

*com.test.example.EnterpriseLdap.windchill.mapping.user.uniqueIdAttribute

**sAMAccountName

CONFIDENTIAL - PTC PROPRIETARY

261498586.doc

Last printed Jul/01/2009

Page 12 of 22

com.test.example.EnterpriseLdap.windchill.mapping.user.userCertificate

userCertificate

*com.test.example.EnterpriseLdap.windchill.mapping.usersOrganizationName

<Windchill_Organization_Name>

The * marked properties are mandatory properties. The other properties may or may not be included.

**If you have an Active Directory forest then the sAMAccountName name might not be unique across different Active
Directory domains. In that case please use the userPrincipalName. The format of the userPrincipalName is
<sAMAccountName>@<the_domain_name> which guaranties userPrincipalName to be unique across all domains.

6.1.2.

Configuring Apache to connect to EnterpriseLDAP

Configure Apache Web Server such that it points to the Active Directory for authentication.

Execute the following command in a Windchill shell and from the Apache load point folder to
update the authentication properties:
CONFIDENTIAL - PTC PROPRIETARY

261498586.doc

Last printed Jul/01/2009

Page 13 of 22

ant -f webAppConfig.xml addAuthProvider -DappName=<Windchill_app_name>

-DproviderName=EnterpriseLdap -DldapUrl=" ldap://
actdirhost.test.com:3268/OU=ptc,DC=actdirhost,DC=test,DC=com?sAMAccountName?sub?
(objectClass=*)" -DbindDn="CN=BindUser,CN=Users,DC=actdirhost,DC=test,DC=com"
-DbindPwd="<Password_for_Bind_User>"

Note
The Ant command must be entered in a single line though it appears to be multiline command

To verify if the Ant script has updated the changes appropriately, refer to the sample file of the appWindchill-AuthProvider.xml in the Appendix to compare with and verify after making the Apache
Configuration Changes.

6.1.3.

Setting authentication in MapCredentials.xml file

The MapCredentials.xml file is used to specify the authentication access to a specific Info*Engine
adapter. If no parameters are added to the MapCredentials file, the default access to the enterprise
directory is anonymous. To access ADS, a proper Bind user must be specified.
Add the following two properties to the site.xconf and propagate the changes using the Windchill
shell.
Additional properties
<AddToProperty name="mapcredentials.admin.adapters"
value="com.ptc.ptcnet.Ldap-Pending^cn=Manager^ldappasswd"/>
<AddToProperty name="mapcredentials.admin.adapters"
value="com.ptc.ptcnet.EnterpriseLdap^CN=BindUser,CN=Users,DC=example,DC=com^<
Password_for_Bind_User>"/>

There are chances that these properties already exist. Ensure that the values for these properties
include the Bind User path and password.
To verify if the properties have been propagated appropriately, compare with the sample
mapCredentials.txt file in the Appendix.

6.2.

Retargeting Users

For customers who wish to manage users in Active Directory, retargeting existing users in Aphelion
to Active directory is the most common method for moving users. Retargeting users involves
changing the Windchill reference to a user from Aphelion to the corporate Active Directory.
This is either done in an effort to utilize a single sign on method or to reduce the administrative
overhead of maintaining users in multiple LDAPs.
There are a couple of significant relationships that a user has inside of the data found within
Windchill. All data records in Windchill are related to a WTUser, which has a relationship to a
specific entry in the database that maintains the users DN (Distinguished Name) and LDAP
adapter.
The DN of the user is also referenced in a multitude of Groups that are also found in the LDAP.
Moving users from Aphelion to an Active Directory will not include moving the Groups to the
corporate LDAP simply based on the volume of the groups that Windchill can create and their
relative insignificance to the entire organization. However, it is possible to select and add groups
managed in Active Directory in Windchill.
Retargeting users essentially involves changing the references of users in Windchill to the newly
connected Active Directory instead of Aphelion with the following condition:

CONFIDENTIAL - PTC PROPRIETARY

261498586.doc

Last printed Jul/01/2009

Page 14 of 22

The users in Aphelion already exist in Active Directory.

o If the users exist in Active Directory, they must have the same UID.

To retarget users, the above condition must be satisfied.

Out-of-the-box ADS does not have a uid attribute for user objects. Instead there are two attributes
that contain the user id (uid) information. The first is sAMAccountName, which is the uid itself. The
second is userPrincipalName, which is the uid with the domain appended (for example
[email protected]). In Aphelion or WindchillDS the UID corresponds to the username.
Before retargeting users to the corporate Active Directory, a few pre-migration steps need to be
performed to ensure that the data to which Windchill expects to have access to is readily available.
A detailed analysis of both the LDAPs must be done to find out any mismatch.

Do all of the users exist in the corporate LDAP?

o If some of them do not exist, create users in the Corporate Active directory.
o In some cases, most users may no longer be employed, which means such users do not

need to be retargeted.

Is the UID of the user in the corporate LDAP equivalent to the ID stored within Aphelion?
o If the ID is not the same, rename the user in Aphelion to match the entry in the Active

Directory LDAP first

Does the corporate LDAP use the same attributes as Aphelion?

o If not, the attributes must be mapped appropriately. This means when you configure the

JNDI adapter you must provide additional attribute-mapping properties to map the default
Windchill user and group attributes to the corresponding user and group and group
attributes used by your LDAP directory. Refer to the 'Mapping User and Group and Group
LDAP Values in an Existing Directory' section in the 'Windchill Installation and
Configuration Guide Advanced'.

Is the DN structure of the corporate LDAP such that you need multiple search base DNs to
search for all required users?
o It is possible that the customer may provide with multiple search base DNs for users within

its Active Directory. If the corporate LDAP is structured such that it has multiple DNs for
various users, a unique JNDI adapter will be required for each DN node. Refer to the
'Create JNDI Adapter Entry' and 'Create Repository Definition' sections to add additional
adapter in the 'Windchill Installation and Configuration Guide Advanced'

Are suppliers and external IDs stored in Aphelion?

o Investigate how suppliers are handled in the corporate LDAP. It is possible that suppliers

or external users are stored in a different LDAP server or may be a separate forest is
created for them. In such a case you may have to create a separate JNDI Adapter in order
to search for those users or you could still maintain them in the Aphelion or Windchill DS.
This document does not provide methods to troubleshoot or correct any discrepancies in the data if
the UIDs do not match. It is strongly recommended that before performing any of the modifications
to the Aphelion LDAP or database, the consultant should contact Technical support for more direct
assistance and guidance in their efforts with the LDAP.

6.2.1.

Retargeting procedure

This procedure involves disconnecting the user in Windchill by deleting it from Aphelion and then
connecting the disconnected user to the user in Active Directory. Another method is to replace the
DN info within the database with a new DN such that it points to Active Directory.

CONFIDENTIAL - PTC PROPRIETARY

261498586.doc

Last printed Jul/01/2009

Page 15 of 22

Before starting with the retargeting procedure:

Remember that the Administrator (wcadmin) user always stays in Aphelion.

Take Aphelion and Database backups to restore to the original state if necessary.

Ensure that no users are accessing Windchill during the retargeting procedure.

Ensure users being retargeted exist in Active Directory and have the same UID as in
Aphelion.

The following steps list down the method to retarget a Windchill User pat2. A similar method
should be used to retarget users either one by one or all at a time.

6.2.1.1.

Listing the entries in the database

Open Windchill Shell, navigate to <WT_HOME>/db/sql, and log onto sqlplus as a database user.

sqlplus <dbuser>/<dbpasswd>@<Windchill_db_name>

Note
The dbuser, dbpasswd and Windchill_db_name values can be found in the
<WT_Home>\db\db.properties wt.pom.dbUser, wt.pom.dbPassword & wt.pom.jdbc.service

Enter the following query to review the remoteobjectid values and review the returned results.

select remoteobjectid from remoteobjectid;

6.2.1.2.

Delete user from Aphelion or Windchill DS

Browse through the LDAPBrowser to locate and delete the required user to be retargeted.

CONFIDENTIAL - PTC PROPRIETARY

261498586.doc

Last printed Jul/01/2009

Page 16 of 22

6.2.1.3.

Replace user from the Principal Administrator page

Once the user has been deleted from the Aphelion, it becomes a disconnected principal in
Windchill. This user must be retargeted to the user in Active Directory.

Navigate to the Site > Utilities page and click the Principal Administrators link to open the
Principal Administrators page.

Click the Maintenance link to open the Disconnected Principals table.

Click the Search for Disconnected Principals icon.

The Find All Disconnected Principals page lists the deleted user.

Select the user and click OK.

Click the Edit Principal button to edit the disconnected principal address.

CONFIDENTIAL - PTC PROPRIETARY

261498586.doc

Last printed Jul/01/2009

Page 17 of 22

Search for the user by entering the username of the deleted user and clicking Search on the
Associate New User with Disconnected User page

The search returns the same user from Active Directory. Select the radio button against the
user and click OK.

On selecting OK, the user is removed from the Disconnected Principals table. The user is
now retargeted. Verify this by running the SQL query select remoteobjectid from
remoteobjectid; again. The results should show the new DN value.

CONFIDENTIAL - PTC PROPRIETARY

261498586.doc

Last printed Jul/01/2009

Page 18 of 22

Appendix
Sample Summary.htm File
Here is a sample file of the Summary.htm file extract for New Windchill Installation to compare with.

LDAP Settings
LDAP Server DNS Registered Host Name:
windchillhost.example.test.com
LDAP Port Number:
389
Administrator Distinguished Name:
cn=Manager
Administrator Password:
**********
Confirm Administrator Password:
**********
Base Distinguished Name for Product Properties:
cn=configuration,cn=Windchill_9.1,o=adplm
Base Distinguished Name for Administrative Users:
ou=people,cn=AdministrativeLdap, cn=Windchill_9.1,o=adplm
Base Distinguished Name for Enterprise Users:
CN=Users,DC=windchillhost,DC=example,DC=test,DC=com
Enable Separate Enterprise LDAP Server
Yes

JNDI Adapter Settings

Enterprise Repository LDAP Server Host Name:
actdirhost.test.com
Enterprise Repository LDAP Server Port:
3268
Enterprise Adapter Name
com.test.example.EnterpriseLdap
LDAP Connection
Bind as User
Enterprise Repository LDAP User Distinguished Name:
CN=Bind User,CN=Users,DC=actdirhost,DC=test,DC=com
Enterprise Repository LDAP Password:
<Bind User Password>
Windchill Privileges for Repository
Read Only
LDAP Service
Active Directory Service (ADS)
Repository Contains
Users
Groups
User Filter:
CN=*
Group Filter:
CN=*

CONFIDENTIAL - PTC PROPRIETARY

261498586.doc

Last printed Jul/01/2009

Page 19 of 22

Core Product Settings

Windchill Site Administrator:
Create New
Windchill Site Administrator User Name
wcadmin
Windchill Site Administrator Password:
********
Confirm Windchill Site Administrator Password:
********
Select the Repository Where the Site Administrator is Stored:
Administrative
Web Application Context Root:
Windchill
Info*Engine Server Task Processor Port Number:
10002
Initial Organization Name:
adplm
Organization Internet Domain Name:
example.test.com

Sample app-Windchill-AuthProvider.xml file

Here is a sample of the app-Windchill-AuthProvider.xml file to compare with after making the
Apache Configuration Changes.
Alternatively, you can accomplish the Apache Configuration by editing the
"<Apache_Load_Point>/conf/extra/app-Windchill-AuthProvider.xml and propagating the changes as
shown below:
app-Windchill-AuthProvider.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--Web App Auth Providers List-->
<providers enableNTLM="false">
<provider>
<name>Windchill-AdministrativeLdap</name>
<ldapUrl>ldap://windchillhost.example.test.com:389/ou=people,cn=AdministrativeLdap,cn=Windchill_9.
1,o=ptc</ldapUrl>
<bindDn>cn=Manager</bindDn>
<bindPwd><Aphelion ldap Password></bindPwd>
</provider>
<provider>
<name>Windchill-EnterpriseLdap</name>
<ldapUrl>ldap:// actdirhost.test.com:3268/OU=ptc,DC=actdirhost,DC=test,DC=com?
sAMAccountName?sub?(objectClass=*)</ldapUrl>
<bindDn>CN= Bind User,CN=Users, DC=actdirhost,DC=test,DC=com</bindDn>
<bindPwd><BindUserPassword></bindPwd>
</provider>
</providers>
To propagate these properties into .conf files, execute the following command in a Windchill shell and
from the Apache load point folder:
ant -f webAppConfig.xml regenWebAppConf

Sample mapCredentials.txt file

Here is a sample of the <WindchillHome>\codebase\WEB-INF\mapCredentials.txt file to compare
with after adding to the mapcredentials.admin.adapters property.

CONFIDENTIAL - PTC PROPRIETARY

261498586.doc

Last printed Jul/01/2009

Page 20 of 22

mapCredentials.txt
mapcredentials.admin.adapters=com.test.example.Ldap^cn\=Manager^<AphelionldapPassword>;com.test.ex
ample.Ldap-Pending^cn\=Manager^<AphelionldapPassword>;com.test.example.EnterpriseLdap^
CN=BindUser,CN=Users, DC=actdirhost,DC=test,DC=com ^<BindUserPassword>
mapcredentials.admin.default.ldap=$(wt.rmi.server.hostname)$(credentials.fieldsep)$(ie.ldap.managerDn)$
(credentials.fieldsep)$(ie.ldap.managerPw)
mapcredentials.admin.pendinguser.ldap=$(wt.rmi.server.hostname)$(credentials.fieldsep)$
(ie.ldap.managerDn)$(credentials.fieldsep)$(ie.ldap.managerPw)
mapcredentials.nonprivileged.adapters=

LDAP Browser login sequence

The Image below shows the sequence to log onto Aphelion LDAP Browser.
Connecting to LDAP using a valid LDAP User (cn=Manager) allows deleting or modifying access.

Select browser > Select Edit > Uncheck Anonymous bind checkbox > Enter Password > Select Save > Select Connect
For starting up WindchillDS browser or the control panel double click the control-panel.bat located at
<WindchillDS_Loadpoint>\server\bat folder

CONFIDENTIAL - PTC PROPRIETARY

261498586.doc

Last printed Jul/01/2009

Page 21 of 22

External References
Reference

Description

Configuring Additional Enterprise

Directories

Windchill Installation and Configuration Guide Advanced

Windchill 9.1

TANTANs and TPITPIs

135027 , 126775, 124774, 137040, 133029, 139095, 137919,

134754,124667

White Paper Windchill LDAP

Authored by Steve Dertien
Integration, Migration and Common
Challenges

CONFIDENTIAL - PTC PROPRIETARY

261498586.doc

Last printed Jul/01/2009

Page 22 of 22