Description
This article describes how to configure Windchill with Active Directory. Please see the "Additional Information" section for detailed instructions.
Additional Information
Create a JNDI adapter using the Info*Engine Administrator. A typical name is <domain_name_reversed>.EnterpriseLdap, e.g. com.example.EnterpriseLdap.
Almost always you would want to use 3268 for the port when configuring Windchill with Active Directory, rather than the default LDAP port (i.e. port 389).
If you bind to port 389 (even if you bind to a Global Catalog server) your search includes a single domain directory partition.
If you bind to port 3268, your search includes all directory partitions in the forest. Subtree search seems to work better with 3268.
The following Microsoft TechNet article explains how global catalog works:
http://technet2.microsoft.com/WindowsServer/en/library/440e44ab-ea05-4bd8-a68c-12cf8fb1af501033.mspx?mfr=true
There can be other serious issues if Windchill is configured with Active Directory using the default 389 port.
Please see TPI 132744 (https://www.ptc.com/appserver/cs/view/solution.jsp?n=132744) for details.
A typical configuration would be like:
Service Name: com.example.EnterpriseLdap
Runtime Service Name: com.example.EnterpriseLdap
Service Class: com.infoengine.jndi.JNDIAdapterImpl
Host: (leave it blank)
Port: (leave it blank)
Provider Url: ldap://activedirectoryhost.example.com:3268
Directory System Agent User: CN=Bind User,CN=Users,DC=example,DC=com
Directory System Agent Credentials: <Password_for_Bind_User>
Search Base: CN=Users,DC=example,DC=com <Please see NOTE 1 for more information>
LDAP Search Scope: SUBTREE
Additional Properties:
com.example.EnterpriseLdap.windchill.mapping.user.objectClass:user
com.example.EnterpriseLdap.windchill.mapping.usersOrganizationName:<Windchill_Organization_Name> <This property works on M030 and up>
com.example.EnterpriseLdap.windchill.mapping.user.uid:sAMAccountName <Please see NOTE 2 for more information>
com.example.EnterpriseLdap.windchill.mapping.user.uniqueIdAttribute:sAMAccountName <Please see NOTE 2 for more information>
Append the JNDI adapter name to the "wt.federation.org.directoryServices" property. For example:
wt.federation.org.directoryServices=$(wt.federation.org.defaultAdapter),com.example.EnterpriseLdap
Please make sure that all adapters are separated by commas only; do not include space or tab characters.
Now create a "Repository" using the Task Delegate Administrator:
1. Open "Task Delegate Administrator" by going to "Site > Utilities > Info*Engine Administrator > Task Delegate Administrator" and click "Manage Repository".
2. The repository name must be the adapter name backwards. For example: EnterpriseLdap.example.com. The repository type must be com.ptc.windchill-ldap. The repository Webject and Task Processors should be the same as those of the out-of-the-box LDAP adapter (the one for Aphelion). For example:
Webject Processor: com.example.<Windchill_Host_Name>.Windchill
Task Processor: com.example.<Windchill_Host_Name>.Windchill
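The adapter name, the reversed repository name, the mapping properties and the comma-only rule for wt.federation.org.directoryServices are easy to get subtly wrong by hand. The following Python helpers are an added example written for this page, not PTC's code; the domain "example.com", the organization name "Example Org" and the property values are constructed placeholders, and the helpers only produce and check strings, they do not talk to Windchill or to the directory.

```python
import re

# Added example (not PTC's code): derive and sanity-check the names used in
# this procedure. All domain, organization and adapter values are constructed.


def adapter_name_from_domain(domain, suffix="EnterpriseLdap"):
    """JNDI adapter name: the DNS domain reversed, plus a suffix.
    'example.com' -> 'com.example.EnterpriseLdap'"""
    labels = [label for label in domain.strip().lower().split(".") if label]
    if not labels:
        raise ValueError("domain must contain at least one DNS label")
    return ".".join(reversed(labels)) + "." + suffix


def repository_name(adapter_name):
    """Task Delegate repository name: the adapter name backwards.
    'com.example.EnterpriseLdap' -> 'EnterpriseLdap.example.com'"""
    return ".".join(reversed(adapter_name.split(".")))


def mapping_properties(adapter_name, organization, uid_attribute="sAMAccountName"):
    """The adapter's 'Additional Properties', keyed by the adapter name.
    Pass uid_attribute='userPrincipalName' in a multi-domain forest (NOTE 2)."""
    prefix = adapter_name + ".windchill.mapping."
    return {
        prefix + "user.objectClass": "user",
        prefix + "usersOrganizationName": organization,
        prefix + "user.uid": uid_attribute,
        prefix + "user.uniqueIdAttribute": uid_attribute,
    }


def parse_directory_services(value):
    """Split wt.federation.org.directoryServices and reject the whitespace
    mistakes the article warns about (spaces or tabs around the commas)."""
    if re.search(r"\s", value):
        raise ValueError("adapters must be separated by commas only; "
                         "remove spaces/tabs: %r" % value)
    adapters = value.split(",")
    if "" in adapters:
        raise ValueError("empty adapter entry (double or trailing comma): %r" % value)
    return adapters


def append_directory_service(value, adapter_name):
    """Append the new adapter to the property value; idempotent on re-run."""
    adapters = parse_directory_services(value)
    if adapter_name not in adapters:
        adapters.append(adapter_name)
    return ",".join(adapters)


if __name__ == "__main__":
    name = adapter_name_from_domain("example.com")
    print("adapter   :", name)
    print("repository:", repository_name(name))
    print("wt.federation.org.directoryServices="
          + append_directory_service("$(wt.federation.org.defaultAdapter)", name))
    for key, val in mapping_properties(name, "Example Org").items():
        print("%s:%s" % (key, val))
```

Run it once before editing wt.properties: the printed directoryServices line is the one to paste, and parse_directory_services refuses a value with a stray space after the comma, which is the mistake the text above warns about.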
A quick test at this time is to restart Windchill and open the Principal Administrator. A search for users, for example, displays Active Directory users if the setup is correct.
If you use Apache as the Web Server then you have to configure its authentication properties to point to Active Directory.
For Apache 2.0.XX, edit the <Apache_Load_Point>/conf/app-<replace_your_app_name>.properties file (e.g. "<Apache_Load_Point>/conf/app-Windchill.properties") as follows.
(Be sure to escape all colons ":" and equal signs "=" with a backslash "\".)
apacheWebApp.ldapUrl=ldap\://activedirectoryhost.example.com\:3268/DC\=example,DC\=com?sAMAccountName?sub?(objectClass\=*) <Please see NOTE 2 for more information>
apacheWebApp.bindDn=CN\=Administrator,CN\=Users,DC\=example,DC\=com
apacheWebApp.bindPwd=<password_for_Administrator>
apacheWebApp.anonBind=false
For Apache 2.2.XX, edit <Apache_Load_Point>/conf/extra/app-<replace_your_app_name>-AuthProvider.xml (e.g. "<Apache_Load_Point>/conf/extra/app-Windchill-AuthProvider.xml") as follows:
<?xml version="1.0" encoding="UTF-8"?>
<!--Web App Auth Providers List-->
<providers enableNTLM="false">
  <provider>
    <name>Windchill-ldap</name>
    <ldapUrl>ldap://windchillhost.example.com/ou=people,cn=Windchill,cn=Application%20Services,o=example</ldapUrl>
  </provider>
  <provider>
    <name>Windchill-EnterpriseLdap</name>
    <ldapUrl>ldap://activedirectoryhost.example.com:3268/CN=Users,DC=example,DC=com?sAMAccountName?sub?(objectClass=*)</ldapUrl>
    <bindDn>CN=Bind User,CN=Users,DC=example,DC=com</bindDn>
    <bindPwd><Password_for_Bind_User></bindPwd>
  </provider>
</providers>
To propagate these properties into .conf files, execute the following command in a Windchill shell and from the Apache load point folder:
ant -f webAppConfig.xml regenWebAppConf
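Both Apache forms above carry the same provider settings, and each has its own escaping trap: the 2.0 properties file needs every ":" and "=" backslash-escaped, while the 2.2 XML template writes the bind password as literal element text, so a password containing "<" or "&" produces a file that will not parse. The script below is an added example written for this page (not PTC's code, and not what webAppConfig.xml does internally); it renders both forms from one description and reads the XML back. Host names, DNs, the "apacheWebApp" prefix and the sample password are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Added example (not PTC's code): render the Active Directory provider settings
# in both the Apache 2.0 properties form and the Apache 2.2 AuthProvider XML
# form. Host, DN and password values below are constructed placeholders.


def escape_properties_value(value):
    """Backslash-escape ':' and '=' as the article requires for the
    app-<name>.properties file."""
    return value.replace(":", "\\:").replace("=", "\\=")


def ldap_url(host, port, search_base, uid_attribute="sAMAccountName",
             scope="sub", ldap_filter="(objectClass=*)"):
    """LDAP URL in the form the Apache provider expects:
    ldap://host:port/base?attribute?scope?filter"""
    return "ldap://%s:%d/%s?%s?%s?%s" % (
        host, port, search_base, uid_attribute, scope, ldap_filter)


def apache20_properties(prefix, url, bind_dn, bind_pwd):
    """Lines for the Apache 2.0.XX properties file, with values escaped."""
    settings = [("ldapUrl", url), ("bindDn", bind_dn),
                ("bindPwd", bind_pwd), ("anonBind", "false")]
    return "\n".join("%s.%s=%s" % (prefix, key, escape_properties_value(val))
                     for key, val in settings)


def apache22_auth_provider_xml(providers):
    """Apache 2.2.XX AuthProvider XML. ElementTree escapes '<', '>' and '&'
    in element text, which a hand-edited <bindPwd> template does not."""
    root = ET.Element("providers", enableNTLM="false")
    for p in providers:
        node = ET.SubElement(root, "provider")
        ET.SubElement(node, "name").text = p["name"]
        ET.SubElement(node, "ldapUrl").text = p["ldapUrl"]
        if "bindDn" in p:  # anonymous-bind providers carry no credentials
            ET.SubElement(node, "bindDn").text = p["bindDn"]
            ET.SubElement(node, "bindPwd").text = p["bindPwd"]
    if hasattr(ET, "indent"):  # Python 3.9+; purely cosmetic
        ET.indent(root)
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            '<!--Web App Auth Providers List-->\n'
            + ET.tostring(root, encoding="unicode"))


def parse_auth_provider_xml(text):
    """Read the providers back; also a cheap well-formedness check for a
    hand-edited AuthProvider file."""
    root = ET.fromstring(text.encode("utf-8"))
    return [{child.tag: child.text for child in node}
            for node in root.findall("provider")]


if __name__ == "__main__":
    ad_url = ldap_url("activedirectoryhost.example.com", 3268, "DC=example,DC=com")
    print(apache20_properties("apacheWebApp", ad_url,
                              "CN=Administrator,CN=Users,DC=example,DC=com",
                              "<password_for_Administrator>"))
    print(apache22_auth_provider_xml([
        {"name": "Windchill-ldap",
         "ldapUrl": "ldap://windchillhost.example.com/ou=people,cn=Windchill,"
                    "cn=Application%20Services,o=example"},
        {"name": "Windchill-EnterpriseLdap",
         "ldapUrl": ldap_url("activedirectoryhost.example.com", 3268,
                             "CN=Users,DC=example,DC=com"),
         "bindDn": "CN=Bind User,CN=Users,DC=example,DC=com",
         "bindPwd": "<Password_for_Bind_User>"},
    ]))
```

The properties output reproduces the escaped ldapUrl line shown above character for character, so it doubles as a check on a hand-written file; parse_auth_provider_xml fails with a ParseError on an AuthProvider file whose password was pasted in unescaped.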
Apache 2.0.XX can only bind to one LDAP server. So once you configure Apache with Active Directory, the users created earlier (i.e. the Site Admin, a.k.a. "wcadmin") will not be able to log in to Windchill. This issue can be addressed by enabling Apache's "password" file.
Execute the following command in a Windchill shell and from the Apache load point folder to enable Apache's "password" file:
ant -f webAppConfig.xml regenWebAppConf -DappName=<WebApp_Name> -DpwdFileEnabled=true -DpwdFilename=<Name_of_the_password_file>
After enabling the password file, execute the following command from the <Apache_Load_Point>/bin folder to add a user to the password file:
htpasswd <Path_to_the_password_file> wcadmin
NOTE:
1. You can set the Search Base to the root (i.e. "DC=example,DC=com") if you have users in different nodes. However, setting the Search Base to the root might result in poor performance.
2. If you have an Active Directory forest, then the "sAMAccountName" might not be unique across different Active Directory domains.
In that case please use the "userPrincipalName". The format of the "userPrincipalName" is <sAMAccountName>@<the_domain_name>, which guarantees that "userPrincipalName" is unique across different domains.
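The port and attribute notes above describe two failure modes that are worth seeing side by side: a bind to port 389 searches one domain partition and silently misses users in the other domains of the forest, while a global catalog search on 3268 that maps logins by sAMAccountName can match two different accounts. The model below is an added example for this page, not PTC's code and not a real LDAP client: the forest, its two partitions and its user entries are constructed in memory, and the search function only imitates the partition-scoping rule the notes state.

```python
# Added example (not PTC's code): an in-memory model of an AD forest with two
# domain partitions, showing why the notes prefer port 3268 and, in a forest,
# userPrincipalName over sAMAccountName. All entries are constructed.

GLOBAL_CATALOG_PORT = 3268
LDAP_PORT = 389

# Constructed forest: the same sAMAccountName exists in two domains.
FOREST = {
    "DC=example,DC=com": [
        {"dn": "CN=Jane Smith,CN=Users,DC=example,DC=com",
         "sAMAccountName": "jsmith", "userPrincipalName": "jsmith@example.com"},
        {"dn": "CN=Bind User,CN=Users,DC=example,DC=com",
         "sAMAccountName": "binduser", "userPrincipalName": "binduser@example.com"},
    ],
    "DC=emea,DC=example,DC=com": [
        {"dn": "CN=John Smith,CN=Users,DC=emea,DC=example,DC=com",
         "sAMAccountName": "jsmith", "userPrincipalName": "jsmith@emea.example.com"},
    ],
}


def search_users(port, bound_partition, attribute, value):
    """Port 389 sees only the partition you bound to; port 3268 (the global
    catalog) sees every partition in the forest. AD attribute matching is
    case-insensitive, which is mirrored here."""
    if port == GLOBAL_CATALOG_PORT:
        partitions = list(FOREST)
    elif port == LDAP_PORT:
        partitions = [bound_partition]
    else:
        raise ValueError("unexpected port %r" % port)
    wanted = value.lower()
    return [entry for p in partitions for entry in FOREST[p]
            if entry[attribute].lower() == wanted]


def resolve_login(port, bound_partition, uid_attribute, login):
    """What the user-mapping uid attribute must deliver: exactly one entry.
    Raises LookupError when the login is unknown or ambiguous."""
    hits = search_users(port, bound_partition, uid_attribute, login)
    if len(hits) != 1:
        raise LookupError("%d entries match %s=%s; use userPrincipalName in a forest"
                          % (len(hits), uid_attribute, login))
    return hits[0]["dn"]


def user_principal_name(sam_account_name, domain_name):
    """NOTE 2 format: <sAMAccountName>@<the_domain_name>."""
    return "%s@%s" % (sam_account_name, domain_name)


if __name__ == "__main__":
    root = "DC=example,DC=com"
    # Port 389: one hit, but the EMEA account is invisible, not merely unmatched.
    print("389  sAMAccountName=jsmith ->",
          [e["dn"] for e in search_users(LDAP_PORT, root, "sAMAccountName", "jsmith")])
    # Port 3268: whole forest, so the login is ambiguous.
    print("3268 sAMAccountName=jsmith ->",
          [e["dn"] for e in search_users(GLOBAL_CATALOG_PORT, root, "sAMAccountName", "jsmith")])
    upn = user_principal_name("jsmith", "emea.example.com")
    print("3268 userPrincipalName=%s ->" % upn,
          resolve_login(GLOBAL_CATALOG_PORT, root, "userPrincipalName", upn))
```

The ambiguous case is the one to watch: when two accounts share a login name, which one an application resolves depends on search order, so the mapping must use an attribute that is unique forest-wide, as NOTE 2 says.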