Microsoft Active Directory Attribute Mapping for User and Group Objects
To enable Windchill to work with Microsoft Active Directory user objects, the following attribute-mapping properties must be set for user objects on the JNDI adapter definition:
mapping.user.objectClass=user
mapping.user.o=company
mapping.user.uid=sAMAccountName
mapping.user.uniqueIdAttribute=sAMAccountName
* Each mapping value is the attribute that gets mapped to the map identifier. For instance, the map identifier o is mapped to the attribute company.
* The uid is assumed to be unique because it is the user ID that is used to log on to the web server. Therefore, the value specified for mapping.user.uniqueIdAttribute should always be the same as the value specified for mapping.user.uid.
* Some Active Directory configurations, such as ADAM, do not automatically index attributes. If no index is created, performance might be affected. To reduce this possibility, ensure that an index is created for the attribute that is mapped to mapping.user.uniqueIdAttribute.
The following attribute-mapping values are based on an out-of-the-box installation of a Microsoft Active Directory. The actual values you assign to these attribute-mapping properties might vary depending on your Microsoft Active Directory installation:
<service_name>.windchill.mapping.user.postalAddress=postalAddress
<service_name>.windchill.mapping.group.objectClass=group
<service_name>.windchill.mapping.user.uid=sAMAccountName
<service_name>.windchill.mapping.user.cn=cn
<service_name>.windchill.mapping.user.preferredLanguage=preferredLanguage
<service_name>.windchill.mapping.group.uniqueMember=member
<service_name>.windchill.mapping.user.mobile=mobile
<service_name>.windchill.mapping.group.uniqueIdAttribute=sAMAccountName
<service_name>.windchill.mapping.group.description=description
<service_name>.windchill.mapping.user.mail=mail
<service_name>.windchill.mapping.user.facsimileTelephoneNumber=facsimileTelephoneNumber
<service_name>.windchill.mapping.user.sn=sn
<service_name>.windchill.mapping.user.objectClass=user
<service_name>.windchill.mapping.user.uniqueIdAttribute=sAMAccountName
<service_name>.windchill.mapping.user.userCertificate=userCertificate
<service_name>.windchill.mapping.user.o=company
The following properties are optional Microsoft Active Directory attribute mappings:
<service_name>.windchill.mapping.user.preferredLanguage=localeID
<service_name>.windchill.mapping.user.labeledURI=wWWHomePage
The following tables list the default attributes for Microsoft Active Directory user objects as compared to Windchill values:
Windchill and Microsoft Active Directory User Object Class

| Windchill Default LDAP User Object Class | Microsoft Active Directory User Object Class |
| --- | --- |
| inetOrgPerson | user |

* Some mapping values for Microsoft Active Directory might vary depending on the Active Directory schema in use, which varies based on the release level of Windows being used.

Windchill and Microsoft Active Directory User Attributes

| Windchill Default LDAP User Attribute | Microsoft Active Directory User Attribute |
| --- | --- |
| cn | cn |
| mail | mail |
| postalAddress | Out of the box, postalAddress is supported for the Microsoft Active Directory user object class; however, Microsoft Active Directory does not set postalAddress. Instead, it uses several individual attributes: street address, location, postal code, and country. If the value specified for this attribute contains a $ character and the property <jndiAdapterName>.<webAppName>.config.directoryType is set to ADS, then the $ character is replaced by a new line. For more information about configuring this property, see JNDI Adapter Properties. To enable Windchill to see a postalAddress value, do one of the following: 1) assign all address information to the user object’s postalAddress attribute, or 2) use another attribute to consolidate all of the address information and then map that attribute to postalAddress on the JNDI adapter definition. |
| preferredLanguage | Out of the box, Microsoft Active Directory does not have a preferredLanguage attribute for user objects. Windchill will not see a preferredLanguage value unless your Microsoft Active Directory installation is configured to set one of the user object’s attributes to a preferred language value and that attribute is then mapped to preferredLanguage on the JNDI adapter definition. |
| sn | sn |
| uid | An out-of-the-box Microsoft Active Directory does not have a uid attribute for user objects. Instead, there are two attributes that contain the user ID (uid) information. The first is sAMAccountName, which is the user ID itself. The second is userPrincipalName, which is the user ID with the domain appended (for example, user@myco.com). To enable Windchill to see a uid value, one of these attributes has to be mapped to uid on the JNDI adapter definition. Use the attribute that corresponds to the user ID format that is passed along by your web server. |
| userPassword | Out of the box, userPassword is supported for the Microsoft Active Directory user object class, but Microsoft Active Directory does not set userPassword. Windchill will not see a userPassword value unless your Microsoft Active Directory installation sets it (or sets another attribute that you map to userPassword on the JNDI adapter definition). |
| userCertificate | userCertificate |
| o | The Microsoft Active Directory schema supports o as an optional attribute for the user object class. However, o typically might not be set by the Active Directory. Therefore, by default, Windchill maps o to company. You can change this mapping if necessary. |
| telephoneNumber | telephoneNumber |
| facsimileTelephoneNumber | facsimileTelephoneNumber |
| mobile | mobile |
| labeledURI | Out of the box, Microsoft Active Directory does not have a labeledURI attribute for user objects. Instead, there is the wWWHomePage attribute, which contains the same information. To enable Windchill to see a labeledURI value, wWWHomePage can be mapped to labeledURI on the JNDI adapter definition. |

Microsoft Active Directory Group Object LDAP Attributes

| Windchill Default LDAP Group Object Class | Microsoft Active Directory Group Object Class |
| --- | --- |
| groupofUniqueNames | group |

Windchill and Microsoft Active Directory Group Attributes

| Windchill Default LDAP Group Attribute | Microsoft Active Directory Group Attribute |
| --- | --- |
| cn | cn |
| description | description |
| uniqueMember | The out-of-the-box Microsoft Active Directory does not have a uniqueMember attribute for group objects. Instead there is the member attribute. To enable Windchill to see Microsoft Active Directory group members, map the member attribute to uniqueMember on the JNDI adapter definition. |

To enable Windchill to work with Microsoft Active Directory group objects and group members, the following attribute-mapping properties must be set for group objects on the JNDI adapter definition:
mapping.group.cn=cn
mapping.group.objectClass=group
mapping.group.uniqueMember=member
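
The user and group rules above (required mapping properties, uid mapped to sAMAccountName or userPrincipalName, and uniqueIdAttribute equal to uid) can be checked before an adapter definition is deployed. The following is an added example, not PTC code; the function names and the `myAdapter` prefix are hypothetical, and it assumes the mappings are available as key=value text.

```python
# Added example (not PTC code): lint a JNDI adapter mapping against this page's rules.
REQUIRED = ("user.objectClass", "user.o", "user.uid", "user.uniqueIdAttribute",
            "group.cn", "group.objectClass", "group.uniqueMember")
EXPECTED = {"user.objectClass": "user", "group.objectClass": "group",
            "group.uniqueMember": "member"}
UID_ATTRS = ("samaccountname", "userprincipalname")  # LDAP names are case-insensitive


def parse_mappings(text):
    """Return {'user.uid': 'sAMAccountName', ...}, dropping any adapter prefix."""
    mappings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        marker = key.find("mapping.")
        if marker != -1:
            mappings[key[marker + len("mapping."):]] = value
    return mappings


def check_mappings(text):
    """Return a list of findings; an empty list means the page's rules are met."""
    m = parse_mappings(text)
    findings = [f"missing mapping.{k}" for k in REQUIRED if not m.get(k)]
    for key, want in EXPECTED.items():
        if m.get(key) and m[key].lower() != want.lower():
            findings.append(f"mapping.{key}={m[key]}, out-of-the-box value is {want}")
    uid, unique = m.get("user.uid", ""), m.get("user.uniqueIdAttribute", "")
    if uid and uid.lower() not in UID_ATTRS:
        findings.append(f"mapping.user.uid={uid} is not sAMAccountName or userPrincipalName")
    if uid and unique and uid.lower() != unique.lower():
        findings.append("mapping.user.uniqueIdAttribute differs from mapping.user.uid")
    return findings


# Constructed sample (hypothetical adapter name): uid and uniqueIdAttribute
# disagree, and the group member mapping is absent.
SAMPLE = """\
myAdapter.windchill.mapping.user.objectClass=user
myAdapter.windchill.mapping.user.o=company
myAdapter.windchill.mapping.user.uid=userPrincipalName
myAdapter.windchill.mapping.user.uniqueIdAttribute=sAMAccountName
myAdapter.windchill.mapping.group.cn=cn
myAdapter.windchill.mapping.group.objectClass=group
"""

if __name__ == "__main__":
    print("\n".join(check_mappings(SAMPLE)))
```

An objectClass or uniqueMember finding is only a deviation from the out-of-the-box values listed on this page; a directory with a different schema can legitimately use other values.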