Set Authentication in the MapCredentials.xml File
The MapCredentials.xml file is used to specify the authentication access to specific Info*Engine adapters. If there are no entries in the MapCredentials.xml file for a particular adapter, then the default access to the corresponding directory is anonymous. In effect, this means that the Windchill administrator would probably not be able to read or modify the entries (create and update user information) in that directory.
If you are manually adding an enterprise directory and you do not want anonymous access, you must set the authentication access to the enterprise directory by adding the newly-created JNDI adapter, distinguished name, and password to an existing property in the MapCredentials.xml file. You can also change the distinguished name or password being used for authentication by changing existing property values.
Update the properties in the MapCredentials.xml file using the xconfmanager utility. Any changes made by directly editing the MapCredentials.xml file are overwritten by the xconfmanager utility. For more information on the xconfmanager utility, see About the xconfmanager Utility.
* The actual file that stores the property changes is the codebase/WEB-INF/mapCredentials.txt file. Changes to this file should only be made using the xconfmanager utility.
Perform the following steps to define access to the enterprise directory:
1. Determine the distinguished name and password to be used by the Windchill administrator to authenticate to the LDAP directory service.
The distinguished name and password you identify in this step are used in later steps of this procedure. The semicolon is a restricted character and cannot be used in Windchill administrator passwords.
2. If you want to allow Windchill to access group entries or modify group or user information, ensure that the distinguished name identified in Step 1 allows sufficient privileges to read/create/update/delete Windchill objects in the directory server.
* You can enable access using the windchill.config.readOnly and windchill.config.doesNotContainGroups properties described in the section Set Additional Properties of Create and Configure the JNDI Adapter.
To change the access control privileges set for a user who is defined in LDAP, you must use the directory server administrative tools.
3. Use the xconfmanager utility to modify the MapCredentials.xml file to include the distinguished name and password used by the Windchill administrator to access the directory server (property changes are stored in the codebase/WEB-INF/mapCredentials.txt file).
The property is formatted as follows:
mapcredentials.admin.adapters=<service_name>^<distinguished_name>^<password>
Where <distinguished_name> and <password> are the values identified in Step 1.
This is a multivalued property. You can use the xconfmanager --add option to add multiple adapter definitions. Use the xconfmanager --remove option to remove specific values.
For example, assume enterpriseAdapter is the name of the adapter that has been set up for accessing an enterprise LDAP directory server. In this scenario, the distinguished name values are cn=DistUser,o=myCompany and the password is password. The following command adds the authentication access that is required for the LDAP directory:
xconfmanager --add "mapcredentials.admin.adapters=enterpriseAdapter^cn=DistUser,o=myCompany^password" -t "codebase/WEB-INF/mapCredentials.txt" -p
Using the xconfmanager utility to set values for this property ensures that the passwords specified are encrypted. For details on encrypting system passwords, see Specialized Administration.
If you have made additional customizations to Windchill, you can also set additional authentication access through adapters that have been created for other activities in Windchill that require less access. In this case, use the following property to add or modify the authentication access to the LDAP directory server identified in the adapter:
mapcredentials.nonprivileged.adapters=<service_name>^<distinguished_name>^<password>
This specifies the distinguished name and password for a user who does not have Windchill administrative privileges, but still needs access to the established enterprise LDAP adapter.
For example, assume newAdapter is the name of the adapter that has been set up for accessing an enterprise LDAP directory server. In this scenario, the distinguished name values are cn=NonprivUser,o=myCompany and the password is password. The following command adds the authentication access that is required for the LDAP directory:
xconfmanager --add "mapcredentials.nonprivileged.adapters=newAdapter^cn=NonprivUser,o=myCompany^password" -t "codebase/WEB-INF/mapCredentials.txt" -p
* Ensure that the distinguished name you specify here allows sufficient privileges to read the Windchill objects in the directory server.
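A pre-flight check for the value passed to xconfmanager --add for either property above, as an added example that is not part of the product documentation: it rejects fields that would break the <service_name>^<distinguished_name>^<password> layout before anything is written. The function names mapcred_value and mapcred_property are hypothetical; treating ^ as forbidden inside a field and applying the semicolon restriction to every password are assumptions.

```shell
#!/bin/sh
# Added example: validate the fields of a mapcredentials entry before
# passing it to xconfmanager. Function names are hypothetical.

# mapcred_value <service_name> <distinguished_name> <password>
# Prints service^dn^password, or returns 1 with a reason on stderr.
mapcred_value() {
    nl='
'
    for field in "$1" "$2" "$3"; do
        [ -n "$field" ] || { echo "empty field" >&2; return 1; }
        case $field in
            # Assumption: '^' separates the fields, so it cannot occur inside one.
            *"^"*) echo "field contains '^'" >&2; return 1 ;;
            # A line break (a wrapped command pasted as-is) would end up in the value.
            *"$nl"*) echo "field contains a line break" >&2; return 1 ;;
        esac
    done
    # The guide restricts ';' in administrator passwords; applying it to
    # every password here is a conservative assumption.
    case $3 in *";"*) echo "password contains ';'" >&2; return 1 ;; esac
    # Sanity check: a distinguished name is made of attr=value components.
    case $2 in *=*) ;; *) echo "distinguished name has no attr=value" >&2; return 1 ;; esac
    printf '%s^%s^%s\n' "$1" "$2" "$3"
}

# mapcred_property <admin|nonprivileged> <service_name> <dn> <password>
# Prints the full property assignment for xconfmanager --add.
mapcred_property() {
    case $1 in
        admin|nonprivileged) ;;
        *) echo "kind must be admin or nonprivileged" >&2; return 1 ;;
    esac
    value=$(mapcred_value "$2" "$3" "$4") || return 1
    printf 'mapcredentials.%s.adapters=%s\n' "$1" "$value"
}

# Usage with the options shown in the guide (PW holds the password):
#   prop=$(mapcred_property admin enterpriseAdapter 'cn=DistUser,o=myCompany' "$PW") &&
#       xconfmanager --add "$prop" -t "codebase/WEB-INF/mapCredentials.txt" -p
```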
For additional credentials mapping information, see Credentials Mapping.