User and Group LDAP Attribute Value Mapping
Windchill uses a subset of the user and group LDAP attributes defined in an LDAP V3-compliant schema. Your directory might not use the exact directory attributes for user and group entries that Windchill expects by default.
When using an enterprise directory for users or groups, you might need to modify which attributes are used in the directory or modify which LDAP object classes define users and groups. This means that when you configure the JNDI adapter you must provide additional attribute-mapping properties to map the default Windchill user and group attributes to the corresponding user and group attributes used by your LDAP directory.
You can map property attributes using the Additional Properties section of the LDAP entry form.
The value you enter is saved in the named JNDI configuration property. After the properties are reloaded, they are then used by the directory service.
When mapping property attributes in the JNDI adapter, the following formats are used to specify the user, group, and organization attribute properties:
| Principal    | Property Format                                         |
|--------------|---------------------------------------------------------|
| User         | <service_name>.windchill.mapping.user.<map_identifier>  |
| Group        | <service_name>.windchill.mapping.group.<map_identifier> |
| Organization | <service_name>.windchill.mapping.org.<map_identifier>   |

where:
<service_name> is the service name specified for the adapter (the Service Name field in the LDAP property form)
<map_identifier> is the attribute or value that you want to map
The following scenario illustrates how you might set the object class for users:
You have assigned the JNDI adapter a service name of EnterpriseDirectory1.
In Windchill, the map identifier when setting the object class property is objectClass.
You are mapping this property for users, therefore specify the format windchill.mapping.user.
The default object class value in Windchill is “inetOrgPerson,” but you want to set the value to “organizationalPerson.”
To set this property, you would complete the following actions under the Additional Properties section of the LDAP entry form:
1. In the Property field enter:
EnterpriseDirectory1.windchill.mapping.user.objectClass
2. In the Value field, enter:
organizationalPerson
3. Click Add.
Default User and Group LDAP Attribute Values
The following sections list the default user and group LDAP object classes and attributes used by Windchill and the corresponding object classes and attributes used for user and group objects in other LDAP directories. For Microsoft Active Directory-specific values, see the section Microsoft Active Directory Attribute Mapping for User and Group Objects.
User Object LDAP Attribute Values
The default value in Windchill assigned to the LDAP user object class:
Windchill User Object Class

| <map_identifier> | Description | LDAP Object Class Default Value |
|------------------|-------------|---------------------------------|
| objectClass | Specifies the LDAP object class value that defines users in the directory service. | inetOrgPerson |
The following table lists the default LDAP values for user objects recognized by Windchill. If necessary, use the <map_identifier> to change the corresponding default attribute value for your LDAP directory:
Windchill LDAP User Attributes

| <map_identifier> | Description | Default Value |
|------------------|-------------|---------------|
| cn | Identifies the attribute that holds the full name ("common name") of a user in the directory service. | cn |
| certificateType | Specifies the type of user certificates that are registered in the directory service. | X.509 |
| mail | Identifies the attribute that holds the email address of a user in the directory service. | mail |
| postalAddress | Identifies the attribute that holds the postal address of a user in the directory service. | postalAddress |
| preferredLanguage | Identifies the attribute that holds the preferred language of a user in the directory service. | preferredLanguage |
| sn | Identifies the attribute that holds the surname of a user in the directory service. | sn |
| o | Identifies the attribute that holds the organization to which a user in the directory service belongs. You can also set the user's initial organization name using the usersOrganizationName property. For more information, see the section Set Additional Properties in Create and Configure the JNDI Adapter. | o |
| uid | Identifies the attribute that holds the user ID (usually used as the login ID) of a user in the directory service. | uid |
| uniqueIdAttribute | Identifies the attribute that uniquely identifies a user in the directory service. | uid |
| userCertificate | Identifies the attribute that provides the user certificate of a user in the directory service. | userCertificate |
| telephoneNumber | Identifies the attribute that holds the primary telephone number of the user. | telephoneNumber |
| mobile | Identifies the attribute that holds the cell phone number of the user. | mobile |
| facsimileTelephoneNumber | Identifies the attribute that holds the fax number of the user. | facsimileTelephoneNumber |
| labeledURI | Identifies the attribute that holds the URL of the website of the user. | labeledURI |
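The property format described above and the user defaults in the table just shown combine into a short procedure: compare what your directory uses against the Windchill defaults and enter only the differing values as Additional Properties. The following script is an added example (not Windchill code) that does exactly that. It assumes the scenario's service name EnterpriseDirectory1 from the text; the function names mapping_key and needed_overrides are this example's own.

```python
"""Compute the Additional Properties entries a JNDI adapter needs.

Added example, not Windchill code. It implements the property-name format
<service_name>.windchill.mapping.<principal>.<map_identifier> and uses the
Windchill user defaults from the table above to emit only those mappings whose
value differs from the default, which are the only entries that have to be
typed into the Additional Properties section.
"""
import re

PRINCIPALS = ("user", "group", "org")   # the three principal kinds the format supports

# Windchill default value per user map identifier (from the table above).
USER_DEFAULTS = {
    "objectClass": "inetOrgPerson", "cn": "cn", "certificateType": "X.509",
    "mail": "mail", "postalAddress": "postalAddress",
    "preferredLanguage": "preferredLanguage", "sn": "sn", "o": "o", "uid": "uid",
    "uniqueIdAttribute": "uid", "userCertificate": "userCertificate",
    "telephoneNumber": "telephoneNumber", "mobile": "mobile",
    "facsimileTelephoneNumber": "facsimileTelephoneNumber", "labeledURI": "labeledURI",
}


def mapping_key(service_name, principal, map_identifier):
    """Property name for one mapping, e.g. for the scenario in the text:
    mapping_key("EnterpriseDirectory1", "user", "objectClass")."""
    if principal not in PRINCIPALS:
        raise ValueError(f"principal must be one of {PRINCIPALS}, got {principal!r}")
    # The service name is the first dotted component, so it cannot contain '.'
    if not service_name or "." in service_name or any(c.isspace() for c in service_name):
        raise ValueError(f"invalid service name {service_name!r}")
    # Map identifiers are LDAP attribute names: letters, digits and '-'.
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", map_identifier):
        raise ValueError(f"invalid map identifier {map_identifier!r}")
    return f"{service_name}.windchill.mapping.{principal}.{map_identifier}"


def needed_overrides(service_name, principal, defaults, directory_values):
    """Return Property=Value lines for every identifier whose directory value
    differs from the Windchill default. Identifiers that have no default (such
    as 'attributes') are always written out, since there is nothing to compare."""
    lines = []
    for identifier in sorted(set(defaults) | set(directory_values)):
        value = directory_values.get(identifier, defaults.get(identifier))
        if value != defaults.get(identifier):
            lines.append(f"{mapping_key(service_name, principal, identifier)}={value}")
    return lines


if __name__ == "__main__":
    # The scenario from the text: only the user object class changes.
    for line in needed_overrides("EnterpriseDirectory1", "user", USER_DEFAULTS,
                                 {"objectClass": "organizationalPerson"}):
        print(line)
```

Each printed line is one Property/Value pair for the Additional Properties form; a directory that already uses the Windchill default for an identifier produces no line for it.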
Group Object LDAP Attribute Values
The default value in Windchill assigned to the LDAP group object class:
Windchill Group Object Class

| <map_identifier> | Description | Default LDAP Object Class |
|------------------|-------------|---------------------------|
| objectClass | Specifies the LDAP object class value that defines groups in the directory service. | groupOfUniqueNames |
The following table lists the default LDAP values for group objects recognized by Windchill. If necessary, use the <map_identifier> to change the corresponding default attribute value for your LDAP directory:
Windchill LDAP Group Attributes

| <map_identifier> | Description | Default Value |
|------------------|-------------|---------------|
| cn | Identifies the attribute that holds the names of groups in the directory service. | cn |
| description | Identifies the attribute that holds the descriptive text about groups in the directory service. | description |
| filter | Specifies an additional expression that is added to all LDAP search filters used in querying groups through this JNDI adapter. By default, no additional expression is added. Example: (ou=Engineering). You can also set the filter using the existing JNDI searchFilter property. | none |
| uniqueIdAttribute | Identifies the attribute that holds the unique names of groups in the directory service. | cn |
| uniqueMember | Identifies the attribute that defines members of groups in the directory service. | uniqueMember |
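The group map identifiers are only names; what matters operationally is the LDAP search filter they turn into when Windchill queries the directory. The following added example (not Windchill code, and not a description of how Windchill internally builds its queries) shows how the objectClass, uniqueIdAttribute, uniqueMember and filter values above compose into group lookups, both with the Windchill defaults and with attribute names substituted for a different directory. The Active Directory values it uses (group, member, sAMAccountName) come from the Active Directory section of this page; the group name and member DN are constructed sample data. Values that end up inside a filter are escaped per RFC 4515, so a name taken from a request cannot alter the filter's structure.

```python
"""Compose LDAP group search filters from Windchill group mappings.

Added example, not Windchill code. It demonstrates how the group map
identifiers translate into a directory's own attribute names when a query is
built, and how the optional 'filter' expression is appended to every group
query. Filter values are escaped as RFC 4515 section 3 requires.
"""

# Windchill defaults from the group tables above.
GROUP_DEFAULTS = {
    "objectClass": "groupOfUniqueNames",
    "cn": "cn",
    "uniqueIdAttribute": "cn",
    "uniqueMember": "uniqueMember",
    "filter": "",          # no additional expression by default
}


def escape_filter_value(value):
    """Escape the characters that are special inside an LDAP filter value."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))   # e.g. '*' becomes '\2a'
        else:
            out.append(ch)
    return "".join(out)


def group_mapping(overrides=None):
    """Windchill defaults merged with {map_identifier: directory value}."""
    mapping = dict(GROUP_DEFAULTS)
    mapping.update(overrides or {})
    return mapping


def base_group_filter(mapping):
    """The filter parts every group query carries: the object class test and,
    if configured, the additional expression from the 'filter' identifier."""
    parts = [f"(objectClass={escape_filter_value(mapping['objectClass'])})"]
    extra = mapping.get("filter", "").strip()
    if extra:
        # The extra expression is itself a filter, so it must be parenthesised
        # to be combinable with '&'.
        if not (extra.startswith("(") and extra.endswith(")")):
            raise ValueError("the filter expression must be a parenthesised LDAP filter")
        parts.append(extra)
    return parts


def _and(parts):
    return parts[0] if len(parts) == 1 else "(&" + "".join(parts) + ")"


def find_group_by_unique_id(mapping, group_id):
    """Filter that locates one group by the attribute mapped to uniqueIdAttribute."""
    attr = mapping["uniqueIdAttribute"]
    return _and(base_group_filter(mapping) + [f"({attr}={escape_filter_value(group_id)})"])


def groups_containing_member(mapping, member_dn):
    """Filter that lists the groups whose membership attribute holds member_dn."""
    attr = mapping["uniqueMember"]
    return _and(base_group_filter(mapping) + [f"({attr}={escape_filter_value(member_dn)})"])


if __name__ == "__main__":
    default = group_mapping({"filter": "(ou=Engineering)"})
    print(find_group_by_unique_id(default, "Engineers"))
    # Active Directory values from the section below.
    ad = group_mapping({"objectClass": "group", "uniqueMember": "member",
                        "uniqueIdAttribute": "sAMAccountName"})
    print(groups_containing_member(ad, "CN=Jane Doe,OU=Users,DC=example,DC=com"))
```

With the default mapping and filter set to (ou=Engineering), looking up the group Engineers yields (&(objectClass=groupOfUniqueNames)(ou=Engineering)(cn=Engineers)); with the Active Directory overrides the same membership query is expressed against objectClass=group and the member attribute instead.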
Microsoft Active Directory Attribute Mapping for User and Group Objects
To enable Windchill to work with Microsoft Active Directory user objects, the following attribute-mapping properties must be set for user objects on the JNDI adapter definition:
mapping.user.objectClass=user
mapping.user.o=company
mapping.user.uid=sAMAccountName
mapping.user.uniqueIdAttribute=sAMAccountName
* The mapping values represent the attribute that is mapped to the map identifier. For instance, the map identifier o is mapped to the attribute company.
* The uid is assumed to be unique, since it is the user ID used to log on to the web server; therefore, the value specified for mapping.user.uniqueIdAttribute should always be the same as the value specified for mapping.user.uid.
* Some Active Directory configurations, such as ADAM, do not automatically index attributes. If no index is created, performance may be affected. To reduce this possibility, ensure that an index is created for the attribute that is mapped to mapping.user.uniqueIdAttribute.
The following attribute-mapping values are based on an out-of-the-box installation of a Microsoft Active Directory. The actual values you assign to these attribute-mapping properties might vary depending on your Microsoft Active Directory installation:
<service_name>.windchill.mapping.user.postalAddress=postalAddress
<service_name>.windchill.mapping.group.objectClass=group
<service_name>.windchill.mapping.user.uid=sAMAccountName
<service_name>.windchill.mapping.user.cn=cn
<service_name>.windchill.mapping.user.preferredLanguage=preferredLanguage
<service_name>.windchill.mapping.group.uniqueMember=member
<service_name>.windchill.mapping.user.mobile=mobile
<service_name>.windchill.mapping.group.uniqueIdAttribute=sAMAccountName
<service_name>.windchill.mapping.group.description=description
<service_name>.windchill.mapping.user.mail=mail
<service_name>.windchill.mapping.user.facsimileTelephoneNumber=facsimileTelephoneNumber
<service_name>.windchill.mapping.user.sn=sn
<service_name>.windchill.mapping.user.objectClass=user
<service_name>.windchill.mapping.user.uniqueIdAttribute=sAMAccountName
<service_name>.windchill.mapping.user.userCertificate=userCertificate
<service_name>.windchill.mapping.user.o=company
<service_name>.windchill.mapping.user.attributes=objectGUID
The following properties are optional Microsoft Active Directory attribute mappings:
<service_name>.windchill.mapping.user.preferredLanguage=localeID
<service_name>.windchill.mapping.user.labeledURI=wWWHomePage
The following tables list the default attributes for Microsoft Active Directory user objects as compared to Windchill values:
Windchill and Microsoft Active Directory User Object Class

| Windchill Default LDAP User Object Class | Microsoft Active Directory User Object Class |
|------------------------------------------|----------------------------------------------|
| inetOrgPerson | user |

* Some mapping values for Microsoft Active Directory might vary depending on the Active Directory schema in use, which varies based on the release level of Windows being used.
Windchill and Microsoft Active Directory User Attributes

| Windchill Default LDAP User Attribute | Microsoft Active Directory User Attribute |
|---------------------------------------|-------------------------------------------|
| cn | cn |
| mail | mail |
| postalAddress | Out-of-the-box, postalAddress is supported for the Microsoft Active Directory user object class; however, Microsoft Active Directory does not set postalAddress. Instead, it uses several individual attributes: street address, location, postal code, and country. To enable Windchill to see a postalAddress value, do one of the following: (1) assign all address information to the user object's postalAddress attribute, or (2) use another attribute to consolidate all of the address information and map that attribute to postalAddress on the JNDI adapter definition. Note: if the value specified for this attribute contains the $ character and the property <jndiAdapterName>.<webAppName>.config.directoryType is set to ADS, the $ character will be replaced by a new line. For more information about configuring this property, see JNDI Adapter Properties. |
| preferredLanguage | Out-of-the-box, Microsoft Active Directory does not have a preferredLanguage attribute for user objects. Windchill will not see a preferredLanguage value unless your Microsoft Active Directory installation is configured to set one of the user object's attributes to a preferred language value and that attribute is mapped to preferredLanguage on the JNDI adapter definition. |
| sn | sn |
| uid | An out-of-the-box Microsoft Active Directory does not have a uid attribute for user objects. Instead, two attributes contain the user ID (uid) information: sAMAccountName, which is the user ID itself, and userPrincipalName, which is the user ID with the domain appended (for example, user@myco.com). To enable Windchill to see a uid value, one of these attributes has to be mapped to uid on the JNDI adapter definition. Use the attribute that corresponds to the user ID format that is passed along by your web server. |
| userPassword | Out-of-the-box, userPassword is supported for the Microsoft Active Directory user object class, but Microsoft Active Directory does not set userPassword. Windchill will not see a userPassword value unless your Microsoft Active Directory installation sets it (or sets another attribute that you map to userPassword on the JNDI adapter definition). |
| userCertificate | userCertificate |
| o | The Microsoft Active Directory schema supports o as an optional attribute for the user object class. However, o is typically not set by Active Directory. Therefore, by default, Windchill maps o to company. You can change this mapping if necessary. |
| telephoneNumber | telephoneNumber |
| facsimileTelephoneNumber | facsimileTelephoneNumber |
| mobile | mobile |
| labeledURI | Out-of-the-box, Microsoft Active Directory does not have a labeledURI attribute for user objects. Instead, the wWWHomePage attribute contains the same information. To enable Windchill to see a labeledURI value, wWWHomePage can be mapped to labeledURI on the JNDI adapter definition. |
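The table above describes, attribute by attribute, what Windchill does and does not see from an Active Directory user entry once the mappings are in place. The following added example (not Windchill code, and not a description of Windchill's internal attribute handling) makes that concrete: it takes a constructed Active Directory entry and the user mappings from this section and projects it onto Windchill's map identifiers, including the documented $-to-newline conversion of postalAddress when the directoryType property is ADS and the sAMAccountName versus userPrincipalName choice for uid. The entry contents (Jane Doe, example.com) are constructed sample data; the value "LDAP" used for a non-ADS directory type is an assumption of this example.

```python
"""Project a raw Active Directory user entry onto Windchill's user attributes.

Added example, not Windchill code. For each Windchill map identifier it reads
the directory attribute that identifier is mapped to, so the result shows which
values Windchill would and would not see for the entry.
"""

# Windchill identifier -> Active Directory attribute, as set on the JNDI adapter
# in this section (the required mappings plus the two optional ones).
AD_USER_MAPPING = {
    "objectClass": "user", "cn": "cn", "sn": "sn", "mail": "mail",
    "uid": "sAMAccountName", "uniqueIdAttribute": "sAMAccountName",
    "o": "company", "postalAddress": "postalAddress",
    "telephoneNumber": "telephoneNumber", "mobile": "mobile",
    "facsimileTelephoneNumber": "facsimileTelephoneNumber",
    "userCertificate": "userCertificate",
    "preferredLanguage": "localeID",   # optional mapping
    "labeledURI": "wWWHomePage",       # optional mapping
}

# A constructed AD entry as a search would return it (attribute -> list of values).
SAMPLE_AD_ENTRY = {
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "cn": ["Jane Doe"], "sn": ["Doe"], "mail": ["jane.doe@example.com"],
    "sAMAccountName": ["jdoe"], "userPrincipalName": ["jdoe@example.com"],
    "company": ["Example Corp"],
    "postalAddress": ["1 Main St$Springfield$12345"],   # consolidated, $-separated
    "wWWHomePage": ["https://example.com/~jdoe"],
    # no localeID: an out-of-the-box AD sets no preferred language
}


def windchill_view(entry, mapping, directory_type="ADS"):
    """Return {windchill_identifier: value} for the attributes present in entry.
    Identifiers whose mapped attribute is absent are left out rather than
    defaulted; that is what "Windchill will not see a value" means above."""
    view = {}
    for identifier, attr in mapping.items():
        if identifier in ("objectClass", "uniqueIdAttribute"):
            continue   # the object class is a search criterion, not a user value
        values = entry.get(attr)
        if not values:
            continue
        value = values[0]
        if identifier == "postalAddress" and directory_type == "ADS":
            value = value.replace("$", "\n")   # documented ADS behaviour
        view[identifier] = value
    return view


def unique_id(entry, mapping):
    """The value Windchill would use to identify the user uniquely."""
    values = entry.get(mapping["uniqueIdAttribute"])
    return values[0] if values else None


def is_mapped_user(entry, mapping):
    """True when the entry carries the object class named by mapping.user.objectClass."""
    return mapping["objectClass"] in entry.get("objectClass", [])


if __name__ == "__main__":
    for key, value in windchill_view(SAMPLE_AD_ENTRY, AD_USER_MAPPING).items():
        print(f"{key}: {value!r}")
    print("uniqueId:", unique_id(SAMPLE_AD_ENTRY, AD_USER_MAPPING))
```

For the sample entry, preferredLanguage and telephoneNumber are absent from the result because the mapped attributes are not set, postalAddress comes back with newlines in place of each $, and switching both uid and uniqueIdAttribute to userPrincipalName changes the visible user ID from jdoe to jdoe@example.com.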
Additional Attributes
If Active Directory is selected as the default LDAP service, an additional attribute objectGUID is pre-populated by default. This attribute is mandatory for Active Directory. Multiple additional attributes can be specified as a comma-separated list.
The objectGUID is used to uniquely identify a user in the Active Directory. The JNDI adapter configuration file is updated to have the following entry:
<service_name>.windchill.mapping.user.attributes=<commaSeparatedValues>
Microsoft Active Directory Group Object LDAP Attributes

| Windchill Default LDAP Group Object Class | Microsoft Active Directory Group Object Class |
|-------------------------------------------|-----------------------------------------------|
| groupOfUniqueNames | group |

Windchill and Microsoft Active Directory Group Attributes

| Windchill Default LDAP Group Attribute | Microsoft Active Directory Group Attribute |
|----------------------------------------|--------------------------------------------|
| cn | cn |
| description | description |
| uniqueMember | The out-of-the-box Microsoft Active Directory does not have a uniqueMember attribute for group objects. Instead, it has the member attribute. To enable Windchill to see Microsoft Active Directory group members, map the member attribute to uniqueMember on the JNDI adapter definition. |
To enable Windchill to work with Microsoft Active Directory group objects and group members, the following attribute-mapping properties must be set for group objects on the JNDI adapter definition:
mapping.group.cn=cn
mapping.group.objectClass=group
mapping.group.uniqueMember=member
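This section states several rules an Active Directory configuration has to satisfy at once: the required user mappings listed earlier, uniqueIdAttribute matching uid, objectGUID in the user attribute list, uid mapped to one of the two attributes that carry the user ID, and the group mappings just listed. A misconfigured mapping is an identity problem rather than a cosmetic one (for example a uniqueIdAttribute that does not match uid), so it is worth checking before the properties are reloaded. The following added example (not Windchill code) reads mapping properties in either the short form used in this section or the full <service_name>.windchill.mapping.* form and reports every documented rule the configuration breaks; the function names and finding texts are this example's own.

```python
"""Check a JNDI adapter mapping against the Active Directory rules above.

Added example, not Windchill code. load_mapping reads key=value lines and keeps
only the part after 'mapping.', so both the short form shown in this section
and the full <service_name>.windchill.mapping.* form are accepted.
check_ad_mapping returns one finding per violated rule; an empty list means
the mapping satisfies everything this section states.
"""

# Required values for Active Directory (user and group lists in this section).
AD_REQUIRED = {
    "user.objectClass": "user",
    "group.objectClass": "group",
    "group.cn": "cn",
    "group.uniqueMember": "member",
}
# The two AD attributes that carry the user ID (see the uid row above).
AD_UID_ATTRIBUTES = ("sAMAccountName", "userPrincipalName")


def load_mapping(text):
    """{'user.uid': 'sAMAccountName', ...} from key=value lines."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        _head, marker, short = key.strip().rpartition("mapping.")
        if not sep or not marker or not short:
            raise ValueError(f"line {lineno}: not a mapping property: {line!r}")
        mapping[short] = value.strip()
    return mapping


def check_ad_mapping(mapping):
    """Return a list of human-readable findings for the rules in this section."""
    findings = []
    for key, expected in AD_REQUIRED.items():
        actual = mapping.get(key)
        if actual != expected:
            findings.append(f"{key} must be {expected!r}, found {actual!r}")

    uid = mapping.get("user.uid")
    unique = mapping.get("user.uniqueIdAttribute")
    if uid is None:
        findings.append("user.uid is not mapped; Windchill will not see a user ID")
    elif uid not in AD_UID_ATTRIBUTES:
        findings.append(f"user.uid maps to {uid!r}; Active Directory keeps the user ID in "
                        + " or ".join(AD_UID_ATTRIBUTES))
    if unique != uid:
        findings.append(f"user.uniqueIdAttribute ({unique!r}) must equal user.uid ({uid!r})")

    attrs = [a.strip() for a in mapping.get("user.attributes", "").split(",") if a.strip()]
    if "objectGUID" not in attrs:
        findings.append("user.attributes must include objectGUID (mandatory for Active Directory)")
    return findings


if __name__ == "__main__":
    # Constructed configuration that breaks several of the rules.
    sample = """
    mapping.user.objectClass=inetOrgPerson
    mapping.user.uid=uid
    mapping.user.uniqueIdAttribute=sAMAccountName
    mapping.group.cn=cn
    mapping.group.objectClass=group
    mapping.group.uniqueMember=uniqueMember
    """
    for finding in check_ad_mapping(load_mapping(sample)):
        print("-", finding)
```

Run against the required user and group properties from this section plus user.attributes=objectGUID, the check returns no findings; the constructed sample in the block reports five.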