Entering Your LDAP Settings
A default LDAP directory, which can be Active Directory or another LDAP V3 compliant server, is required for managing Windchill users. It can optionally also hold Windchill group information.
Note: The Windchill administrator is responsible for ensuring that the configuration and management of the LDAP V3 directory is secure. PTC strongly recommends defense in depth when configuring the LDAP infrastructure. This includes, but is not limited to:
* Strong role-based access control (RBAC), following the principle of least privilege; limit administrative logins.
* LDAPS, so that directory data is encrypted in transit.
* Restricted remote access: open only the ports and protocols necessary for expected operations.
* The latest security patches applied.
* Hosting LDAP on a separate server within the corporate network, not on the server that hosts the Windchill application.
* If LDAP must be deployed on the same server as Windchill, blocking the ports that are not required and making sure they are not exposed to the internal corporate network or the internet.
* Not exposing the LDAP server to the internet.
Depending on the product you are installing, the default LDAP directory structure differs.
Starting with Windchill 12.0.2.0, the PTC Solution Installer (PSI) lets you select LDAP or LDAPS for directory access. To use LDAPS, you must obtain or generate a certificate that proves the identity of the directory server. For production use, PTC recommends a certificate issued by a trusted Certificate Authority. For testing purposes, you can generate a self-signed certificate with any supported Java utility, such as keytool.
Configuring the system to use LDAPS encrypts LDAP data in transit between the directory server (Active Directory or Microsoft Entra Domain Services) and the HTTP server. Windchill supports authentication and communication with Microsoft Entra ID. To configure SSO with Microsoft Entra ID, or to use Microsoft Entra ID as the directory server, you must install Windchill with LDAPS. Windchill talks to a directory only over LDAP/LDAPS, and the Microsoft Entra ID repository does not expose those protocols directly, so you must configure Microsoft Entra ID Domain Services (AADDS) for authentication and communication; Entra ID principals are synced to AADDS. If you use Microsoft Active Directory or AADDS, the user ID (UID) attribute must be mapped to sAMAccountName or userPrincipalName; which one depends on whether your authentication configuration uses SSO or basic authentication, respectively.
Microsoft Entra ID Domain Services (AADDS) cannot authenticate guest users. AADDS authenticates only users whose User type is Member.
Make sure to provide correct certificate information, or the installation is likely to fail. For a cluster setup on a Unix operating system, copy all certificates to the same location on every cluster node; keeping them inside <APACHE_HOME> is suggested. PSI lets you specify the following on a Unix operating system:
Input values for Unix operating system

Location
  The location of the trusted or self-signed certificate that resides in the JVM keystore (Certificates for LDAPS > Location). Provide a valid certificate with an appropriate extension. This field must not be empty.
Type
  The type of certificate encryption.
Password
  Required only if the certificate has an associated password.
LdapVerify Server Certificate
  Enables or disables verification of the server certificate. The default is Off. With verification Off the connection is encrypted but the directory server is not authenticated, so any host in the network path could present its own certificate; set it to On for production once the keystore contains the CA that issued the directory server's certificate.
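Getting the directory server's certificate chain into the JVM keystore is the step the table above depends on. The following is an added example written for this page, not PTC's code: it parses the output of `openssl s_client -connect <ldap-host>:636 -showcerts` into individual PEM certificates and imports the CA certificates with keytool. The keystore path, the password and the alias prefix are assumptions for illustration, and the sample `s_client` output is constructed with placeholder bodies.

```python
"""Import a directory server's certificate chain into a JVM truststore.

Added example for this page, not PTC's code. It parses the text printed by
    openssl s_client -connect <ldap-host>:636 -showcerts </dev/null
into individual PEM certificates and feeds the CA certificates to keytool
(keytool -importcert reads the certificate from stdin when -file is omitted).
The keystore path, password and alias prefix are assumptions for illustration.
"""
import re
import subprocess
from typing import List, Tuple

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def extract_pem_certs(s_client_output: str) -> List[str]:
    """Return every PEM block in order: the server (leaf) certificate first,
    then whatever intermediates the server sent."""
    return [
        "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body
        for body in PEM_RE.findall(s_client_output)
    ]


def keytool_import_argv(keystore: str, storepass: str, alias: str) -> List[str]:
    """keytool command that adds one certificate (read from stdin) to keystore."""
    return ["keytool", "-importcert", "-noprompt",
            "-keystore", keystore, "-storepass", storepass, "-alias", alias]


def import_chain(s_client_output: str, keystore: str, storepass: str,
                 alias_prefix: str = "ldaps", include_leaf: bool = False,
                 execute: bool = True) -> List[Tuple[str, List[str]]]:
    """Import the chain into keystore and return (alias, argv) per certificate.

    The leaf (index 0) is skipped by default: trusting the issuing CA survives
    certificate renewal, pinning the leaf does not. A chain of one certificate
    is a self-signed (test) certificate and is imported as is. With
    execute=False the commands are only planned, nothing is run.
    """
    certs = extract_pem_certs(s_client_output)
    if not certs:
        raise ValueError("no PEM certificates found in s_client output")
    planned: List[Tuple[str, List[str]]] = []
    for idx, pem in enumerate(certs):
        if idx == 0 and not include_leaf and len(certs) > 1:
            continue
        alias = "%s-%d" % (alias_prefix, idx)
        argv = keytool_import_argv(keystore, storepass, alias)
        planned.append((alias, argv))
        if execute:
            subprocess.run(argv, input=pem.encode("ascii"), check=True)
    return planned


# Constructed stand-in for `openssl s_client -showcerts` output; the base64
# bodies are placeholders, not real certificates.
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = ldap.example.test
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
TEVBRiBQTEFDRUhPTERFUg==
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRFIFBMQUNFSE9MREVS
-----END CERTIFICATE-----
---
"""

if __name__ == "__main__":
    plan = import_chain(SAMPLE_S_CLIENT_OUTPUT,
                        "/opt/ptc/Windchill/ldaps-truststore.jks",  # assumed path
                        "changeit", execute=False)
    for alias, argv in plan:
        print(alias, " ".join(argv))
```

After a real import, `keytool -list -keystore <keystore> -alias ldaps-1` confirms the entry, and the LdapVerify Server Certificate option can then be set to On. Passing `-storepass` on the command line exposes the password in the process list; keytool also accepts `-storepass:env NAME` to read it from an environment variable instead.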
In the Define Settings section, enter your LDAP settings:

LDAP Service
  Select this option if the enterprise node is ADS. Otherwise, select other V3 compliant LDAP. As soon as you select ADS, the corresponding options later in this section are highlighted. See Default User Mappings for ADS Attributes.
LDAP Adapter Name
  Only a single LDAP adapter can be configured.
LDAP Server Host Name
  <hostname>.<domain> is the default.
Base Distinguished Name for LDAP Users
  The base distinguished name for LDAP users. The setup program creates the directory using the distinguished name that you specify.
The following default values are set for you during a new installation and cannot be changed at that time.

LDAP Server Port (default: 389)
  The port number that the LDAP server listens on for requests. (389 is the standard port for unencrypted LDAP; LDAPS conventionally listens on 636.)
LDAP User Distinguished Name
  The user node in the LDAP hierarchy that contains all users in the directory that should be visible to Windchill.
LDAP Password
  The LDAP administrator's password, used for the bind account. In line with the least-privilege guidance above, this should be a dedicated account with only the rights Windchill needs (read, or read and write only if the repository is writable), not a domain-wide administrator.
Define the settings for the default LDAP server:

LDAP Service (default: Active Directory Service (ADS))
  Select this option if the enterprise node is ADS. Otherwise, select other V3 compliant LDAP. As soon as you select ADS, the corresponding options later in this section are highlighted. See Default User Mappings for ADS Attributes.
Windchill Privileges for Repository (default: Read Only)
  You can choose to load the demo users only if Read and Write is selected.
Repository Contains (default: Users)
  Select the Users or Groups check box as required. Depending on the selection, the application considers the users or groups defined in this enterprise LDAP when determining access to Windchill. If the repository is read-only, the application does not attempt to manage users and groups in it.
LDAP Connection (default: Bind as User)
  The bind method used to connect to the enterprise repository. Two options are available:
  * Bind as Anonymous: reads the contents of the repository without a user name. This works only if the directory permits anonymous reads, in which case anyone who can reach the directory can read the same data; Active Directory does not allow anonymous LDAP reads by default.
  * Bind as User: binds the specified user to the directory. This user must exist in the LDAP directory.
User Filter
  Filters users. Only users matched by the filter are searchable through Windchill.
  Examples, if the enterprise node is a V3 compliant LDAP:
    uid=* (all users)
    uid=ne* (all users whose uid starts with ne)
  If the enterprise node is ADS:
    cn=* (all users)
    cn=ne* (all users whose cn starts with ne)
  Note: You can modify this criterion after installation by going to Site > Utilities > Info*Engine Administrator and selecting the respective enterprise adapter.
Group Filter
  Filters groups. Only groups matched by the filter are searchable through Windchill.
  Examples, if the enterprise node is a V3 compliant LDAP:
    cn=* (all groups)
    cn=gr* (all groups whose cn starts with gr)
  If the enterprise node is ADS:
    cn=* (all groups)
    cn=gr* (all groups whose cn starts with gr)
  Note: You can modify this criterion after installation by going to Site > Utilities > Info*Engine Administrator and selecting the respective enterprise adapter.
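The User Filter and Group Filter examples above are single attribute=pattern expressions in which `*` is a wildcard. The following added example, written for this page and not PTC's or the Info*Engine adapter's code, evaluates such filters against constructed sample entries so the effect of `uid=ne*`, `cn=*` and `cn=gr*` can be seen, and shows the RFC 4515 escaping that makes a value match literally when a filter is assembled from a value that should not be able to widen it. The sample users and groups are constructed.

```python
"""Evaluate the simple attribute=pattern filters used in the PSI User Filter
and Group Filter fields against directory entries.

Added example, not PTC's code and not the Info*Engine adapter's matcher. It
shows which entries a filter such as uid=ne* or cn=* selects, and how RFC 4515
escaping makes a value match literally. The sample entries are constructed.
"""
import re
from typing import Dict, List, Tuple

Entry = Dict[str, str]

# Constructed sample users (AD-style attributes) and groups.
SAMPLE_USERS: List[Entry] = [
    {"uid": "nemo",   "cn": "Nemo Fischer",  "sAMAccountName": "nemo"},
    {"uid": "neela",  "cn": "Neela Rao",     "sAMAccountName": "neela"},
    {"uid": "alice",  "cn": "Alice Ng",      "sAMAccountName": "alice"},
    {"uid": "svc-wc", "cn": "svc-windchill", "sAMAccountName": "svc-wc"},
]
SAMPLE_GROUPS: List[Entry] = [
    {"cn": "gr-engineering"}, {"cn": "gr-design"}, {"cn": "Domain Admins"},
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: '*', '(', ')', '\\' and NUL become \\XX, so the value
    matches literally instead of being read as filter syntax."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def parse_simple_filter(filter_str: str) -> Tuple[str, str]:
    """Split 'attr=pattern'; surrounding parentheses and whitespace around '='
    are ignored, so 'uid= *' means the same as 'uid=*'."""
    m = re.fullmatch(r"\(?\s*([A-Za-z][\w-]*)\s*=\s*(.*?)\s*\)?", filter_str.strip())
    if not m:
        raise ValueError("not a simple attr=pattern filter: %r" % filter_str)
    return m.group(1), m.group(2)


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an LDAP substring pattern to a regex: '*' matches any run of
    characters, a '\\XX' escape becomes that literal character, everything else
    is literal. Case-insensitive, like the caseIgnore matching rules of cn/uid."""
    parts: List[str] = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            parts.append(".*")
            i += 1
        elif ch == "\\" and re.fullmatch(r"[0-9A-Fa-f]{2}", pattern[i + 1:i + 3]):
            parts.append(re.escape(chr(int(pattern[i + 1:i + 3], 16))))
            i += 3
        else:
            parts.append(re.escape(ch))
            i += 1
    return re.compile("".join(parts), re.IGNORECASE)


def select(filter_str: str, entries: List[Entry]) -> List[str]:
    """Return the filtered attribute's value for every entry the filter matches."""
    attr, pattern = parse_simple_filter(filter_str)
    rx = pattern_to_regex(pattern)
    hits: List[str] = []
    for entry in entries:
        # LDAP attribute names are case-insensitive, so compare them lower-cased.
        by_name = {k.lower(): v for k, v in entry.items()}
        value = by_name.get(attr.lower())
        if value is not None and rx.fullmatch(value):
            hits.append(value)
    return hits


if __name__ == "__main__":
    print(select("uid=ne*", SAMPLE_USERS))        # ['nemo', 'neela']
    print(select("cn=gr*", SAMPLE_GROUPS))        # ['gr-engineering', 'gr-design']
    # A filter assembled from an untrusted value must be escaped, or a '*'
    # in that value widens the match to every entry.
    untrusted = "*"
    print(select("cn=" + untrusted, SAMPLE_USERS))                       # all four users
    print(select("cn=" + escape_filter_value(untrusted), SAMPLE_USERS))  # []
```

The matcher deliberately supports only the single attribute=pattern form the installer fields use; the real adapter accepts full LDAP filter syntax, so a value that should never act as a wildcard or as filter syntax has to be escaped before it is placed in a filter, as `escape_filter_value` does.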
LDAP Server Attribute Mapping to Windchill Attributes
Attribute mapping is configured in the LDAP adapters, and the values supplied here are stored in the LDAP adapter definition. An option automatically adds a default set of mappings for ADS; ADS cannot be used without a default set. The defaults can be adjusted to suit a site's needs. If a site requires it, mappings can be defined in any configured LDAP adapter; see Configuring Additional Enterprise Directories.
Default User Mappings for ADS Attributes
The Option column gives the attribute name expected by Windchill; the Default column gives the ADS attribute name or value.

Object Class: user
Organization Name: company
Unique Identifier: sAMAccountName
Unique Identifier Attribute: sAMAccountName
Common Name: cn
E-Mail Address: mail
Surname: sn
User Certificate: userCertificate
Telephone Number: telephoneNumber
Fax Number: facsimileTelephoneNumber
Mobile Phone Number: mobile
Postal Address: postalAddress
Preferred Language: preferredLanguage
Additional Attribute: objectGUID

Descriptions for these fields can be found in Configuring Additional Enterprise Directories.
Note: By default, the unique identifier attribute and the unique identifier have the same value; however, the unique identifier attribute must always point to an attribute that holds a unique value. sAMAccountName is only guaranteed unique within a single domain. If your ADS configuration has no multiple subdomains and you know that sAMAccountName is unique within that domain, you can keep the default for the unique identifier attribute. If sAMAccountName values are not unique across the scope Windchill searches, use userPrincipalName for the unique identifier attribute, since an identifier shared by two directory entries makes lookups by that attribute ambiguous.
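Whether sAMAccountName is actually unique across everything Windchill will search is something to check before keeping the default. The following added example, written for this page and not PTC's code, runs that check over user entries as they would be exported from each domain in scope and recommends the identifier attribute in the page's order of preference (sAMAccountName, then userPrincipalName). The entries are constructed; the attribute names are the ones in the mapping table above.

```python
"""Check whether sAMAccountName is unique across the directory scope Windchill
will search, and recommend the unique identifier attribute accordingly.

Added example, not PTC's code. It works on user entries as they would be
exported from every domain in scope; the entries below are constructed. The
preference order (sAMAccountName, then userPrincipalName) is the page's.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, str]
Report = Dict[str, List[str]]  # attribute value -> objectGUIDs sharing it

PREFERENCE = ("sAMAccountName", "userPrincipalName")

# Constructed: one domain, every sAMAccountName unique.
SINGLE_DOMAIN_USERS: List[Entry] = [
    {"sAMAccountName": "jsmith", "userPrincipalName": "jsmith@corp.example.test", "objectGUID": "guid-1"},
    {"sAMAccountName": "alee",   "userPrincipalName": "alee@corp.example.test",   "objectGUID": "guid-3"},
]

# Constructed: two domains of one forest; jsmith and mrao exist in both.
FOREST_USERS: List[Entry] = SINGLE_DOMAIN_USERS + [
    {"sAMAccountName": "jsmith", "userPrincipalName": "jsmith@eu.corp.example.test", "objectGUID": "guid-2"},
    {"sAMAccountName": "MRao",   "userPrincipalName": "mrao@corp.example.test",      "objectGUID": "guid-4"},
    {"sAMAccountName": "mrao",   "userPrincipalName": "mrao@eu.corp.example.test",   "objectGUID": "guid-5"},
]


def duplicate_values(entries: List[Entry], attr: str) -> Report:
    """Values of attr held by more than one entry, compared case-insensitively
    as Active Directory compares them. Entries with no value are reported under
    '<missing>': an identifier that is sometimes absent is unusable as well."""
    holders: Dict[str, List[str]] = defaultdict(list)
    for entry in entries:
        guid = entry.get("objectGUID", "?")
        value = entry.get(attr)
        holders[value.casefold() if value else "<missing>"].append(guid)
    return {v: g for v, g in holders.items() if len(g) > 1 or v == "<missing>"}


def recommend_identifier(entries: List[Entry]) -> Tuple[Optional[str], Dict[str, Report]]:
    """First attribute in PREFERENCE that is present and unique on every entry,
    plus the problems found in each attribute rejected before it. None means
    neither attribute is safe and the scope or the data must be fixed first."""
    rejected: Dict[str, Report] = {}
    for attr in PREFERENCE:
        problems = duplicate_values(entries, attr)
        if not problems:
            return attr, rejected
        rejected[attr] = problems
    return None, rejected


if __name__ == "__main__":
    print(recommend_identifier(SINGLE_DOMAIN_USERS))  # ('sAMAccountName', {})
    attr, rejected = recommend_identifier(FOREST_USERS)
    print(attr)  # userPrincipalName
    for value, guids in rejected["sAMAccountName"].items():
        print("sAMAccountName %r shared by %s" % (value, ", ".join(guids)))
```

Run the check over the union of all domains the configured base DN (or all configured adapters) will reach, not over one domain at a time: each domain on its own will report sAMAccountName as unique, which is exactly the case the note above warns about.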
Default Group Mappings for ADS Attributes
The Option column gives the attribute name expected by Windchill; the Default column gives the ADS attribute name.

Unique Identifier Attribute: sAMAccountName
Description: description
Object Class: group
Unique Member: member

Descriptions for these fields can be found in Configuring Additional Enterprise Directories.