User and Group LDAP Attribute Value Mapping
Windchill uses a subset of user and group LDAP attributes that are defined in a LDAP V3 compliant schema. Your directory might not use the exact directory attributes for user and group entries that Windchill expects by default.
When using an enterprise directory for users or groups, you might need to modify which attributes are used in the directory or modify which LDAP object classes define users and groups. This means that when you configure the JNDI adapter you must provide additional attribute-mapping properties to map the default Windchill user and group attributes to the corresponding user and group attributes used by your LDAP directory.
You can map property attributes using the Additional Properties section of the LDAP entry form:
The value you enter is saved in the named JNDI configuration property. After the properties are reloaded, they are then used by the directory service.
When mapping property attributes in the JNDI adapter, the following formats are used to specify the user, group, and organization attribute properties:
Principal | Property Format |
|---|---|
User | <service_name>.windchill.mapping.user.<map_identifier> |
Group | <service_name>.windchill.mapping.group.<map_identifier> |
Organization | <service_name>.windchill.mapping.org.<map_identifier> |
where:
<service_name> is the service name specified for the adapter (the Service Name field in the LDAP property form)
<map_identifier> is the attribute or value that you want to map
The following scenario illustrates how you might set the object class for users:
• You have assigned the JNDI adapter a service name of EnterpriseDirectory1.
• In Windchill, the map identifier when setting the object class property is objectClass.
• You are mapping this property for users, therefore specify the format windchill.mapping.user.
• The default object class value in Windchill is “inetOrgPerson,” but you want to set the value to “organizationalPerson.”
To set this property, you would complete the following actions under the Additional Properties section of the LDAP entry form:
1. In the Property field enter:
EnterpriseDirectory1.windchill.mapping.user.objectClass
2. In the Value field, enter:
organizationalPerson
3. Click Add.
Default User and Group LDAP Attribute Values
The following sections list the default group LDAP object class and attributes used by Windchill and the corresponding object class and attributes used for group objects in other LDAP directories. For Microsoft Active Directory-specific values, see the section Microsoft Active Directory Attribute Mapping for User and Group Objects.
User Object LDAP Attribute Values
The default value in Windchill assigned to the LDAP user object class:
Windchill User Object Class | ||
|---|---|---|
<map_identifier> | Description | LDAP Object Class Default Value |
objectClass | Specifies the LDAP object class value that defines users in the directory service. | inetOrgPerson |
The following table lists the default LDAP values for user objects recognized by Windchill. If necessary, use the <map_identifier> to change the corresponding default attribute value for your LDAP directory:
Windchill LDAP User Attributes | ||
|---|---|---|
<map_identifier> | Description | Default Value |
cn | Identifies the attribute that holds the full name (“common name”) of a user in the directory service | cn |
certificateType | Specifies the type of user certificates that are registered in the directory service. | X.509 |
mail | Identifies the attribute that holds the email address of a user in the directory service. | mail |
postalAddress | Identifies the attribute that holds the postal address of a user in the directory service. | postalAddress |
preferredLanguage | Identifies the attribute that holds the preferred language of a user in the directory service. | preferredLanguage |
sn | Identifies the attribute that holds the surname of a user in the directory service. | sn |
o | Identifies the attribute that holds the organization to which a user in the directory service belongs. You can also set the user initial organization name using the usersOrganizationName. For more information, see the section Set Additional Properties in Create and Configure the JNDI Adapter. | o |
uid | Identifies the attribute that holds the user ID (usually used as login ID) of a user in the directory service. | uid |
uniqueIdAttribute | Identifies the attribute that uniquely identifies a user in the directory service. | uid |
userCertificate | Identifies the attribute that provides the user certificate of a user in the directory service. | userCertificate |
telephoneNumber | Identifies the attribute that holds the primary telephone number of the user. | telephoneNumber |
mobile | Identifies the attribute that holds the cell phone number of the user. | mobile |
facsimileTelephoneNumber | Identifies the attribute that holds the fax number of the user. | facsimileTelephoneNumber |
labledURI | Identifies the attribute that holds the URL of the website of the user. | labledURI |
Group Object LDAP Attribute Values
The default value in Windchill assigned to the LDAP group object class:
Windchill Group Object Class | ||
|---|---|---|
<map_identifier> | Description | Default LDAP Object Class |
objectClass | Specifies the LDAP object class value that defines groups in the directory service. | groupOfUniqueNames |
The following table lists the default LDAP values for group objects recognized by Windchill. If necessary, use the <map_identifier> to change the corresponding default attribute value for your LDAP directory:
Windchill LDAP Group Attributes | ||
|---|---|---|
<map_identifier> | Description | Default Value |
cn | Identifies the attribute that holds the names of groups in the directory service. | cn |
description | Identifies the attribute that holds the descriptive text about groups in the directory service. | description |
filter | Specifies an additional expression that is be added to all LDAP search filters used in querying groups that use this JNDI adapter. By default, no additional expression is added. Example: (ou=Engineering) You can also set the filter using the existing JNDI searchFilter property. | |
uniqueIdAttribute | Identifies the attribute that holds the unique names of groups in the directory service. | cn |
uniqueMember | Identifies the attribute that defines members of groups in the directory service. | uniqueMember |
Microsoft Active Directory Attribute Mapping for User and Group Objects
To enable Windchill to work with Microsoft Active Directory user objects, the following attribute-mapping properties must be set for user objects on the JNDI adapter definition:
mapping.user.objectClass=user
mapping.user.o=company
mapping.user.uid=sAMAccountName
mapping.user.uniqueIdAttribute=sAMAccountName
 | The mapping values represents the attribute that gets mapped to the map identifier. For instance, the map identifier o is mapped to the attribute company. |
| | The uid is assumed to be unique since it is the user ID that is used to log on to the web server, therefore, the value specified for mapping.user.uniqueIdAttribute should always be the same value specified for mapping.user.uid. |
 | Different ActiveDirectory configurations, such as ADAM, do not automatically index attributes. If no index is created there is the possibility that performance may be affected. To reduce this possibility ensure that an index is created for the attribute that is mapped to mapping.user.uniqueIdAttribute. |
The following attribute-mapping values are based on an out-of-the-box installation of a Microsoft Active Directory. The actual values you assign to these attribute-mapping properties might vary depending on your Microsoft Active Directory installation:
<service_name>.windchill.mapping.user.postalAddress=postalAddress
<service_name>.windchill.mapping.group.objectClass=group
<service_name>.windchill.mapping.user.uid=sAMAccountName
<service_name>.windchill.mapping.user.cn=cn
<service_name>.windchill.mapping.user.preferredLanguage=preferredLanguage
<service_name>.windchill.mapping.group.uniqueMember=member
<service_name>.windchill.mapping.user.mobile=mobile
<service_name>.windchill.mapping.group.uniqueIdAttribute=sAMAccountName
<service_name>.windchill.mapping.group.description=description
<service_name>.windchill.mapping.user.mail=mail
<service_name>.windchill.mapping.user.facsimileTelephoneNumber=facsimileTelephoneNumber
<service_name>.windchill.mapping.user.sn=sn
<service_name>.windchill.mapping.user.objectClass=user
<service_name>.windchill.mapping.user.uniqueIdAttribute=sAMAccountName
<service_name>.windchill.mapping.user.userCertificate=userCertificate
<service_name>.windchill.mapping.user.o=company
<service_name>.windchill.mapping.user.attributes=objectGUID
<service_name>.windchill.mapping.group.objectClass=group
<service_name>.windchill.mapping.user.uid=sAMAccountName
<service_name>.windchill.mapping.user.cn=cn
<service_name>.windchill.mapping.user.preferredLanguage=preferredLanguage
<service_name>.windchill.mapping.group.uniqueMember=member
<service_name>.windchill.mapping.user.mobile=mobile
<service_name>.windchill.mapping.group.uniqueIdAttribute=sAMAccountName
<service_name>.windchill.mapping.group.description=description
<service_name>.windchill.mapping.user.mail=mail
<service_name>.windchill.mapping.user.facsimileTelephoneNumber=facsimileTelephoneNumber
<service_name>.windchill.mapping.user.sn=sn
<service_name>.windchill.mapping.user.objectClass=user
<service_name>.windchill.mapping.user.uniqueIdAttribute=sAMAccountName
<service_name>.windchill.mapping.user.userCertificate=userCertificate
<service_name>.windchill.mapping.user.o=company
<service_name>.windchill.mapping.user.attributes=objectGUID
The following properties are optional Microsoft Active Directory attribute mappings:
<service_name>.windchill.mapping.user.preferredLanguage=localeID
<service_name>.windchill.mapping.user.labeledURI=wWWHomePage
<service_name>.windchill.mapping.user.labeledURI=wWWHomePage
The following tables list the default attributes for Microsoft Active Directory user objects as compared to Windchill values:
Windchill Default LDAP User Object Class | Microsoft Active Directory User Object Class |
|---|---|
inetOrgPerson | user |
| | Some mapping values for Microsoft Active Directory might vary depending on the Active Directory schema in use, which varies based on the release level of Windows being used. |
Windchill Default LDAP User Attribute | Microsoft Active Directory User Attribute | ||
|---|---|---|---|
cn | cn | ||
mail | mail | ||
postalAddress | Out-of-the-box postalAddress is supported for the Microsoft Active Directory user object class, however Microsoft Active Directory does not set postalAddress. Instead, it uses several individual attributes: street address, location, postal code, and country.
To enable Windchill to see a postalAddress value, do one of the following: 1) all address information has to be assigned to the user object’s postalAddress attribute, or 2) another attribute can be used to consolidate all of the address information and then that attribute can be mapped to postalAddress on the JNDI adapter definition. | ||
preferredLanguage | Out-of-the-box Microsoft Active Directory does not have a preferredLanguage attribute for user objects. Windchill will not see a preferredLanguage value unless your Microsoft Active Directory installation is configured to set one of the user object’s attributes to a preferred language value and then that attribute is mapped to preferredLanguage on the JNDI adapter definition. | ||
sn | sn | ||
uid | An out-of-the-box Microsoft Active Directory does not have a uid attribute for user objects. Instead there are two attributes that contain the user ID (uid) information: • The first is sAMAccountName, which is the user ID itself. • The second is userPrincipalName, which is the user ID with the domain appended (for example, user@myco.com). To enable Windchill to see a uid value, one of these attributes has to be mapped to uid on the JNDI adapter definition. Use the attribute that corresponds to the user ID format that is passed along by your web server. | ||
userPassword | Out-of-the-box userPassword is supported for the Microsoft Active Directory user object class, but the Microsoft Active Directory does not set userPassword. Windchill will not see a userPassword value unless your Microsoft Active Directory installation sets it (or sets another attribute that you map to userPassword on the JNDI adapter definition). | ||
userCertificate | userCertificate | ||
o | The Microsoft Active Directory schema supports o as an optional attribute for the user object class. However, o typically might not be set by the Active Directory. Therefore, by default, Windchill maps o to company. You can change this mapping if necessary. | ||
telephoneNumber | telephoneNumber | ||
facsimileTelephoneNumber | facsimileTelephoneNumber | ||
mobile | mobile | ||
labeledURI | Out-of-the-box Microsoft Active Directory does not have a labeledURI attribute for user objects. Instead there is the wWWHomePage attribute that contains the same information. To enable Windchill to see a labeledURI value, wWWHomePage can be mapped to labeledURI on the JNDI adapter definition. | ||
Additional Attributes | If Active Directory is selected as the default LDAP service, an additional attribute objectGUID is pre-populated by default. This attribute is mandatory for Active Directory. Multiple additional attributes can be specified as a comma-separated list. The objectGUID is used to uniquely identify a user in the Active Directory. The JNDI adapter configuration file is updated to have the following entry: <service_name>.windchill.mapping.user.attributes=<commaSeparatedValues>. |
Microsoft Active Directory Group Object LDAP Attributes
Windchill Default LDAP Group Object Class | Microsoft Active Directory Group Object Class |
|---|---|
groupofUniqueNames | group |
Windchill Default LDAP Group Attribute | Microsoft Active Directory Group Attribute |
|---|---|
cn | cn |
description | description |
uniqueMember | The out-of-the-box Microsoft Active Directory does not have a uniqueMember attribute for group objects. Instead there is the member attribute. To enable Windchill to see Microsoft Active Directory group members, map the member attribute to uniqueMember on the JNDI adapter definition. |
To enable Windchill to work with Microsoft Active Directory group objects and group members, the following attribute-mapping properties must be set for group objects on the JNDI adapter definition:
mapping.group.cn=cn
mapping.group.objectClass=group
mapping.group.uniqueMember=member