Entering Your LDAP Settings
Windchill Directory Server is an LDAP-compliant enterprise directory that is bundled with Windchill. Windchill Directory Server is required for managing Windchill operation definitions. It can also optionally manage Windchill user information.
When installing Windchill Directory Server on a separate machine from your Windchill solution, Windchill Directory Server requires a locally installed Java SE Development Kit (JDK).
Note: The Windchill Directory Server must be installed on local disk. It must not be installed on NFS mounts or other non-local disk. Attempting to install the Windchill Directory Server on non-local storage can cause data corruption, file locking issues, and startup failures. In addition, antivirus software must be turned off or be configured to avoid scanning the Windchill Directory Server installation directory.
The LDAP settings create a default LDAP directory structure similar to the following:
[Figure: default LDAP directory structure created by the LDAP settings]
Note: Depending on the product you are installing, the default LDAP directory structure is different.
In the Define Settings section, enter your LDAP settings:

LDAP Server DNS Registered Host Name
  Description: <hostname>.<domain> is the default.
LDAP Server Administrator Distinguished Name
  Description: The distinguished name for the Windchill Directory Server administrator. The setup program creates the directory using the distinguished name that you specify. cn=Manager is the default.
LDAP Server Administrator Password
  Description: Windchill Directory Server administrator’s password. Semicolons are restricted characters and cannot be used in administrator passwords.
Confirm LDAP Server Administrator Password
  Description: Specify the same password that you specified for the Administrator’s password.
The following default values are set for you during the Express installation. You cannot change these values during an Express installation.

LDAP Server Port Number
  Default: 389
  Description: Defines the port number that the Windchill Directory Server listens on for requests.
  Note: If both Windchill Directory Server and Active Directory are to be run on the same host, use a port other than 389, or there will likely be a conflict with the running Active Directory server, which defaults to port 389 for non-SSL communication.
Base Distinguished Name for Product Properties
  Default: cn=configuration,cn=Windchill_10.0,o=<mycompany>
  Description: Defines the distinguished name of the top subtree LDAP entry under which Windchill configuration LDAP entries reside.
Base Distinguished Name for Administrative Users
  Default: ou=people,cn=AdministrativeLdap,cn=Windchill_10.0,o=<mycompany>
  Description: Specifies a base node in the Administrative Directory hierarchy that contains all users in the directory that should be visible to Windchill.
Base Distinguished Name for Enterprise Users
  Default: ou=people,cn=EnterpriseLdap,cn=Windchill_10.0,o=<mycompany>
  Description: Specifies a base node in the Enterprise Directory hierarchy that contains all users in the directory that should be visible to Windchill.
  Note: This option does not apply when a solution is installed standalone.
  Note: Refer to the section Preparing Enterprise LDAP for Installation Data Load before setting this option.
Enterprise User entries are in the Enterprise LDAP
  Default: No
  Description: Specifies whether user definitions are stored in the enterprise LDAP.
Windchill Directory Server Directory Suffix
  Default: o=Company Name
  Description: Defines the LDAP base distinguished name under which the entire set of Windchill-created entries will be stored.
Windchill Directory Server Administrator Port
  Default: 4444
  Description: The port number that is used by the Windchill Directory Server control panel to administer Windchill Directory Server.
Windchill Directory Server JMX Access Port Number
  Default: 1689
  Description: The port number used by JMX clients to retrieve Windchill Directory Server usage data. The standard JMX clients, JConsole or VisualVM, can be used to connect to Windchill Directory Server on this port.
Define the settings for the Windchill Directory Server LDAP directory:
Note: The following is a complete list of possible options; some may not appear depending on whether you are installing WDS on the same server as Windchill or standalone.

LDAP Server DNS Registered Host Name
  Default: <hostname>.<domain>
  Description: <hostname>.<domain> is the default.
LDAP Server Port Number
  Default: 389
  Description: Defines the port number that the Windchill Directory Server listens on for requests.
LDAP Server Administrator Distinguished Name
  Default: cn=Manager
  Description: The distinguished name for the Windchill Directory Server administrator. The setup program creates the directory using the distinguished name that you specify.
LDAP Server Administrative Password
  Description: Windchill Directory Server administrator’s password.
Confirm LDAP Server Administrative Password
  Description: Specify the same password that you specified for the Administrator’s password.
  Note: This field only appears when installing a new Windchill Directory Server LDAP Server.
LDAP Server Base DN
  Default: o=PTC
  Description: Defines the LDAP base distinguished name under which the entire set of Windchill-created entries will be stored. This is the base Organization name. Organizations with other names can be created later within Windchill if a multi-organization deployment is required. Enter the base name (for example, mycompany) as the value after “o=” in the Base Distinguished Name for Product Properties and Base Distinguished Name for Administrative Users fields.
LDAP Server Administrator Port
  Default: 4444
  Description: The port number that is used by the Windchill Directory Server control panel to administer Windchill Directory Server.
LDAP Server JMX Access Port Number
  Default: 1689
  Description: The port number used by JMX clients to retrieve Windchill Directory Server usage data. The standard JMX clients, JConsole or VisualVM, can be used to connect to Windchill Directory Server on this port.
Base Distinguished Name for Product Properties
  Default: cn=configuration,cn=Windchill_10.0,o=PTC
  Description: Defines the distinguished name of the top subtree LDAP entry under which Windchill configuration LDAP entries reside. You can enter any unique base unless you entered a context name as part of the distinguished name entered here. By default, no context name was required when you installed Windchill Directory Server.
Base Distinguished Name for Administrative Users
  Default: ou=people,cn=AdministrativeLdap,cn=Windchill_10.0,o=ptc
  Description: Defines the distinguished name of the LDAP subtree under which Administrative LDAP entries reside. Users and groups under this subtree will be visible to Windchill. You can edit this field to change the suggested name.
Base Distinguished Name for Enterprise Users
  Default: ou=people,cn=EnterpriseLdap,cn=Windchill_10.0,o=ptc
  Description: Defines the distinguished name of an LDAP subtree under which Enterprise LDAP entries reside. Users and groups under this subtree will be visible to Windchill. If a separate LDAP server such as Active Directory is to be used as the source of Windchill usernames and passwords, set this value to the location where Windchill users are located in that other LDAP server. If there are multiple branches in the LDAP, set the value to the base of all branches. The bind user (to be entered later) must have at least read permission to the location. For example: cn=Users,dc=atwood,dc=com
Enable Separate Enterprise LDAP Server
  Default: This option is not selected by default. When you do not select the check box, the default settings for the JNDI Adapter Settings appear.
  Description: Specifies whether the enterprise subtree is in a separate LDAP Server (for example, a site corporate LDAP server). If you select the check box, the next screen displays settings for the separate LDAP server. Specify the settings for the LDAP server you wish to use. See these settings later in this section.
  Note: Refer to the section Preparing an Enterprise LDAP Including Active Directory before setting this option.
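The Base DN fields above must all describe one tree under the directory suffix (the base name entered after "o=" has to be repeated consistently). The following added example, which is not PTC code, parses the installer's default distinguished names, checks each Base DN against the suffix, and renders the tree those defaults create; the sample values are the table defaults with o=mycompany substituted for the placeholder, and the function names are assumptions.

```python
import re

# Constructed sample values: the installer defaults from the tables above, with the
# o=<mycompany> placeholder filled in as o=mycompany.
SUFFIX = "o=mycompany"
DEFAULT_BASE_DNS = {
    "Product Properties": "cn=configuration,cn=Windchill_10.0,o=mycompany",
    "Administrative Users": "ou=people,cn=AdministrativeLdap,cn=Windchill_10.0,o=mycompany",
    "Enterprise Users": "ou=people,cn=EnterpriseLdap,cn=Windchill_10.0,o=mycompany",
}

def parse_dn(dn):
    """Split a DN into (type, value) RDNs, leaf first, honouring backslash-escaped
    commas (RFC 4514). Attribute types are case-insensitive and are lower-cased."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        rdns.append((attr.strip().lower(), value.strip().replace("\\,", ",")))
    return rdns

def is_under(dn, base):
    """True when dn equals base or lies beneath it; values compare case-insensitively,
    as the directory does for cn, ou and o (caseIgnoreMatch)."""
    d = [(a, v.lower()) for a, v in parse_dn(dn)]
    b = [(a, v.lower()) for a, v in parse_dn(base)]
    return len(d) >= len(b) and d[-len(b):] == b

def misplaced_base_dns(base_dns, suffix):
    """Names of Base DN fields that are not under the directory suffix. A Base DN for
    Enterprise Users that points into a separate enterprise LDAP is expected to appear here."""
    return [name for name, dn in base_dns.items() if not is_under(dn, suffix)]

def build_tree(base_dns):
    """Nested dict of the entries the installer creates under the suffix, root first."""
    tree = {}
    for dn in base_dns.values():
        node = tree
        for attr, value in reversed(parse_dn(dn)):
            node = node.setdefault(f"{attr}={value}", {})
    return tree

def render_tree(tree, depth=0):
    """Flatten the nested dict into indented lines, siblings in sorted order."""
    lines = []
    for name in sorted(tree):
        lines.append("  " * depth + name)
        lines.extend(render_tree(tree[name], depth + 1))
    return lines
```

Calling render_tree(build_tree(DEFAULT_BASE_DNS)) yields o=mycompany, then cn=Windchill_10.0, then the cn=AdministrativeLdap and cn=EnterpriseLdap subtrees (each with ou=people) beside cn=configuration; with a Base DN for Enterprise Users such as cn=Users,dc=atwood,dc=com, misplaced_base_dns reports that field as lying outside the suffix.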
The following list contains enterprise LDAP options:

Enterprise Repository LDAP Server Host Name
  Default: <hostname>.<domainname>
  Description: Host name to connect to the Enterprise LDAP Server. An Enterprise LDAP can exist on a local or remote machine. You can use either a V3 Compliant LDAP or an existing Microsoft Active Directory Service (ADS) for this.
Enterprise Repository LDAP Server Port
  Default: 389
  Description: The port number that Windchill will use to communicate with the enterprise LDAP server.
LDAP Connection
  Default: Bind as User
  Description: Specifies the bind method used to connect to the Enterprise Repository. Two options are available: Bind as Anonymous, which does not require a user name to read the contents of the repository; and Bind as User, which binds to the directory as the user specified. This user must exist in the Enterprise Repository LDAP.
Enterprise Repository LDAP User Distinguished Name
  Default: cn=Manager
  Description: Specify the distinguished name of an existing LDAP user. If the Enterprise LDAP Server is ADS, specify an existing ADS user in user@domain format.
Enterprise Repository LDAP Password
  Description: Enter the password of the specified user.
Windchill Privileges for Repository
  Default: Read, Write
  Description: Sets a flag indicating whether this is a read/write adapter. If it is ADS, you can bind in Read-only mode only. For other V3 compliant LDAP, you can choose Read, Write. The user specified earlier must have the corresponding privilege.
Repository contains
  Default: Users
  Description: Select either the User or Group check box. Depending on the option selected, Windchill considers the users/groups defined in this Enterprise LDAP when determining Windchill access. If the repository is Read Only, Windchill does not attempt to manage users and groups in the repository.
LDAP Service

LDAP Service
  Default: Active Directory Service (ADS)
  Description: Select this option if the enterprise node is ADS. Otherwise, select Other V3 Compliant LDAP. As soon as you select ADS, the following options later in this section are highlighted. See Default User Mappings for ADS Attributes.
Enterprise Adapter Name
  Default: <reverse hostname>.EnterpriseLDAP
  Description: Change only the text "EnterpriseLDAP" in this field.
User Filter
  Description: To filter users. Only those users who are selected here are searchable through Windchill.
  Examples:
  If the Enterprise Node (LDAP) is Windchill Directory Server:
    uid=* (searches for all users)
    or
    uid=ne* (searches for all users with the name starting with ne)
  If the Enterprise Node is ADS:
    cn=* (searches for all users)
    or
    cn=ne* (searches for all users with the name starting with ne)
  Note: You can modify these criteria after installation by going to Site > Utilities > Info*Engine Administrator and selecting the respective Enterprise Adapter.
Group Filter
  Description: To filter groups. Only those groups that are selected here are searchable through Windchill.
  Examples:
  If the Enterprise Node (LDAP) is Windchill Directory Server:
    cn=* (searches for all groups)
    or
    cn=gr* (searches for all groups with the name starting with gr)
  If the Enterprise Node is ADS:
    cn=* (searches for all groups)
    or
    cn=gr* (searches for all groups with the name starting with gr), and so on.
  Note: You can modify these criteria after installation by going to Site > Utilities > Info*Engine and selecting the respective Enterprise Adapter.
LDAP Server Attribute Mapping to Windchill Attributes
Attribute mapping is configured in the LDAP Adapters. The values supplied here are stored in the LDAP Adapter definition. An option is provided to allow the automatic addition of a default set for ADS. ADS cannot be used without specifying a default set. The defaults can be adjusted to suit a site’s needs. For other LDAP V3 compliant directories, no mappings are required. If a site requires it, mappings can be defined in any configured LDAP Adapter; consult Configuring Additional Enterprise Directories.
Default User Mappings for ADS Attributes
The "Option" column specifies the attribute name expected by Windchill and the "Default" column specifies the ADS attribute name.

Option                      | Default
User Certificate            | userCertificate
Unique Identifier Attribute | sAMAccountName
Telephone Number            | telephoneNumber
Postal Address              | postalAddress
Preferred Language          | preferredLanguage
Common Name                 | cn
Surname                     | sn
Mobile Phone Number         | mobile
E-Mail Address              | mail
Object Class                | user
Organization Name           | company
Fax Number                  | facsimileTelephoneNumber
Unique Identifier           | sAMAccountName
Descriptions for these fields can be found in Configuring Additional Enterprise Directories.
Note: By default, both the unique identifier attribute and the unique identifier can have the same value; however, the unique identifier attribute must always point to an attribute that holds a unique value. If you do not have multiple subdomains in your ADS configuration, and you know that the sAMAccountName is unique within a single domain, then you can use the default value for your unique identifier attribute. If the values for your sAMAccountName are not unique, then you should use the userPrincipalName for your unique identifier attribute.
Note: The most important required attribute after name and password is the Organization Name, which is mapped to company by default. This attribute should have a value set for each Active Directory user that is also a Windchill user (excepting Site Administrators). The value must match one of the existing Organizations that is configured in Windchill Directory Server.
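The User Filter examples earlier in this section and the two notes above (a unique identifier attribute that really is unique, and an Organization Name that matches a configured Windchill organization) can be checked before the adapter is created. The following added example, which is not PTC code, applies a filter of the form the installer's User Filter field accepts to constructed sample Active Directory entries, then reports duplicate unique-identifier values and users whose mapped company is not a known Windchill organization; the sample entries, the organization list, and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample AD user entries (not real data). Two accounts in different
# subdomains share a sAMAccountName; one account has no company attribute set.
SAMPLE_USERS = [
    {"dn": "cn=Ned Stark,cn=Users,dc=corp,dc=example", "cn": "Ned Stark",
     "sAMAccountName": "nstark", "userPrincipalName": "nstark@corp.example", "company": "PTC"},
    {"dn": "cn=Nell Stark,cn=Users,dc=eu,dc=corp,dc=example", "cn": "Nell Stark",
     "sAMAccountName": "nstark", "userPrincipalName": "nstark@eu.corp.example", "company": "PTC"},
    {"dn": "cn=Ann Bell,cn=Users,dc=corp,dc=example", "cn": "Ann Bell",
     "sAMAccountName": "abell", "userPrincipalName": "abell@corp.example", "company": ""},
]

# One-attribute filter of the form the User Filter field shows: "cn=*", "uid= ne*", "(cn=*)".
FILTER_RE = re.compile(r"^\(?\s*([A-Za-z][\w-]*)\s*=\s*([^()]*?)\s*\)?$")

def matches_filter(entry, flt):
    """Evaluate a presence ("cn=*") or wildcard ("cn=ne*") filter against one entry.
    cn and uid use caseIgnoreMatch in LDAP, so the comparison is case-insensitive."""
    m = FILTER_RE.match(flt)
    if not m:
        raise ValueError(f"unsupported filter: {flt!r}")
    attr, pattern = m.groups()
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, entry.get(attr, ""), re.IGNORECASE) is not None

def duplicate_identifiers(users, attr):
    """Values of the Unique Identifier Attribute that occur more than once (should be none)."""
    counts = Counter(u.get(attr, "") for u in users)
    return sorted(v for v, n in counts.items() if n > 1)

def users_without_organization(users, known_orgs, attr="company"):
    """DNs of users whose mapped Organization Name is empty or is not a Windchill organization."""
    return [u["dn"] for u in users if u.get(attr, "") not in known_orgs]

def audit(users, user_filter="cn=*", uid_attr="sAMAccountName", known_orgs=("PTC",)):
    """Apply the user filter, then run both mapping checks on the selected users."""
    selected = [u for u in users if matches_filter(u, user_filter)]
    return {
        "selected": [u["cn"] for u in selected],
        "duplicate_ids": duplicate_identifiers(selected, uid_attr),
        "missing_org": users_without_organization(selected, set(known_orgs)),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_USERS))                                  # flags "nstark" and Ann Bell
    print(audit(SAMPLE_USERS, "cn=ne*", "userPrincipalName"))  # UPN is unique; Ann Bell is filtered out
```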
Default Group Mappings for ADS Attributes
The "Option" column specifies the attribute name expected by Windchill and the "Default" column specifies the ADS attribute name.

Option                      | Default
Unique Identifier Attribute | sAMAccountName
Description                 | description
Object Class                | group
Unique Member               | member
Descriptions for these fields can be found in Configuring Additional Enterprise Directories.
Starting the Windchill Directory Server
On both Windows and UNIX systems, you need to start the Windchill Directory Server every time you reboot the machine. For more information, see Starting the Windchill Directory Server.