Agent Installation and Configuration > Windchill RV&S Agent Security > Setting Up LDAP-compliant Security Realm
Setting Up LDAP-compliant Security Realm
If you are using a security scheme with a Kerberos or LDAP authentication domain, you must set up your security realm. To set up your security realm, do the following:
Set up the properties for your realm.
Review the batch size for the number of entries returned by the directory server.
If required, set up the realm to use a Secure Sockets Layer.
Review the failover settings.
Setting Up Security Realm Properties
You set up properties for your LDAP-compliant security realm in the file. Typical settings are pre configured for each of the following supported realms:
OpenLDAP server
Microsoft Active Directory Services (ADS)
Netscape Directory Server
RFC 2307-based schemas on all supported servers
Novell Directory Services
To set up the Windchill RV&S Agent to communicate with your security realm, uncomment the properties that correspond to your security realm, and then edit the properties documented in this topic for server, user, group, and membership.
You should be familiar with how your LDAP-compliant security realm is implemented. At a minimum, you should be familiar with Distinguished Names (DN), LDAP search filters, and LDAP schemas.
For more information on the properties for your security realm, refer to the LDAP documentation or to some of the resources available on the Web.1
Windchill RV&S Agent provides support for the password expiry feature of the LDAP v3 security realm. The only LDAP servers that support this functionality are Sun One/iPlanet/Netscape Directory Servers.
LDAP Bind Credential Properties
These settings establish the LDAP bind credential used when enumerating users and groups.
Host name (or IP address) of LDAP server.
LDAP server port to connect to. By default, server.port is 389 for connections using clear protocol and 636 for connections using private protocol.
Distinguished Name (DN) of user/principal used to connect to LDAP server. Principal should be an unprivileged user (that is, principal should have read-only access).
Password of above user/principal.
If you want to follow LDAP referrals, specify the additional server addresses using the following format:<host1>
If a referral is not specified in this list, it will not be followed.
The host name is looked up using DNS, and the failover mechanism applies.
User Properties
These settings define where to find users in the directory.
One or more base Distinguished Names (DN) for searching users.
LDAP search filters to match user entries (where %u is substituted for user).
Range for searching users. Allowed values are subtree, one-level, or base. By default, ldap.user.scope=subtree.
Name or user ID of user.
Full name for user. Specifying this property turns on full name.
E-mail address for user.
Property not defined for rfc 2307 realms.
Object class value that indicates object is user.
If you are using a security scheme with a Windows security realm, the default setting for the user.filter entry uses the pre-Windows 2000 method of authentication which typically uses the user’s short login, for example, mkern. If users want to log in using their e-mail address (for example,, you must change this entry by substituting the mail attribute for samaccountname in both the ldap.user.filter and properties, for example:
ldap.user.filter=(&(mail=%u)(objectclass=user) (objectcategory=person))
Some LDAP-compliant security realms do not allow queries with more than 1000 results. If you have a large number of users, you should set up multiple DNs to send multiple queries with smaller results. For example, if there are smaller contexts with less than 1000 users, you could create several, more specific DNs:
You only need to list users who connect to the Windchill RV&S Agent.
Member Properties
These settings define where to find members of groups in the directory.
One or more base Distinguished Names for searching group members (where %M is substituted with value of member name/DN for group).
Filter to resolve member (where %M is substituted with value of member name/DN for group).
Range for searching members. Allowed values are subtree, one-level, or base.
Organizational Unit Properties
These settings define the object class name and display name for an organizational unit.
Object class name for organizational unit.
Display name for organizational unit.

1 General LDAP documentation Active Directory Server Directory Services for Windows 2307