Agent Installation and Configuration > Windchill RV&S Agent Security > Setting Up LDAP-compliant Security Realm
  
Setting Up LDAP-compliant Security Realm
If you are using a security scheme with a Kerberos or LDAP authentication domain, you must set up your security realm. To set up your security realm, do the following:
Set up the properties for your realm.
Review the batch size for the number of entries returned by the directory server.
If required, set up the realm to use a Secure Sockets Layer.
Review the failover settings.
Setting Up Security Realm Properties
You set up properties for your LDAP-compliant security realm in the security.properties file. Typical settings are pre configured for each of the following supported realms:
OpenLDAP server
Microsoft Active Directory Services (ADS)
Netscape Directory Server
RFC 2307-based schemas on all supported servers
Novell Directory Services
To set up the Windchill RV&S Agent to communicate with your security realm, uncomment the properties that correspond to your security realm, and then edit the properties documented in this topic for server, user, group, and membership.
You should be familiar with how your LDAP-compliant security realm is implemented. At a minimum, you should be familiar with Distinguished Names (DN), LDAP search filters, and LDAP schemas.
For more information on the properties for your security realm, refer to the LDAP documentation or to some of the resources available on the Web.1
* 
Windchill RV&S Agent provides support for the password expiry feature of the LDAP v3 security realm. The only LDAP servers that support this functionality are Sun One/iPlanet/Netscape Directory Servers.
LDAP Bind Credential Properties
These settings establish the LDAP bind credential used when enumerating users and groups.
Property
Description
ldap.host
Host name (or IP address) of LDAP server.
ldap.port
LDAP server port to connect to. By default, server.port is 389 for connections using clear protocol and 636 for connections using private protocol.
ldap.principal
Distinguished Name (DN) of user/principal used to connect to LDAP server. Principal should be an unprivileged user (that is, principal should have read-only access).
ldap.credential
Password of above user/principal.
If you want to follow LDAP referrals, specify the additional server addresses using the following format:
ldap.host.1=<host1>
ldap.principal.1=<principaluser>
ldap.credential.1=<principleuserpassword> ldap.host.2=<host2>
ldap.principal.2=<principaluser
ldap.server.credential.2=<principaluserpassword>
If a referral is not specified in this list, it will not be followed.
The host name is looked up using DNS, and the failover mechanism applies.
User Properties
These settings define where to find users in the directory.
Property
Description
ldap.user.dn
One or more base Distinguished Names (DN) for searching users.
ldap.user.filter
LDAP search filters to match user entries (where %u is substituted for user).
ldap.user.scope
Range for searching users. Allowed values are subtree, one-level, or base. By default, ldap.user.scope=subtree.
ldap.user.name
Name or user ID of user.
ldap.user.displayname
Full name for user. Specifying this property turns on full name.
ldap.user.e-mail
E-mail address for user.
Property not defined for rfc 2307 realms.
ldap.user.objectclass
Object class value that indicates object is user.
If you are using a security scheme with a Windows security realm, the default setting for the user.filter entry uses the pre-Windows 2000 method of authentication which typically uses the user’s short login, for example, mkern. If users want to log in using their e-mail address (for example, mkern@mks.com), you must change this entry by substituting the mail attribute for samaccountname in both the ldap.user.filter and ldap.user.name properties, for example:
ldap.user.filter=(&(mail=%u)(objectclass=user) (objectcategory=person))
ldap.user.scope=subtree
ldap.user.name=mail
ldap.user.displayname=displayName
ldap.user.e-mail=mail
ldap.user.objectclass=user
Some LDAP-compliant security realms do not allow queries with more than 1000 results. If you have a large number of users, you should set up multiple DNs to send multiple queries with smaller results. For example, if there are smaller contexts with less than 1000 users, you could create several, more specific DNs:
user.dn.1=ou=support,ou=users,dc=northamerica,dc=support,dc=com
user.dn.2=ou=boston,ou=users,dc=northamerica,dc=support,dc=com
user.dn.3=ou=qa,ou=users,dc=northamerica,dc=support,dc=com
user.dn.4=ou=development,ou=users,dc=northamerica,dc=support,dc=com
You only need to list users who connect to the Windchill RV&S Agent.
Member Properties
These settings define where to find members of groups in the directory.
Property
Description
ldap.member.dn
One or more base Distinguished Names for searching group members (where %M is substituted with value of member name/DN for group).
ldap.member.filter
Filter to resolve member (where %M is substituted with value of member name/DN for group).
ldap.member.scope
Range for searching members. Allowed values are subtree, one-level, or base.
Organizational Unit Properties
These settings define the object class name and display name for an organizational unit.
Property
Description
ldap.ou.objectclass
Object class name for organizational unit.
ldap.ou.name
Display name for organizational unit.
1 General LDAP documentationhttp://www.umich.edu/~dirsvcs/ldap/doc/Microsoft Active Directory Serverhttp://www.microsoft.com/windows2000/technologies/directory/ad/default.asp#section8OpenLDAPhttp://www.openldap.org/Novell Directory Services for Windowshttp://developer.novell.com/edirectory/ndsldap.htmRFC 2307http://www.ietf.org/rfc/rfc2307.txt