Integration with Established Enterprise Directory Services
Windchill Organization Services is the Windchill subsystem that is responsible for providing and managing information about principals (users, groups, and organizations). Windchill Organization Services integrates with LDAP-based directories to obtain and maintain information about users, groups, and organizations. The primary source of information about every Windchill principal is the LDAP directory service. This level of integration with LDAP-based directories makes Windchill compatible with other enterprise applications that obtain information about principals from the LDAP directory service, including web servers, enterprise email, single sign-on solutions, and Public Key Infrastructure (PKI).
Directory-enabled administration of principals has a number of advantages including:
Enables single user sign-on across the enterprise. When multiple enterprise applications authenticate their users against a common, shared directory service, the concept of a single user sign-on is achieved. This avoids the necessity of creating and maintaining a separate username and password for each enterprise application (or each installation of Windchill deployed in an enterprise).
Minimizes the cost of administration. When multiple directory-enabled applications obtain their information about principals from a single, shared directory service, it becomes unnecessary to duplicate, maintain, or synchronize that information in multiple places. It also becomes unnecessary to deploy and maintain multiple user interfaces for creating and managing that information.
Enables Public Key Infrastructure. Secure exchange of business data based upon digital signature technology, both within and between enterprises, requires that public keys be registered in a place that is easy to access and maintain. Shared, standards-based directory services such as LDAP directories are very convenient registries for public keys. A person’s public key can be registered in a directory entry along with all of the other information that describes that person (for example, name, email and postal addresses, telephone and fax numbers, and so on).
User Information
The Windchill class wt.org.WTUser provides applications with information about their users. Every Windchill user must have an entry in an LDAP directory service. The information conveyed by an instance of wt.org.WTUser is obtained from the corresponding user’s LDAP directory entry. In particular, each instance of this class provides the following information about its user:
name
Specifies the unique name of the user within the scope of the directory context in which the user’s entry resides.
fullName
Specifies the user’s full name.
eMail
Specifies the user’s email address.
locale
Specifies the user’s locale, primarily for generation of email notifications addressed to the user.
certificates
Specifies any public certificates registered for the user (for example, for verifying digital signatures or for encrypting information that only the user can decrypt).
postalAddress
Specifies the user’s postal address.
organizationName
Specifies the name of the organization (for example, company or university) with which the user is employed or associated.
telephoneNumber
Specifies the user’s telephone number.
faxNumber
Specifies the user’s fax number.
mobilePhoneNumber
Specifies the user’s cell phone number.
webSite
Specifies the URL of the user’s website.
Group Information
The Windchill class wt.org.WTGroup provides applications with information about related groups of users. Every Windchill group must have an entry in an LDAP directory service. The information conveyed by an instance of wt.org.WTGroup is obtained from the corresponding group’s LDAP directory entry. In particular, each instance of this class provides the following information about a group:
name
Specifies the unique name of the group within the scope of the directory context in which the entry of the group resides.
description
Provides descriptive text about the group.
members
Specifies the users or nested groups that are members of the group.
Organization Information
The Windchill class wt.org.WTOrganization provides applications with information about organizations (for example, companies, universities, government institutions). Every organization referenced by Windchill must have an entry in an LDAP directory service. The information conveyed by an instance of wt.org.WTOrganization is obtained from the corresponding LDAP directory entry of the organization. In particular, each instance of this class provides the following information about an organization:
name
Specifies the unique name of the organization within the scope of the directory context in which the entry of the organization resides.
organizationIdentifier
Specifies the globally unique identifier under which the organization is registered. This might be a DUNS number, an ISO organization identifier, or a CAGE code.
description
Provides descriptive text about the organization.
members
Specifies the users or groups that are members of the organization.
administrator
Specifies the user or group that serves as administrator of the organization.
classification
Specifies the business classification of the organization.
conferencingIdentifier
Specifies an identifier that is used in conjunction with the conferencingURL attribute to create or subscribe to meetings and conferences scheduled by the organization.
conferencingURL
Specifies the URL of a service that can be used to create or subscribe to meetings and conferences scheduled by the organization.
internetDomain
Specifies the name of the web domain associated with the organization.
location
Specifies the postal address of the organization.
subscriber
Specifies whether or not the organization is a subscriber to a web exchange hosted by Windchill.
webSite
Specifies the URL of the organization website.
While all of the detailed information about each user, group, and organization comes from an LDAP directory, some information about each one is also stored in the Windchill database. Each such database entry serves mainly as a pointer to an LDAP directory entry, but it also contains Windchill-specific information about a user, group, or organization (for example, the Windchill administrative domain in which the principal resides), and it allows Windchill object references for users, groups, and organizations to be constructed and associated with other classes of Windchill objects (for example, creator, modifier, and owner references for parts and documents).
Windchill Organization Services is responsible for interfacing with LDAP directories to query and manage information about Windchill principals. This includes mapping directory attributes to and from the Windchill classes wt.org.WTUser, wt.org.WTGroup, and wt.org.WTOrganization. It also includes the automatic creation and management of the database entries that reference entries or principals in directory services.
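As an added example (not Windchill code, and not the Windchill Directory Server’s own schema), the following Python maps directory entries onto the WTUser and WTGroup fields described above and flattens nested group membership. The LDIF input is constructed for the example, and the attribute names used for the mapping (uid, cn, mail, preferredLanguage, userCertificate;binary, member, and so on) are standard inetOrgPerson and groupOfNames attributes chosen here as an assumption. Two details matter once more than one directory is involved: entries are keyed by normalized distinguished name, because a user’s name is unique only within its directory context, and nested group expansion keeps a visited set, because a group that directly or indirectly lists itself as a member would otherwise never terminate.

```python
from __future__ import annotations

import base64
from collections import defaultdict

# Constructed sample LDIF for this example. The attribute names are standard
# inetOrgPerson/groupOfNames attributes and are an assumption, not Windchill's
# schema. The "engineering" group deliberately lists itself as a member so the
# cycle handling in effective_members() is exercised.
SAMPLE_LDIF = """\
dn: uid=asmith,ou=people,o=example
objectClass: inetOrgPerson
uid: asmith
cn: Alice Smith
mail: asmith@example.com
preferredLanguage: en_US
o: Example Corp
telephoneNumber: +1 555 0100
userCertificate;binary:: AQID

dn: uid=bjones,ou=people,o=example
objectClass: inetOrgPerson
uid: bjones
cn: Bob Jones
mail: bjones@example.com

dn: cn=designers,ou=groups,o=example
objectClass: groupOfNames
cn: designers
description: CAD designers
member: uid=asmith,ou=people,o=example

dn: cn=engineering,ou=groups,o=example
objectClass: groupOfNames
cn: engineering
description: All engineering staff
member: cn=designers,ou=groups,o=example
member: uid=bjones,ou=people,o=example
member: cn=engineering,ou=groups,o=example
"""


def norm_dn(dn: str) -> str:
    """Normalize a DN for comparison (case-insensitive, whitespace around RDN
    separators ignored). An approximation of full DN matching, enough here."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text: str) -> dict[str, dict[str, list]]:
    """Parse LDIF content records into {normalized_dn: {attr: [values]}}.
    Handles folded lines (leading space), comments, and base64 ('::') values."""
    entries: dict[str, dict[str, list]] = {}
    for record in text.strip().split("\n\n"):
        lines: list[str] = []
        for raw in record.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]          # unfold a continuation line
            else:
                lines.append(raw)
        attrs: dict[str, list] = defaultdict(list)
        dn = None
        for line in lines:
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            name = name.strip().lower()       # attribute types are case-insensitive
            if value.startswith(":"):         # "attr:: <base64>"
                parsed = base64.b64decode(value[1:].strip())
            else:
                parsed = value.strip()
            if name == "dn":
                dn = norm_dn(parsed.decode() if isinstance(parsed, bytes) else parsed)
            else:
                attrs[name].append(parsed)
        if dn is None:
            raise ValueError("LDIF record without dn")
        entries[dn] = dict(attrs)
    return entries


def first(attrs: dict[str, list], name: str):
    vals = attrs.get(name)
    return vals[0] if vals else None


def to_wt_user(attrs: dict[str, list]) -> dict:
    """Map a person entry onto the WTUser fields. The naming attribute (uid here,
    an assumption) is mandatory: it is the unique key within the directory context."""
    if not attrs.get("uid"):
        raise ValueError("user entry lacks a naming attribute")
    return {
        "name": first(attrs, "uid"),
        "fullName": first(attrs, "cn"),
        "eMail": first(attrs, "mail"),
        "locale": first(attrs, "preferredlanguage"),
        "certificates": attrs.get("usercertificate;binary", []),
        "postalAddress": first(attrs, "postaladdress"),
        "organizationName": first(attrs, "o"),
        "telephoneNumber": first(attrs, "telephonenumber"),
        "faxNumber": first(attrs, "facsimiletelephonenumber"),
        "mobilePhoneNumber": first(attrs, "mobile"),
        "webSite": first(attrs, "labeleduri"),
    }


def to_wt_group(attrs: dict[str, list]) -> dict:
    """Map a groupOfNames entry onto the WTGroup fields; members stay as DNs."""
    return {
        "name": first(attrs, "cn"),
        "description": first(attrs, "description"),
        "members": [norm_dn(m) for m in attrs.get("member", [])],
    }


def load_principals(ldif: str) -> tuple[dict, dict]:
    """Split parsed entries into users and groups, both keyed by normalized DN."""
    users, groups = {}, {}
    for dn, attrs in parse_ldif(ldif).items():
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "inetorgperson" in classes:
            users[dn] = to_wt_user(attrs)
        elif "groupofnames" in classes:
            groups[dn] = to_wt_group(attrs)
    return users, groups


def effective_members(groups: dict, group_dn: str, _seen: set | None = None) -> set[str]:
    """Flatten nested group membership to leaf DNs. A visited set guards against
    cycles and self-membership; leaf DNs that are not groups are returned as-is
    (a caller can intersect them with the user table to drop dangling references)."""
    seen = _seen if _seen is not None else set()
    group_dn = norm_dn(group_dn)
    if group_dn in seen:
        return set()
    seen.add(group_dn)
    result: set[str] = set()
    for member in groups[group_dn]["members"]:
        if member in groups:
            result |= effective_members(groups, member, seen)
        else:
            result.add(member)
    return result
```

Running `load_principals(SAMPLE_LDIF)` and then `effective_members(groups, "cn=engineering,ou=groups,o=example")` yields both user DNs exactly once, even though engineering reaches asmith only through the nested designers group and lists itself as a member.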
Bundled and Third-Party Directory Services
Windchill obtains information from LDAP directory services about users and groups as well as about its system infrastructure. This includes Info*Engine configuration information as well as information about Windchill task delegates and information repositories.
Windchill uses standards-based directory service APIs to communicate with LDAP directory services. Theoretically, therefore, Windchill can access and interact with any directory service that implements the Internet-standard LDAP Version 3 protocol. Differences do exist between LDAP-based directory products, however. For example, the scalability, performance characteristics, and extended schema supported by various LDAP directory implementations differ, so Windchill imposes some restrictions on the directory solutions that it supports.
Windchill includes and requires a bundled LDAP directory server named the Windchill Directory Server. The Windchill Directory Server satisfies all of the directory service requirements for Windchill, and can hold information about Windchill users and groups, as well as all of the directory-based infrastructure information for Windchill. In fact, Windchill requires that its infrastructure information be held by the Windchill Directory Server. On the other hand, Windchill allows information about users and groups to be held in another LDAP directory if desired.
Thus, Windchill can be configured to interact with multiple LDAP directory servers simultaneously. At least one of these must be the Windchill Directory Server, and the Windchill Directory Server must contain all of the directory-based infrastructure information for Windchill (for example, Info*Engine configuration properties and Windchill Federation configuration information). Windchill can obtain information about users and groups from any LDAP directory service that complies with Internet LDAP Version 3 standards, including, but not limited to, the Windchill Directory Server. Because Windchill must be able to update group and organization information, that information must be stored in an LDAP server, such as the Windchill Directory Server, that grants Windchill write access rather than read-only access.
Configuration Options Using Enterprise Directory Services
The enterprise directory service configuration options for maintaining user, group, and organization information are as follows:
Option One
Description: You can import your existing LDAP directory user, group, and organization information into the Windchill Directory Server. As a result, all user, group, and organization information resides in the Windchill Directory Server. For information about importing user and group information, see Managing a Windchill Directory Server.
Issues: A decision must be made regarding the distribution and operational maintenance of the user, group, and organization information. You must determine whether the information is administered in multiple locations and how the information should be distributed to the users of the information. For example, what directory synchronization processes must be established to keep information in the Windchill Directory Server up to date?
Option Two
Description: User information is maintained in one or more separate LDAP directories. Using this option, the Windchill Directory Server holds the group and organization information and the additional LDAP directories hold the user information. This option allows the user information to remain split across different directories, thus addressing the Option One issue about maintenance and distribution of the user information in multiple directories.
Issues: You must select which user administration tools to use. You can use an LDAP administration tool of your choice to maintain information in the enterprise directory as an alternative to using the Windchill administration tools. However, if you use the Windchill administration tools, then Windchill requires write access to the existing LDAP directory. If you grant that access, bind Windchill with a dedicated service account whose write permission is limited to the subtree it manages, rather than with a directory-wide administrative account. For additional information about Windchill administration tools, see Basic Administration.
There are numerous other solutions that require knowledge and expertise regarding the deployment of multiple web servers and multiple LDAP directories in a complex secure environment. Most customers that have an existing LDAP directory will find Option Two to be the least complicated solution. The following topics explain how to implement Option Two.