Working with LDAP Directory Services
When your Windchill solution was installed, two LDAP directory services were configured:
• Administrative LDAP -- This LDAP is intended to be used for your administrative users and any user-defined groups that you want to have administrative access. The display name for this service uses the reverse of the site domain and ends in .Ldap.
• Enterprise LDAP -- This LDAP is intended to contain your end users and any user-defined groups that you do not want to have administrative access. The display name for this service uses the reverse of the site domain and ends in .EnterpriseLdap.
For example, if your site has a domain of ptcnet.ptc.com, if you supplied "windchill" as your organization name during installation, and if you accepted the default LDAP directory service options during installation, your directory service structure is similar to the following.
The Administrative LDAP includes the system-defined administrative groups.
When you create a new group using the Participant Administration utility, you can select which LDAP it is created under by selecting the desired directory service as shown below:
For example, if you use the Participant Administration utility to create a new group from the site context, and you choose the Administrative LDAP as the Directory Service, the group is added as shown below:
If you use the Administrator to create a new group from the site context and select the Enterprise LDAP, the group is added as shown below:
If you use the Participant Administration utility to create a new user and select the Enterprise LDAP, the user is added as shown below:
When creating an access control rule for a group using the Policy Administration utility, select the directory in which the group resides to find the group, as shown below:
For more information on the
Policy Administration utility, see
Using the Policy Administration utility.
By default, the Windchill search for groups uses a one level search scope in the selected directory service. This means that for Windchill to find the groups, you must store them at the top level established in the service. The Participant Administration utility automatically does this.
If you add groups through a third party tool and the following things are true:
• You do not store the groups in the default search base associated with the service
• You do not want to create a new directory service to map to this additional search base
then you must add the search base to the Additional search bases which need to be queried preference so the search base is included when Windchill searches for groups.
Change the preference value using the site-level Preference Management utility.
For more information on the Preference Management utility, see
About the Preference Management Utility.
| If your site requires changes in your established directory service structure, you should contact PTC Technical Support for assistance. |