Entering Your LDAP Settings
Default LDAP which could be an active directory or other V3 compliant LDAP server is required for managing Windchillusers. It can also optionally manage Windchill groups information.
|
|
The Windchill administrator is responsible to ensure the configuration and management of the LDAP V3 directory is secure. PTC strongly recommends the use of defense-in-depth when configuring the LDAP infrastructure.This includes, but is not limited to:
• Use of strong RBAC (Role-Based Access Control), following the principle of least privilege. Administrative logins should be limited.
• Configure LDAPS, ensuring data is encrypted in transit.
• Restrict remote access, open only the ports and protocols necessary for expected operations.
• Ensure that the latest security patches are applied.
• Host LDAP on a separate server within the corporate network and not on the same server that hosts the Windchill application.
• If LDAP is deployed on same server as the Windchill, block the ports that are not required. Make sure not to expose these ports to the internal corporate network or internet.
• Avoid exposing the LDAP server to the internet.
|
|
|
Depending on the product you are installing, the default LDAP directory structure is different.
|
Starting Windchill 12.0.2.0, PTC Solution Installer provides the option to select LDAP or LDAPS as Directory Access control. To use LDAPS, you must obtain or generate a certificate used to provide proof of server identity. For production use, PTC recommends that a certificate be obtained from a trusted Certificate Authority. For testing purposes, you can generate a self-signed certificate using any supported utility of Java.
Configuring your system to use LDAPs enables encryption of LDAP data during any communication with the directory server (between Azure Active Directory/Active Directory and the HTTP server). Windchill now supports authentication and communication with Azure Active Directory. To support Azure Active Directory for configuring SSO or to have Azure Active Directory as directory server, you are required to install Windchill with LDAPS. Windchill does not support direct communication with Azure Active Directory repository using LDAP/LDAPs which is the only supported protocol. You are required to configure Azure Active Directory Domain Services (AADDS) to support authentication and communication. AAD principals are synced to AADDS. If you are using Microsoft Active directory/ AADDS, userID (UID) attribute is required to be mapped to sAMAccountName or userPrincipalName. The mapping depends on your authentication configuration of using SSO or basic authentication respectively.
The Azure Active Directory Domain Services AADDS cannot authenticate the guest users. AADDS can authenticate only the users with User type as Members.
Make sure to provide correct certificate information or the installation is likely to fail. For cluster setup on
Unix operating system, make sure to copy all the certificates at the same location for all the cluster nodes. It is suggested to keep the certificates inside <APACHE_HOME>. PSI allows you to specify the following entities on
Unix operating system:
Input values for Unix Operating System
|
Option
|
Description
|
|
Location
|
The location of the trusted certificate/self-signed certificate that resides in the JVM keystore at > . Make sure that you provide a valid certificate with an appropriate extension. This field should not be empty.
|
|
Type
|
Type of the certificate encryption.
|
|
Password
|
This is required only if an associated password is available.
|
|
LdapVerify Server Certificate
|
Option to enable or disable the verification of server certificate. Default value is Off.
|
In the Define Settings section, enter your LDAP settings:
|
Option
|
Description
|
|
LDAP Service
|
Select this option if the enterprise node is ADS. Otherwise, select other V3 compliant LDAP.
As soon as you select ADS, the following options later in this section are highlighted. See Default User Mappings for ADS Attributes.
|
|
LDAP Adapter Name
|
Single LDAP Adapter can be configured.
|
|
LDAP Server Host Name
|
<hostname>.<domain> is the default.
|
|
Base Distinguished Name for LDAP Users
|
The base distinguished name for the LDAP Users. The setup program creates the directory using the distinguished name that you specify.
|
The following default values are set for you during the new installation. You cannot change these values during a new installation.
|
Option
|
Default
|
Description
|
|
LDAP Server Port
|
389
|
Defines the port number that the LDAP listens on for requests.
|
|
LDAP User Distinguished Name
|
|
Specifies a user node in the LDAP hierarchy that contains all users in the directory that should be visible to Windchill.
|
|
LDAP Password
|
|
LDAP administrator’s password.
|
Define the settings for the default LDAP server:
LDAP Service
|
Option
|
Default
|
Description
|
|
LDAP Service
|
Active Directory Service (ADS)
|
Select this option if the enterprise node is ADS. Otherwise, select other V3 compliant LDAP.
As soon as you select ADS, the following options later in this section are highlighted. See Default User Mappings for ADS Attributes.
|
|
Windchill Privileges for Repository
|
Read Only.
|
You can opt for load demo user only if Read and Write options are selected.
|
|
Repository Contains
|
Users
|
Select the option as per the requirement. Select either the Users or Groups check box.
Depending on the option selected, the application will consider the users or groups defined in this Enterprise LDAP when determining access to Windchill.
If the repository is read-only, the application will not attempt to manage users and groups in the repository.
|
|
LDAP Connection
|
Bind as User
|
Specifies the bind method used to connect to the Enterprise repository.
Two options are available:
• Bind as Anonymous—this option does not require a user name to read the contents of the repository.
• Bind as User—this option binds the specified user to the directory. This user must exist in the LDAP.
|
|
User Filter
|
|
To filter users.
Only those users who are selected here are searchable through Windchill
Examples:
• If the Enterprise Node is V3 compliant LDAP:
◦ uid= *(searches for all users)
or
◦ uid= ne* (searches for all users with the name starting with ne).
• If the Enterprise Node is ADS:
◦ cn=* (searches for all users)
or
◦ cn=ne*(searches for all users with the name starting with ne)
|
|
You can modify this criteria after installation by going to > > and selecting the respective Enterprise Adapter.
|
|
|
Group Filter
|
|
To filter groups.
Only those groups who are selected here are searchable through Windchill.
Examples:
• If the Enterprise Node (LDAP) is:
◦ cn=*(Searches for all Groups)
or
◦ cn=gr* (Searches for all Groups with the name starting with gr).
• If the Enterprise Node is ADS:
◦ cn=*(Searches for all Groups)
or
◦ cn=gr*(Searches for all Groups with the name starting with gr), and so on.
|
|
You can modify this criteria after installation by going into > > and selecting the respective Enterprise Adapter.
|
|
LDAP Server Attribute Mapping to Windchill Attributes
Attribute mapping is configured in the LDAP Adapters. The values supplied here are stored in the LDAP Adapter definition. An option provides automatic addition of a default set for ADS. ADS can not be used without specifying a default set. The defaults can be adjusted to suit a site’s needs. If a site requires, mappings can be defined in any configured LDAP Adapter by consulting
Configuring Additional Enterprise Directories.
Default User Mappings for ADS Attributes
The "Option" column specifies the attribute name expected by Windchill and the "Default" column specifies the ADS attribute name/value.
|
Option
|
Default
|
|
Object Class
|
user
|
|
Organization Name
|
company
|
|
Unique Identifier
|
sAMAccountName
|
|
Unique Identifier Attribute
|
sAMAccountName
|
|
Common Name
|
cn
|
|
E-Mail Address
|
mail
|
|
Surname
|
sn
|
|
User Certificate
|
userCertificate
|
|
Telephone Number
|
telephoneNumber
|
|
Fax Number
|
facsimileTelephoneNumber
|
|
Mobile Phone Number
|
mobile
|
|
Postal Address
|
postalAddress
|
|
Preferred Language
|
preferredLanguage
|
|
Additional Attribute
|
objectGUID
|
Descriptions for these fields can be found in
Configuring Additional Enterprise Directories.
|
|
By default, both the unique identifier attribute and the unique identifier can have the same value; however, the unique identifier attribute must always point to an attribute that holds a unique value. If you do not have multiple subdomains in your ADS configuration, and you know that the sAMAccountName is unique within a single domain, then you can use the default value for your unique identifier attribute. If the values for your sAMAccountName are not unique, then you should use the userPrincipalName for your unique identifier attribute.
|
Default Group Mappings for ADS Attributes
The "Option" column specifies the attribute name expected by Windchill and the "Default" column specifies the ADS attribute name.
|
Option
|
Default
|
|
Unique Identifier Attribute
|
sAMAccountName
|
|
Description
|
description
|
|
Object Class
|
group
|
|
Unique Member
|
member
|
Descriptions for these fields can be found in
Configuring Additional Enterprise Directories.
