Configure Windchill to Link to Active Directory for Usernames and
Passwords
Create JNDI Adapter Entry
This section explains how to create a JNDI adapter entry and change the default mapping for the user and
group properties. You will need the JNDI Adapter Guide to assist you in creating the JNDI adapter entry.
Complete the following steps to create the JNDI adapter entry and set the attribute properties:
To create the JNDI adapter, log into PDMLink as an administrator and click Site > Utilities > Info*Engine
Administration.
This launches the Info*Engine Administration page in a separate window. Enter the directory manager's
username and password (for example: cn=manager, password = Manager; these are sample values, use your site's
actual directory manager credentials).
This opens the Info*Engine Property Administrator. To create the JNDI adapter, click the Create Entry
pull-down list and select JNDI Adapter.
This opens the Property Editor in a new window. At a minimum, the following JNDI attributes must be
defined:
Service Name - A name you apply to identify your JNDI adapter entry. Keep the default name. The name you
specify for the adapter in this step is used in later steps of this procedure.
Runtime Service Name - Should match your Service Name. Keep the default.
Provider URL = ldap://[Link] (the URL of the corporate LDAP directory)
Directory System Agent User = the account Windchill binds with to read the directory. You must fully qualify
the name (give its complete distinguished name). A dedicated account with read access is sufficient.
Search Base = the distinguished name at which searches of the directory start
LDAP Search Scope = Subtree
Now scroll down to the bottom of the page and save the settings. This must be done before trying to add the
attribute mappings: after saving the JNDI entry, re-open it, scroll down to the additional properties and add
the following properties, which map users only. The property names always start with the service name that
was just created, followed by ".[Link]", as seen below.
[Link]=group
[Link]=member
[Link]=user
[Link]=sAMAccountName
[Link]=sAMAccountName
Note: the [Link].o = company mapping is not documented in the PTC manual but is required so that Windchill
knows to map its organization attribute (o) to the company attribute in AD. The company attribute value in
AD must match the Organization name used in Windchill exactly.
Create Repository Definition
Perform the following instructions to create an information repository definition for the enterprise directory
service. You will use the Task Delegate Administrator to perform this task.
1. Log on to Windchill as a site administrator.
2. Open the Task Delegate Administrator.
– In Windchill PDMLink and Windchill ProjectLink, the link to it is: Site (tab) > Utilities (page) >
Task Delegate Administrator (under the System Administration category).
– In Windchill PDM, the link to it is: Task Delegate Administrator (navigation bar).
3. On the Log On page, specify the values necessary to access the Aphelion LDAP directory (the directory
bundled with Windchill).
– Principal: The distinguished name of the LDAP directory manager (cn=manager in the example above).
– Password: Password of the LDAP directory manager (Manager in the example above).
4. Select Manage Repository from the navigation bar.
5. Create a new repository definition by completing the section entitled Create Repository.
a. The Repository Name value is derived directly from the directory service name you chose in the
Create JNDI Adapter Entry step, except that the order of the domain components is reversed. For
example, if the directory service name is [Link], then the repository name should be
[Link].
b. The Repository Type value for an enterprise directory service used by Windchill is always
[Link]-ldap. Select this option from the Repository Type list.
c. In the Webject Processor and Task Processor lists, select the name of your Windchill adapter from
the list.
d. Click Create to create the repository definition.
Modify the [Link] File
The value of the [Link] property is a comma-separated list of JNDI adapter names. The list is traversed
from left to right when searching for users and groups. The first entry in the list is the JNDI adapter name
that was created when Info*Engine was configured and that identifies the Aphelion Directory. A typical
naming convention uses an adapter name of the form <domainname>.Ldap, where <domainname> is the name of your
domain. For example, if your domain name is [Link], then the JNDI adapter name would be [Link]. Following
this convention gives you a unique name.
The [Link] property is located in the [Link]
file. Perform the following instructions to set [Link]
for your directory.
– Use the xconfmanager to change the [Link] property to include your JNDI adapter name(s). Be sure to
retain the existing values by including them in the property value list (the first entry must still identify
the Aphelion directory, where the Windchill administrator and the other existing principals are stored).
From a Windchill shell, execute the following commands:
– To display the current value of the property:
xconfmanager -d [Link]
– Specify the existing and new values (append the new value to the existing property value). You can
specify one or more JNDI adapter Service Names, separated by commas. See the xconfmanager guidelines for
specifying multiple property and property value combinations:
xconfmanager -s [Link]=<existing value(s)>,<new JNDI adapter service name(s)> -t <Windchill>/codebase/[Link] -p
Where <Windchill> is the location where Windchill is installed.
Set Authentication in [Link] File
The [Link] file is used to specify the authentication access to the enterprise directory.
If no parameters are added to the MapCredentials file, then Windchill accesses the enterprise directory
anonymously. In effect, this means that the Windchill administrator would not be able to modify (create or
update user information) the entries in the enterprise directory. It is not absolutely necessary that
Windchill be able to update an enterprise directory; in fact, a typical scenario is one where Windchill is
allowed only to query it. If your directory does not permit anonymous access (Active Directory does not allow
anonymous reading of the user list), or if you want the Windchill administrator to perform user updates to
the enterprise directory, then you must set up the MapCredentials file so that Windchill binds to the
enterprise directory with a named account.
Complete the following instructions to set authentication. To assist you in editing the
[Link] file, you will need the Info*Engine User’s Guide.
1. Determine the Distinguished Name and password to be used by the Windchill administrative user to
authenticate to the Active Directory LDAP service. The Distinguished Name and password you specify in this
step are used in later steps of this procedure. This must be a fully qualified name.
2. To allow Windchill to update users and/or groups, you must ensure that the directory service access
control privileges set up for the distinguished name identified in Step 1 allow sufficient privileges to
read/create/update/delete Windchill objects in the directory service. Usually, by default, the privileges
only allow read access. These access control privileges are defined in the directory service using its own
administrative tools. Grant only what Windchill needs: if Windchill only queries the directory, read access
is enough. Active Directory does not allow anonymous reading of the user list, so the Distinguished Name
must at least have read access to Active Directory.
3. Modify the [Link] file that is installed with Windchill to include the distinguished name under which
the Windchill administrator will authenticate itself to the directory service. Use the instructions in the
Info*Engine User’s Guide to edit the credentials mapping task and identify the administrative user for your
LDAP directory. The [Link] file is located in the <Windchill>/tasks/wt/federation directory. The file
identifies a list of Windchill user names that have administrative privileges and identifies the
administrator user name and password used to access a particular LDAP directory. The out-of-the-box [Link]
file contains lines that set up administrative access to the Aphelion Directory. Add the lines that set up
access to your LDAP directory. Your modifications must create an element whose data consists of the
INSTANCE, DBUSER, and PASSWD attribute values:
a. The INSTANCE attribute value is the JNDI adapter name.
b. The DBUSER and PASSWD attribute values provide a valid user and password that can be used to access
(and, if you granted the privileges, update) the data in the directory. This is the distinguished name and
password identified in Step 1. Because the password is stored in clear text in this file, restrict read
access to the file to the Windchill service account and its administrators.
Verification Tests
Complete these steps to implement and verify your changes:
1. Restart the Windchill servers to implement your changes.
2. To verify that your changes have been implemented correctly, access the Windchill user and group
administration feature: log into Windchill as an administrator, go to Site > Utilities and select Principal
Administrator, then select "Add Existing Users To Table". This opens the search for users window. Select
Search, which should return a full list of users from Active Directory.
3. If you do not get the list of users, turn on verbose logging (in the [Link] file), which may show why
it is not working. To turn verbose logging on, edit the [Link] file and set [Link]=true, then restart the
method server. Turn it off again once the problem is found.
Configuring Apache to Authenticate with AD
Apache is configured out of the box to authenticate to Aphelion. Before changing Apache to authenticate to
AD, you must add an existing AD user to the Administrators group in Windchill; once Apache authenticates
only to AD, the wcadmin account stored in Aphelion can no longer log in.
1. Add a user to the Administrators group
a. Log into Windchill as wcadmin (or the Windchill administrator that you created during the
installation)
b. Go to Site > Principal Administrator > Groups > Add Existing Group to Table
c. Search for the Administrators group
d. Select the Administrators group and click OK
e. Click the Update Group icon
f. Click the Members tab
g. Click "Add Existing Principals to Table"
h. Search for the AD users you want to add to the Administrators group and select them (you must add at
least one)
i. These users are now site administrators, and once Apache authenticates to AD they will be able to add
additional administrators.
2. Modifying Apache to authenticate to AD
a. Edit \ptc\Apache\conf\[Link] with Notepad
b. You must modify all of the Auth* directives:
Modified Settings
AuthName "Windchill"
AuthType Basic
AuthLDAPAuthoritative on
AuthLDAPBindDN
AuthLDAPBindPassword
AuthLDAPURL
require valid-user
c. AuthLDAPBindDN = the distinguished name of the account Apache binds with to browse the AD tree.
d. AuthLDAPBindPassword = the password of that account. It is stored in clear text in the configuration
file, so use a dedicated account with read-only access to the directory and restrict who can read the file.
e. AuthLDAPURL = the location of the tree where you want the search to start, followed by
?sAMAccountName?sub?(objectClass=*). The ?sAMAccountName part tells Apache that the login name is matched
against the sAMAccountName attribute, ?sub tells Apache to do a subtree search, and ?(objectClass=*) is the
filter that is ANDed with that match. Note that (objectClass=*) matches any object, not just users, so the
lookup is constrained only by the sAMAccountName value; a filter of (objectClass=user) restricts it to user
accounts.
f. Make these changes in every location where the Auth* directives appear and save the file.
g. Restart Apache and Windchill to put the changes into effect.
AuthType Basic sends the user's password base64-encoded with every request, and with an ldap:// URL the bind
password and the users' passwords also cross the network to the domain controller unencrypted. Serve
Windchill over HTTPS and use ldaps:// where the domain controllers support it.
3. To test, open Internet Explorer and log in as the user that was just added to the Administrators group in
step 1, and verify that the user has the "Site" tab.
Troubleshooting
1. After we linked the PDMLink/ProjectLink 7.0 solution to authenticate through Active Directory, once a
user entered the password wrong the first time, that user and other users could not log in. The Apache
version that will be shipped with the maintenance release M020 should resolve the issue.
2. Make sure that all users have a "mail" attribute in their corporate LDAP. Many features of
PDMLink/ProjectLink require an email address, and you will not be able to search for a user who has no
email.
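The following Python script is an added example, not PTC's code or part of this guide; it rehearses offline what Apache does with the AuthLDAPURL from step 2 of "Configuring Apache to Authenticate with AD" and the checks from Troubleshooting item 2. It parses an AuthLDAPURL the way mod_auth_ldap does (RFC 4516 form, with Apache's defaults for a missing attribute, scope or filter), builds the filter Apache sends for a login name with the login escaped, flags the two weak settings in the guide's URL (ldap:// and (objectClass=*)), and runs the lookup against constructed AD-style entries, including a group and a user with no mail attribute. The host ad.example.com, the DNs, the user names and the organization "Example Corp" are assumptions.

```python
"""Offline rehearsal of what Apache does with this guide's AuthLDAPURL.

Added example, not PTC's or the guide's own code.  It parses an AuthLDAPURL of the
RFC 4516 form ldap://host[:port]/base-dn?attribute?scope?filter as mod_auth_ldap does,
builds the filter Apache sends for a login name, flags weak settings, and runs the
lookup against constructed AD-style entries.  Host, DNs, users, organization: assumed.
"""
import re
from urllib.parse import unquote, urlsplit

DEFAULT_PORT = {"ldap": 389, "ldaps": 636}

def parse_auth_ldap_url(url):
    """Pieces Apache derives from an AuthLDAPURL, with Apache's defaults filled in."""
    p = urlsplit(url)
    if p.scheme not in DEFAULT_PORT:
        raise ValueError("AuthLDAPURL must start with ldap:// or ldaps://")
    fields = (p.query.split("?") + ["", "", ""])[:3]   # query = "attribute?scope?filter"
    return {"scheme": p.scheme, "host": p.hostname, "port": p.port or DEFAULT_PORT[p.scheme],
            "base_dn": unquote(p.path.lstrip("/")),
            "attribute": unquote(fields[0]) or "uid",            # Apache default
            "scope": (fields[1] or "sub").lower(),               # Apache default
            "filter": unquote(fields[2]) or "(objectClass=*)"}   # Apache default

def escape_filter_value(value):
    """RFC 4515 escaping, which Apache applies to the login name before building the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def effective_filter(cfg, login):
    """The filter Apache actually sends: (&(<configured filter>)(<attribute>=<login>))."""
    return "(&%s(%s=%s))" % (cfg["filter"], cfg["attribute"], escape_filter_value(login))

def audit(cfg):
    """Weak settings a reviewer would flag in the guide's Apache configuration."""
    findings = []
    if cfg["scheme"] == "ldap":
        findings.append("ldap://: bind and user passwords cross the wire in clear; use ldaps://")
    if cfg["filter"].lower() == "(objectclass=*)":
        findings.append("(objectClass=*) matches any object; (objectClass=user) limits it to users")
    return findings

def _split_top(s):  # "(a)(b)" -> ["(a)", "(b)"], tracking parenthesis depth
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            start = i if depth == 0 else start
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts

def matches(entry, filt):
    """Minimal RFC 4515 evaluator (&, |, !, presence, equality); AD compares case-insensitively."""
    body = filt[1:-1]
    if body[0] in "&|!":
        results = [matches(entry, sub) for sub in _split_top(body[1:])]
        return {"&": all, "|": any, "!": lambda r: not r[0]}[body[0]](results)
    attr, _, value = body.partition("=")
    values = entry.get(attr.lower(), [])
    values = [values] if isinstance(values, str) else values
    if value == "*":                                   # presence test, e.g. (objectClass=*)
        return bool(values)
    literal = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return literal.lower() in [str(v).lower() for v in values]

def search(entries, cfg, login):
    """Entries at or below the base DN that Apache's effective filter would match (scope sub)."""
    filt, base = effective_filter(cfg, login), cfg["base_dn"].lower()
    return [e for e in entries
            if (e["dn"].lower() == base or e["dn"].lower().endswith("," + base)) and matches(e, filt)]

def windchill_ready(entry, organization):
    """Troubleshooting item 2 plus the o -> company mapping: needs mail and a matching company."""
    problems = []
    if not entry.get("mail"):
        problems.append("no mail attribute: the user cannot be searched for in Windchill")
    if entry.get("company") != organization:
        problems.append("company %r != Windchill organization %r" % (entry.get("company"), organization))
    return problems

# Constructed sample directory standing in for the corporate AD (keys lower-cased; not real data).
SAMPLE_AD = [
    {"dn": "CN=Alice Adams,OU=Engineering,DC=example,DC=com", "objectclass": ["top", "person", "user"],
     "samaccountname": "aadams", "mail": "aadams@example.com", "company": "Example Corp"},
    {"dn": "CN=Bob Brown,OU=Engineering,DC=example,DC=com", "objectclass": ["top", "person", "user"],
     "samaccountname": "bbrown", "company": "Example Corp"},                   # no mail attribute
    {"dn": "CN=PDM Users,OU=Groups,DC=example,DC=com", "objectclass": ["top", "group"],
     "samaccountname": "PDM Users", "member": ["CN=Alice Adams,OU=Engineering,DC=example,DC=com"]},
]
GUIDE_URL = "ldap://ad.example.com/DC=example,DC=com?sAMAccountName?sub?(objectClass=*)"
HARDENED_URL = "ldaps://ad.example.com/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"

if __name__ == "__main__":
    cfg = parse_auth_ldap_url(GUIDE_URL)
    print(audit(cfg), [h["dn"] for h in search(SAMPLE_AD, cfg, "PDM Users")])
```

Two things the script shows that the guide's text does not: with the guide's (objectClass=*) filter the group "PDM Users" is returned for a login of that name (the hardened filter rejects it), and a login name of "*" matches nobody because Apache escapes it before it enters the filter.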