cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Community Tip - New to the community? Learn how to post a question and get help from PTC and industry experts! X

Active Directory and JNDI Adpaters

borourke
10-Marble
10-Marble
‎Jan 17, 2014 06:21 PM
‎Jan 17, 2014 06:21 PM

Active Directory and JNDI Adpaters

We are looking to move the Windchill authentication to our local AD, which is house on 2 different servers. Windchill only allows the 1 specific server when setting up the JNDI adapter. The local folks are worried when the targeted AD server is down for any reason, WIndchill would then be unavailable. Has anyone set up some sort of 'round robin' or failover to handle this situation? Thanks in advance, and Happy Mardi Gras to all!


Send lawyers, guns, and money...the sh!t has hit the fan!

Labels:
0 Kudos
Notify Moderator
7 REPLIES 7
SteveVinyard
1-Newbie
1-Newbie
(To:borourke)
‎Jan 17, 2014 07:36 PM
‎Jan 17, 2014 07:36 PM

Hi Bill,

For redundant Servers you need to configure Apache and only one ADS Adapter accordingly:


Apache:doublequoted URL redundant servers are space delimited

<authnprovideralias ldap=" windchill-activedirectory=">
AuthLDAPURL "ldap://server1.company.com:3268 server2.company.com:3268 server3.company.com:3268/DC=company,DC=com?sAMAccountName?sub?(memberOf=CN=PDMLink-User,OU=PTC,OU=Applications,DC=company,DC=com)"
AuthLDAPBindDN "CN=PTC-AD-Connect,OU=Accounts,OU=Common,OU=Resources,DC=company,DC=com"
AuthLDAPBindPassword "5m{6tkBI--[G_8tw"
</authnprovideralias>


In WindchillDS the naming provider URL are server names space delimited with ldap:// prefix in your JNDI adapter

com.company.ADAdapter.java.naming.provider.url=ldap://server1.company.com:3268 ldap://server2.company.com:3268 ldap://server3.company.com:3268

[Description: C:\Documents and Settings\krista.roy\Application Data\Microsoft\Signatures\tristar_email_signature_files\image001.gif]

Steve Vinyard
Senior Solution Architect
0 Kudos
Notify Moderator
egifford
4-Participant
4-Participant
(To:borourke)
‎Jan 20, 2014 09:18 AM
‎Jan 20, 2014 09:18 AM

We ran into the same scenario. We have two AD servers both to split the load and provide redundancy should one fail. What we ended up doing is sort of aliasing a name for the AD server on the Wiindchill server in the local hosts file. This fake server name is then what is used in all the Windchill settings for the hook to AD (JNDI adapter etc). The IPaddress associated with the fake server name in the hosts file is the IP address of the primary AD server wewant to target. Should that AD server go downwe simply edit the hosts file to have the address of the secondary AD server and we're back in business. Not altering settings in Windchill, no restarting Windchill. Simple, not automatic, but simple and effective. Have to give credit to these boards for that solution, though. A while back someone had posted this as one approach to the issue.



Erik

0 Kudos
Notify Moderator
ptc-478260
1-Newbie
1-Newbie
(To:borourke)
‎Jan 20, 2014 11:27 AM
‎Jan 20, 2014 11:27 AM

Why not just use the domain name instead of the specific AD server (instead of dc1.domain.local use domain.local)? Query DNS in your environment for your domain name, you should get back every IP of your DCs. If a DC is decommissioned it should not return in this list. This is very basic round robin DNS load balancing.

Ian
0 Kudos
Notify Moderator
ddemay
1-Newbie
1-Newbie
(To:borourke)
‎Jan 21, 2014 11:11 AM
‎Jan 21, 2014 11:11 AM

By the way, this is not well documented but for security reasons it is
better to communicate to active directory securely. You are transmitting
user passwords in the clear otherwise. Anybody can see them. Therefore, use
of secure port 3269, NOT 3268 is advised. It took me quite awhile to dig
this up because port 636 is typical for other systems (and works for active
directory but not single sign on)



Hope this helps somebody.

David




0 Kudos
Notify Moderator
borourke
10-Marble
10-Marble
(To:borourke)
‎Jan 21, 2014 11:49 AM
‎Jan 21, 2014 11:49 AM

We successfully used the multiple URLs separated by a space. We originally thought this would work, but PTC told us last week this was not supported.


Send lawyers, guns, and money...the sh!t has hit the fan!

0 Kudos
Notify Moderator
PreetiGupta
14-Alexandrite
14-Alexandrite
(To:borourke)
‎Jan 21, 2014 02:55 PM
‎Jan 21, 2014 02:55 PM

We run the following configuration where we do not spell out the server name. It failover automatically.

<authnprovideralias ldap=" windchill-administrativeldap=">
AuthLDAPURL ldap://alconnet.com/dc=alconnet,dc=com?sAMAccountName?sub?(objectClass=*)
AuthLDAPBindDN "cn=us4s1164,ou=Service Accounts,ou=Users & Groups,ou=USIRV,ou=ADC,dc=alconnet,dc=com"
AuthLDAPBindPassword "vv!"
</authnprovideralias>

Thanks,
Preeti
0 Kudos
Notify Moderator
karan1904
1-Newbie
1-Newbie
(To:borourke)
‎Jan 25, 2014 04:38 AM
‎Jan 25, 2014 04:38 AM

I too agree with Ian by quering for a domain instead of querying a particular Domain Controller. With this approach, the only thing you need to take care if a particular DC is undergoing maintainance or not reachable, then request to that DC will fail and users will not be able to login to windchill temporarily.However, on multiple login attempts login will succedd. Make sure that the DC undergoing maintainace is removed from the DNS entrie of your domain and al the DC are available and able to handle request.

0 Kudos
Notify Moderator
Top Tags