Scribd
Upload
143 views70 pages

WCDirectoryServerAdminGuide PDF

Uploaded by

Iyswarya
Copyright
© All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
143 views70 pages

WCDirectoryServerAdminGuide PDF

Uploaded by

Iyswarya
Copyright
© All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd

Windchill® Directory Server

Administrator's Guide
Windchill 9.1
Pro/INTRALINK® 9.1
Arbortext® Content Manager™
Windchill PDMLink®
Windchill ProjectLink™
April 2010
Copyright © 2009 Parametric Technology Corporation and/or Its Subsidiary
Companies. All Rights Reserved.
User and training guides and related documentation from Parametric Technology Corporation and its
subsidiary companies (collectively "PTC") are subject to the copyright laws of the United States and other
countries and are provided under a license agreement that restricts copying, disclosure, and use of such
documentation. PTC hereby grants to the licensed software user the right to make copies in printed form of
this documentation if provided on software media, but only for internal/personal use and in accordance with
the license agreement under which the applicable software is licensed. Any copy made shall include the PTC
copyright notice and any other proprietary notice provided by PTC. Training materials may not be copied
without the express written consent of PTC. This documentation may not be disclosed, transferred, modified,
or reduced to any form, including electronic media, or transmitted or made publicly available by any means
without the prior written consent of PTC and no authorization is granted to make copies for such purposes.
Information described herein is furnished for general information only, is subject to change without notice,
and should not be construed as a warranty or commitment by PTC. PTC assumes no responsibility or liability
for any errors or inaccuracies that may appear in this document.
The software described in this document is provided under written license agreement, contains valuable trade
secrets and proprietary information, and is protected by the copyright laws of the United States and other
countries. It may not be copied or distributed in any form or medium, disclosed to third parties, or used in any
manner not provided for in the software licenses agreement except with written prior approval from PTC.
UNAUTHORIZED USE OF SOFTWARE OR ITS DOCUMENTATION CAN RESULT IN CIVIL
DAMAGES AND CRIMINAL PROSECUTION. PTC regards software piracy as the crime it is, and we view
offenders accordingly. We do not tolerate the piracy of PTC software products, and we pursue (both civilly
and criminally) those who do so using all legal means available, including public and private surveillance
resources. As part of these efforts, PTC uses data monitoring and scouring technologies to obtain and transmit
data on users of illegal copies of our software. This data collection is not performed on users of legally
licensed software from PTC and its authorized distributors. If you are using an illegal copy of our software
and do not consent to the collection and transmission of such data (including to the United States), cease using
the illegal version, and contact PTC to obtain a legally licensed copy.
For Important Copyright, Trademark, Patent, Licensing and Data Collection
Information: For Windchill products, select About Windchill at the bottom of the product page. For
InterComm products, on the Help main page, click the link for Copyright 20xx. For other products, click
Help > About on the main menu of the product.
UNITED STATES GOVERNMENT RESTRICTED RIGHTS LEGEND
This document and the software described herein are Commercial Computer Documentation and Software,
pursuant to FAR 12.212(a)-(b) (OCT’95) or DFARS 227.7202-1(a) and 227.7202-3(a) (JUN’95), and are
provided to the US Government under a limited commercial license only. For procurements predating the
above clauses, use, duplication, or disclosure by the Government is subject to the restrictions set forth in
subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software Clause at DFARS 252.227
7013 (OCT’88) or Commercial Computer Software-Restricted Rights at FAR 52.227 19(c)(1)-(2) (JUN’87),
as applicable. 01162009
Parametric Technology Corporation, 140 Kendrick Street, Needham, MA 02494 USA
Contents

Change Record ................................................................................................... 4


About This Guide........................................................................................................ 7
Migrating from Aphelion to Windchill Directory Server ..................................................11
Prerequisites ..................................................................................................... 12
Migration Procedure........................................................................................... 12
Managing a Windchill Directory Server....................................................................... 23
Updating Windchill Directory Server to the Latest Maintenance Release................ 24
Starting the Control Panel................................................................................... 27
Starting the Windchill Directory Server................................................................. 27
Stopping the Windchill Directory Server ............................................................... 28
Disabling or Enabling Windchill Directory Server as a Windows Service ................ 28
Controlling Access to the Windchill Directory Server Commands........................... 29
Installing the Windchill Directory Server ............................................................... 29
Creating Additional Base DNs............................................................................. 32
Verifying the Windchill Directory Server Installation .............................................. 32
Uninstalling the Windchill Directory Server........................................................... 32
Configuring a Windchill Directory Server .................................................................... 35
Using the dsconfig Command ............................................................................. 36
Setting Windchill Directory Server Password Polices ............................................ 36
Managing the Windchill Directory Server Logging................................................. 50
Managing User Accounts .......................................................................................... 55
Displaying the Status of User Accounts ............................................................... 56
Locking and Unlocking User Accounts................................................................. 56
Resetting User Passwords.................................................................................. 57
Managing Directory Data........................................................................................... 59
Adding a New Entry ........................................................................................... 61
Deleting an Entry ............................................................................................... 62
Backing up LDAP Directory Data ........................................................................ 62
Restoring Directory Data .................................................................................... 63
Exporting Entries to an LDIF File......................................................................... 63
Importing Entries................................................................................................ 64
Viewing Entries .................................................................................................. 64
Appendix A. Aphelion Directory Server Activities ......................................................... 65

3
Change Record
The following tables list the major changes made in this guide for Windchill releases.

Changes for 9.1 M050

Chapter Description
Managing Directory Data Updated the following section to include
references to more information on data
backup:
Backing up LDAP Directory Data on page 62

Changes for 9.1 M040

Chapter Description
Migrating from Aphelion to Windchill Updated the following section to include the
Directory Server LDAP Base DN installation field, which was
previously named LDAP Directory Server
Suffix:
Replacing Aphelion with Windchill Directory
Server on page 13
Managing a Windchill Directory Server Added the following sections to describe the
procedure for updating an existing Windchill
Directory Server to the latest maintenance
release:
● Viewing Windchill Directory Server
Configuration Settings on page 26
● Updating Windchill Directory Server to
the Latest Maintenance Release on page 24
Updated existing sections to reflect the
addition of the procedure to update the
Windchill Directory Server.
Updated the following sections to reflect the
installation change that no longer installs
Windchill Directory Server as a Windows
service on Windows platforms:
● Installing the Windchill Directory Server
on page 29
● Starting the Windchill Directory Server
on page 27
● Disabling or Enabling Windchill Directory
Server as a Windows Service on page 28
● Uninstalling the Windchill Directory
Server on page 32

4 Windchill® Directory Server Administrator's Guide


Changes for 9.1 M040 (continued)

Chapter Description
Managing a Windchill Directory Server Updated the following section to reflect the
(continued) Windchill Directory Server installation change
in the LDAP Base DN installation field (which
was previously named LDAP Directory
Server Suffix):
Installing the Windchill Directory Server on
page 29

5
About This Guide

The Windchill Directory Server is the LDAP directory server that is bundled with
Windchill and is powered by OpenDS technology. This directory server replaces
the Aphelion Directory server that was bundled with previous releases of Windchill.
Windchill can use the Windchill Directory Server for maintaining users and user-defined
groups who have access to Windchill. The basic Windchill architecture includes the
LDAP directory server that is bundled with Windchill and can optionally include other
enterprise LDAP directory servers.
The Windchill Directory Server Administrator's Guide describes when and how to migrate
LDAP information from an existing Aphelion Directory Server to the Windchill Directory
Server. It also has reference information for configuring your Windchill Directory Server
and managing the data in the directory.
Check for updates to this guide using the Reference Documents link on PTC web site,
listed later in this chapter.
The intended audience for this guide is the person who is responsible for installing and
managing the Windchill Directory Server. The guide assumes that you have the following
knowledge and skills:
● Familiarity with LDAP directory server technology.
● Familiarity with the PTC Solution Installer (PSI).
● Familiarity with using command line tools.
● Access to the internet for getting to the OpenDS wiki.

Related Documentation
The following documentation may also be helpful:
● Windchill Installation and Configuration Guide - Advanced
● Windchill Installation and Configuration Guide - Updating Existing Installation
● Windchill System Administrator's Guide

7
● OpenDS 1.2 wiki ([Link]

Note
Although the OpenDS wiki provides a mailing list that can be used to report problems
and ask questions, do not use the mailing list; instead, contact PTC Technical Support
for all Windchill Directory Server issues.
For information about how to contact PTC Technical Support, see Technical Support
on page 8.
If a guide you are interested in reading is not installed at your site, see Documentation for
PTC Products on page 8.

Technical Support
Contact PTC Technical Support via the PTC Web site, phone, fax, or e-mail if you
encounter problems using this product or the product documentation.
For complete details, refer to Contacting Technical Support in the PTC Customer Service
Guide. This guide can be found under the Related Links section of the PTC Web site at:
[Link]
The PTC Web site also provides a search facility for technical documentation of particular
interest. To access this page, use the following URL:
[Link]
You must have a Service Contract Number (SCN) before you can receive technical
support. If you do not have an SCN, contact PTC Maintenance Department using
the instructions found in your PTC Customer Service Guide under Contacting Your
Maintenance Support Representative.

Documentation for PTC Products


You can access PTC documentation using the following resources:
● Windchill Help Page -- The Windchill Help Center is an online knowledgebase that
includes a universal index of all Windchill documentation; you can access it by
clicking a help icon or the Help link in any Windchill page header. You can search all
of the documentation at once, or use the advanced search capability to customize your
search. Once you have located a topic you want to reference later, you can bookmark
that topic for quick access and even save your own comments about the topic.
● Reference Documents Web Site -- All books are available from the Reference
Documents link of the PTC Web site at the following URL:
[Link]
A Service Contract Number (SCN) is required to access the PTC documentation from
the Reference Documents Web site. For more information on SCNs, see Technical
Support:
[Link]

8 Windchill® Directory Server Administrator's Guide


Comments
PTC welcomes your suggestions and comments on its documentation. Send comments
to the following address:
documentation@[Link]
Include the name of the application and its release number with your comments. For
online books, provide the book title.

About This Guide 9


Migrating from Aphelion to
1
Windchill Directory Server

Prerequisites........................................................................................................ 12
Migration Procedure ............................................................................................ 12

If you are updating or upgrading from a previous release of Windchill that used Aphelion
as its LDAP directory, you must migrate your LDAP information to the Windchill
Directory Server.

Note
If you are upgrading from a previous Windchill release and are using Aphelion, review
this chapter before upgrading Windchill or installing the Windchill Directory Server. In
particular, note that the Windchill Directory Server must not be installed as part of the
Windchill upgrade process.

11
Prerequisites
Note
If you are installing Windchill for the first time or are not currently using the Aphelion
Directory Server, you can skip the information in this chapter.
Starting with Windchill 9.0 M080 and Windchill 9.1 M030, the LDAP directory server
packaged with the release is the Windchill Directory Server rather than the Aphelion
Directory Server.
If you are upgrading from an earlier Windchill installation, and you are currently using the
Aphelion Directory Server, complete the following steps:
1. Upgrade your Windchill solution to the new release. Do not install the Windchill
Directory Server as part of this step. In the Windchill Directory Server drop-down
menu, select Configure to an existing instance. Later in the installation, you will
need to provide the port number and other configuration information for the existing
Aphelion Directory Server.
2. After the Windchill solution upgrade has been successfully completed and Windchill
is running properly with Aphelion, perform the migration procedure documented
in this chapter.
If you are updating your instance of Windchill by applying a maintenance release, and you
are currently using the Aphelion Directory Server, follow these steps:
1. Update Windchill to this new maintenance release. You will not be asked to install
the Windchill Directory Server.
2. After the Windchill update has been successfully completed and Windchill is running
properly with Aphelion, perform the migration procedure documented in this chapter.

Migration Procedure
The Aphelion Directory Server is being replaced with the Windchill Directory Server.
This section describes how to migrate existing Aphelion LDAP data from the Aphelion
LDAP directory to the new Windchill Directory Server and to modify your existing
system configuration to remove references to Aphelion. The migration is a manual
procedure performed before the current Windchill instance can be switched to use the
Windchill Directory Server.
When your Windchill solution was installed using Aphelion, Windchill was configured to
access Aphelion using configuration properties that defined the host, the port, a directory
administrator, and a password. Windchill does not require reconfiguration if both of the
following are true:
● You install the Windchill Directory Server using these same configuration properties.
● You migrate the Aphelion data to the Windchill Directory Server.
The tree structure of the Windchill Directory Server data must match the Aphelion LDAP
directory data. This structure is maintained by the migration procedure.

12 Windchill® Directory Server Administrator's Guide


Replacing the Aphelion Directory Server with the Windchill Directory Server requires
completing the following main tasks that are described in detail in the sections that follow:
1. Replace Aphelion with the Windchill Directory Server.
See Replacing Aphelion with Windchill Directory Server on page 13.
2. Import Aphelion data into the Windchill Directory Server.
See Importing Exported Data into the Windchill Directory Server on page 16.
3. Reconfigure Windchill (required only when you do not use the same host, port, and
LDAP administrator distinguished name and password for the Windchill Directory
Server installation as had been used for Aphelion).
See Manually Reconfiguring Windchill on page 17.
4. Verify the Windchill Directory Server installation.
See Verifying the Windchill Directory Server Installation on page 32.
5. Clean up system files and uninstall Aphelion.
See Cleaning Up Apache System Files and Uninstalling Aphelion on page 21.

Replacing Aphelion with Windchill Directory Server


To replace Aphelion with the Windchill Directory Server, follow these steps:
1. Determine the base distinguished names (Base DNs) that must be defined in the
Windchill Directory Server.

Note
The term Base DN used here refers to the highest level entry in the hierarchy of entries
held by an LDAP server. This term is related to the LDAP term Naming Context, which
refers to the set of entries, starting with the Base DN, that is held by an LDAP server.
The Base DN is sometimes called a suffix.
Use the following procedure to determine these Base DNs:
a. Open the LDAP browser. For information about how to open the browser, see
Starting the LDAP Browser on page 69.
The LDAP browser displays the Connect window.
b. Select the preferred connection name from the Session list and click Connect.
The BT LDAP Browser/Editor window opens.
c. Expand the Root DSE folder to see the entries at the top of the directory tree and
immediately below the Root entry. A Base DN must be defined in the Windchill
Directory Server for each of these entries.

Note
The cn=accessControlSubentry is an Aphelion-specific entry and should not be
used to define the Windchill Directory Server Base DNs.

Migrating from Aphelion to Windchill Directory Server 13


If only one Base DN needs to be defined, the window is similar to the following:

In your window, the Base DN that you are using is shown in place of
“o=MyCompany”.
If multiple Base DNs must be defined, the window shows multiple entries below
the cn=accessControlSubentry entry. For example, the following window shows
two Base DNs: dc=com and o=MyCompany:

If your window shows multiple entries below the cn=accessControlSubentry


entry, you must define more than one Base DN in the Windchill Directory Server.
However, only one Base DN can be defined during installation. When installing
Windchill Directory Server, specify one Base DN in the LDAP Base DN field,
replacing o=ptc.
If you need to define additional Base DNs, you must manually create them after
the installation is complete. For more information on this procedure, see Creating
Additional Base DNs on page 32.
Note
Be sure to create additional Base DNs before importing data.
2. Shut down Windchill and then Aphelion.

14 Windchill® Directory Server Administrator's Guide


You can use the windchill command to shut down Windchill. For windchill command
details, see the Windchill Installation and Configuration Guide - Advanced.
For details on shutting down Aphelion, see Starting and Stopping the Aphelion
Directory Server on page 65.
3. Use the Aphelion export utility to export all contents of the Aphelion LDAP directory
to an LDIF file.
For details, see Exporting Existing LDAP Directory Content on page 67.
The resulting [Link] file contains all the data from the Aphelion LDAP directory.
4. Examine the PTCLdap_lde.conf file to determine the port number, the LDAP
administrative user name, and the administrative password.
This file specifies the configuration information Aphelion uses when it starts, and
PTC recommends that the same information be used when installing the Windchill
Directory Server.
The following are typical file paths for the PTCLdap_lde.conf file:
● Windows
R:\usr\var\PTCLdap\PTCLdap_lde.conf
● UNIX
/usr/var/PTCLdap/PTCLdap_lde.conf
a. Open the PTCLdap_lde.conf file in a text editor.
b. Locate the port number. For example:
port 389

Use the same port number when you install the Windchill Directory Server using
PTC Solution Installer (PSI).
c. Under the lde database definitions heading, locate the rootdn and the rootpw.
For example:
rootdn “cn=Manager”
rootpw password

When installing the Windchill Directory Server, put the rootdn value in the
LDAP Server Administrator Distinguished Name field and the rootpw value
in the LDAP Server Administrator Password and the Confirm LDAP Server
Administrator Password fields.
If you decide that the Windchill Directory Server needs to be installed on a different
host or port, or with a different LDAP administrator or password, you can complete the
migration procedure as documented using whatever host, port, or LDAP administrator
you want, but you must also complete additional steps to reconfigure Windchill. See
Manually Reconfiguring Windchill on page 17.
5. Install the Windchill Directory Server as described in Installing the Windchill
Directory Server on page 29.
6. The Windchill Directory Server installation includes an LDAP data migration tool.
The tool removes Aphelion proprietary attributes and decrypts user passwords from
the exported Aphelion LDIF file.

Migrating from Aphelion to Windchill Directory Server 15


Execute the LDAP data migration tool by entering the following command from
a windchill shell:
java -jar <WindchillDS>/tools/[Link]
-input <ldif_from_Aphelion> -output <file_to_import_into_WindchillDS>

where <WindchillDS> is the directory where the Windchill Directory Server is


installed.
Use the file created in this step in the next task.

Importing Exported Data into the Windchill Directory


Server
After the Aphelion data has been exported from Aphelion and cleaned up to remove
Aphelion-specific information, you can import the resulting LDIF file into the Windchill
Directory Server.
Note
Before importing data, ensure that you have all required Base DNs created in the
Windchill Directory Server. One Base DN is defined during the installation. Additional
Base DNs must be manually created. See Replacing Aphelion with Windchill Directory
Server on page 13.
Use the following steps to import the exported data:
1. Start the Windchill Directory Server control panel by running the following command.
Log in as the directory administrator.
● Windows
<WindchillDS>\server\bat\[Link]
● UNIX
<WindchillDS>/server/bin/control-panel
2. Click Stop to stop the Windchill Directory Server.
3. Import the Aphelion LDAP directory entries into the Windchill Directory Server by
completing the following steps:
a. Select Directory Data ▶ Import LDIF in the control panel.
b. Ensure that the Backend drop-down list is set to userRoot.
c. In the File to Import field, enter the location of the migrated LDIF file from a
previous task.
d. For Import Type, use the default (Overwrite Any Existing Data) when importing
data that was exported from Aphelion into a new Windchill Directory Server.
If you have existing data that you do not want replaced, you can select Append to
Existing Data; however, do not also select Replace Entries that have Matching
DN’s with Imported Values.
Note
Selecting Replace Entries that have Matching DN’s with Imported Values
makes the resulting node structure unusable. Currently, there is no way to append
new entries to existing data and also replace existing entries with imported values.

16 Windchill® Directory Server Administrator's Guide


e. Select Write Rejected Entries to a File and browse to select a file path. The file
path should be a full file path.
f. Select Write Skipped Entries to a File and enter a file path. The file path should
be a full file path.
g. To perform the import, click OK.
h. Check the rejected file and skipped file to determine if any entries failed to import.
Only a few entries, if any, should appear. If they are Aphelion-specific, you can
ignore the entries. If they are entries for users, groups, or any other Windchill data,
correct the entries and ensure that the entries are added before continuing.
The output from the import includes a completion message and a count of the
number of entries imported.

Note
An Aphelion LDIF file normally contains an entry with objectclass=accessControl-
Subentry. This is an Aphelion-only entry and is not valid in theWindchill Directory
Server; therefore, it appears in the rejected file and can be ignored.
Some sites may have created password policies which would cause entries with
objectClass=pwdPolicy to be rejected. These rejected files can be ignored during
the import operation. For more information on password policies, see Setting
Windchill Directory Server Password Policies on page 36.
If rejected entries are related to users, groups, or any other Windchill data, correct
the problem in the LDIF file and repeat the steps to import it.
After the import step has succeeded, the Windchill Directory Server contains all
the data that was in the Aphelion directory, including all the entries that comprise
the hierarchy in the directory information tree.

Manually Reconfiguring Windchill


Note
If you have followed the recommended migration steps that have you use the same host,
port, and LDAP administrative user that were used with Aphelion, you can skip this
section. For more information, see Migration Procedure on page 12.
Windchill is configured to connect to an LDAP server. If, as part of your migration
from Aphelion to Windchill Directory Server, you have configured any of the following
settings to values that are different from the values used for Aphelion, you must manually
reconfigure your Windchill system:
● Windchill Directory Server host
● Windchill Directory Server port

Migrating from Aphelion to Windchill Directory Server 17


● LDAP administrative distinguished name (DN) or password

Note
The data content of the new Windchill Directory Server must be identical to the data
content of your existing Aphelion Directory Server. This includes the hierarchical tree
structure and the contents of the entries.
To manually reconfigure your Windchill system, complete those tasks from the following
list that are appropriate for your Windchill system:
● Update the JNDI adapter entries in the new Windchill Directory Server that were
imported from Aphelion. This task is required if you have changed the LDAP host or
port.
See Updating JNDI Entries on page 18.
● Update Windchill properties files. This task is required if you have changed the LDAP
host or port or have changed the LDAP administrative DN or password.
See Updating Windchill Properties on page 19.
● Reconfigure Apache or the web server being used. This task is required if you have
changed the LDAP host or port.
See the documentation for the web server that you are using to determine the
reconfiguration procedure.
For complete Apache reconfiguration information, see the Windchill Installation and
Configuration Guide - Advanced.
● If you have installed other products that directly connect to the LDAP server, you may
need to reconfigure these products as well.
To determine if changes are required, see the appropriate documentation for those
products. For example, if you have installed Windchill Business Reporting, see the
Windchill Installation and Configuration Guide - Advanced for information on the
LDAP configuration that is required for that product. For third-party products such as
the Sun Java Web Server and IBM HTTP Server, see your product documentation.
If your system is set up in any of the following ways, be aware that you may need to make
modifications to the instructions provided in this section:
● The system uses a separate enterprise LDAP directory.
● The system has set up non-privileged LDAP access.
● The system has other Windchill configuration changes affecting your LDAP server.

Updating JNDI Entries


The JNDI adapter entries in your LDAP directory provide the attributes that Windchill
uses to access other services such as LDAP. If you change the LDAP host or port number,
you must update the appropriate Windchill JNDI adapter entries.
Typically, you need to update three JNDI adapter entries. To locate the entries, start the
Windchill Directory Server control panel and browse the directory to find the entries. The
three entries are located under an entry with a DN similar to:
dc=MyHostName,dc=MyCompany,dc=com,cn=configuration,cn=Windchill_9.x,

18 Windchill® Directory Server Administrator's Guide


o=MyCompany

The three entries you need to modify have names similar to:
ptcServiceName=[Link]
ptcServiceName=[Link]
ptcServiceName=[Link]-pending

where [Link] represents the inverted format of the fully qualified server
domain (such as [Link]) and MyHostName represents the host name of the
Windchill server (such as host123). For information about identifying domain and host
names, see the Windchill Installation and Configuration Guide - Advanced.
Each of the previous entries contains a ptcProperty attribute with several values. The
content of the appropriate ptcProperty value varies depending on the entry you are
modifying. Modify the value of the ptcProperty attribute that contains the LDAP URL to
reflect the new host name and port number. When modifying the value, change only the
host and port number of that value.
Review the following samples to help determine the appropriate value of the ptcProperty
attribute for each of the above three entries on your system:
● For the ptcServiceName=[Link] entry, the value is similar to:
[Link]=ldap://
<fully_qualified_hostname>:<LDAP_port_number>
● For the ptcServiceName=[Link] entry, the
value is similar to:
[Link]=ldap://
<fully_qualified_hostname>:<LDAP_port_number>
● For the ptcServiceName=[Link]-pending
entry, the value is similar to:
[Link]=ldap://
<fully_qualified_hostname>:<LDAP_port_number>

Note
Port 389 is the default. If no port number is present, 389 is assumed.
Replace the existing <fully_qualified_hostname> and
<LDAP_port_number> in the JNDI adapter entries with the new values
for your Windchill Directory Server.

Updating Windchill Properties


To reflect any changes to the LDAP host or port, or changes to the LDAP administrative
DN or password, you must update Windchill properties files.
Updating properties involves using the xconfmanager utility to update your [Link]
file. The xconfmanager commands shown have been formatted to fit the page; enter
each command on one line.
PTC recommends that you make a backup copy of your [Link] file before making any
changes. Then, if you encounter problems, you can restore the original [Link] file.

Migrating from Aphelion to Windchill Directory Server 19


Review the following steps to determine how to make the required updates on your system.

Note
The specific changes you need to make depend on your Windchill configuration and any
changes you have made to it.
The following steps illustrate how to make updates to an out-of-the-box installation:
1. Navigate to the Windchill installation directory and create a backup copy of your
[Link] file.
2. Start a windchill shell.
3. From the windchill shell, update the Windchill properties in the using xconfmanager
commands similar to the following:
● For changes to the port or host of the LDAP server:
xconfmanager -s
"[Link]=<new-fully-qualified-LDAP-hostname>"
-t "codebase/WEB-INF/[Link]"

xconfmanager -s "[Link]=<new-LDAP-port-number>"
-t "codebase/WEB-INF/[Link]"

xconfmanager -s “[Link]=ldap://
<new-fully-qualified-LDAP-hostname>:<new-LDAP-port-number>”

● For changes to the LDAP administrative DN or password:


xconfmanager -s “[Link]=<new-LDAP-manager-password>”
-t “codebase/WEB-INF/[Link]"

xconfmanager -s “[Link]=<new-LDAP-manager-DN>”
-t “codebase/WEB-INF/[Link]"

Updating the [Link] file also updates mapcredentials values for both
the Ldap adapter and the [Link]-pending adapter.
4. If you have made changes to the LDAP administrative DN or password, you also need
to use the xconfmanager to modify the [Link] file as follows:
● Remove an extraneous entry for the Ldap adapter by entering a command similar
to the following:
xconfmanager --remove "[Link]=
[Link]^cn=OldManager^oldpassword"
-t "codebase/WEB-INF/[Link]"
● Remove the old information for the enterprise LDAP connector and add new
information by entering commands similar to following.

Note
Skip this step if you are using a separate enterprise LDAP directory server.
xconfmanager --remove "[Link]=
[Link]^cn=OldManager^oldpassword"
-t "codebase/WEB-INF/[Link]"

xconfmanager --add "[Link]=


[Link]^cn=NewManager^newpassword"

20 Windchill® Directory Server Administrator's Guide


-t "codebase/WEB-INF/[Link]"

Note
In these commands, replace OldManager, NewManager, oldpassword, and
newpassword with the appropriate values for your Windchill Directory Server. Be
sure to keep the ^ character between the values.
5. Apply all of the changes you have made to the [Link] file to the corresponding
properties files by entering the following command:
xconfmanager -p

Cleaning Up Apache System Files and Uninstalling


Aphelion
Complete the following steps to clean up any system configuration files that were used
with Aphelion and to uninstall Aphelion:
1. If you installed the Aphelion Web Tools and are using the Apache Web server, update
the Apache configuration as follows so that the Aphelion configuration file is not
referenced:
a. Locate the following Apache configuration file on the instance of Apache being
used by Windchill and Aphelion:
<Apache>/conf/extra/[Link]
where <Apache>is the Apache installation directory.
b. Open the [Link] file in a text editor.
c. Add the comment character to the beginning of the [Link] line in the
file as follows:
#Include conf/extra/[Link]
d. Save your changes and close the file.
Updates to the Apache [Link] file are in effect the next time you start
Apache.
Note
After making this change, you can no longer use the Aphelion Web Tools.
If you are using a Web server other than Apache with the Aphelion Web Tools, check
your Web server configuration to ensure that any references to the web tools have
been removed.
2. If you are using UNIX and have created a script that starts the Aphelion every time
you reboot your machine, disable the script.
For details on how to generate a new shell script to start, stop, and restart the Windchill
Directory Server, see Starting the Windchill Directory Server on page 27.
3. Uninstall Aphelion.

Migrating from Aphelion to Windchill Directory Server 21


For details, see Uninstalling Aphelion on page 68.

Note
You may want to leave the Aphelion Directory installed for a period of time as a
backup. If you choose to do so, modify the port number in the Aphelion configuration
file, PTCLdap_lde.conf, so the Aphelion and the Windchill Directory Server ports
do not conflict.

22 Windchill® Directory Server Administrator's Guide


Managing a Windchill Directory
2
Server

Updating Windchill Directory Server to the Latest Maintenance Release ........... 24


Starting the Control Panel ................................................................................... 27
Starting the Windchill Directory Server................................................................ 27
Stopping the Windchill Directory Server .............................................................. 28
Disabling or Enabling Windchill Directory Server as a Windows Service............ 28
Controlling Access to the Windchill Directory Server Commands ....................... 29
Installing the Windchill Directory Server .............................................................. 29
Creating Additional Base DNs ............................................................................. 32
Verifying the Windchill Directory Server Installation ............................................ 32
Uninstalling the Windchill Directory Server.......................................................... 32

The Windchill Directory Server management utility, called the control panel, provides a
graphical user interface (GUI) from which you can perform common Windchill Directory
Server management activities.
To use the Windchill Directory Server control panel, you must log on to a machine
as a user who has access to the Windchill Directory Server installation. The Windchill
Directory Server control panel does not support remote access. Once you have logged
on to the machine, you must start the control panel and authenticate using the Windchill
Directory Server Administrator DN and password that was defined when you installed
the Windchill Directory Server.
For further information on the Windchill Directory Server management tools, see the
OpenDS 1.2 Wiki.
Although the OpenDS wiki provides a mailing list that can be used to report problems
and ask questions, do not use the mailing list; instead, contact PTC Technical Support
for all Windchill Directory Server issues.
For information about how to contact PTC Technical Support, see Technical Support
on page 8.

23
Updating Windchill Directory Server to
the Latest Maintenance Release
The Windchill Directory Server software is managed separately from Windchill. This
section describes how to update an existing installation to the latest Windchill Directory
Server.
Note
If you are currently using the Aphelion Directory Server, you must migrate your LDAP
information to the Windchill Directory Server. Instead of using the steps described in this
section, see Migrating from Aphelion to Windchill Directory Server on page 11.
When your Windchill solution was installed, Windchill was configured to access
Windchill Directory Server using configuration properties that defined the host, the port,
a directory administrator, and a password. Windchill does not require reconfiguration
if both of the following are true:
● You install the Windchill Directory Server using these same configuration properties.
● You import the data that was exported from your existing installation to the latest
Windchill Directory Server.
The tree structure of the Windchill Directory Server data must match the existing LDAP
directory data.
Updating the Windchill Directory Server requires completing the following main tasks:
1. Update your Windchill solution to the latest maintenance release.
Note
You do not update the Windchill Directory Server when you are updating your
Windchill solution.
For details, see the Windchill Installation and Configuration Guide - Updating
Existing Installation.
2. Verify that Windchill is working properly with your existing version of the Windchill
Directory Server.
3. Stop Windchill and then stop Windchill Directory Server.
4. If Windchill Directory Server is running as a Windows service, disable the service.
See Disabling or Enabling Windchill Directory Server as a Windows Service on
page 28.
5. Export your current LDAP data from the existing Windchill Directory Server as
described in Exporting Entries to an LDIF File on page 63. Save the LDIF file
outside of the directory structure where Windchill Directory Server is installed so it is
accessible when you are ready to import the data in a later step.
6. Examine the Windchill Directory Server configuration and record the existing settings
for the following:
● Administrative user name and password
● LDAP port number

24 Windchill® Directory Server Administrator's Guide


● JMX port number
● Administrative port number
● All Base DNs
For details on locating these settings, see Viewing Windchill Directory Server
Configuration Settings on page 26.
7. Ensure that Windchill Directory Server is not running and that all Windchill Directory
Server control panel windows are closed.
8. Preserve the existing the Windchill Directory Server installation as a backup by
renaming the installation directory.
For example if the existing installation directory is
C:\ptc\Windchill_9.1\WindchillDS, rename it to
C:\ptc\Windchill_9.1\[Link]. If you receive an error when
renaming the directory, verify again that the Windchill Directory Server is not running
and that there are no control panel windows open.
Preserving the existing installation allows you to easily return to your existing version
if there are issues that come up with the new version.
9. Install the latest version of the Windchill Directory Server in the same installation
directory that was used for the earlier version of the Windchill Directory Server. For
example if you used the default installation path on a Windows platform, the path is
C:\ptc\Windchill_9.1\WindchillDS.
Perform the installation as described in Installing the Windchill Directory Server on
page 29. Use the information recorded in the previous step to install the server.
Only one Base DN can be defined during the installation. If there are multiple Base
DNs that need to be defined, define the additional Base DNs after the installation
completes successfully and before importing LDAP data. See Creating Additional
Base DNs on page 32.
If you do not use the information recorded in the previous step, you must manually
reconfigure Windchill. The process of manually reconfiguring Windchill after an
update is similar to the process documented as part of the migration process. See
Manually Reconfiguring Windchill on page 17.
10. Import the LDAP data that was exported from your existing Windchill Directory
Server into the new Windchill Directory Server.
See Importing Entries on page 64.
11. Start the Windchill Directory Server and then start Windchill.
See Starting the Windchill Directory Server on page 27.
12. Verify the Windchill Directory Server installation.
See Verifying the Windchill Directory Server Installation on page 32.
13. Uninstall your preserved installation of Windchill Directory Server.
See Uninstalling the Windchill Directory Server on page 32.
Note
Be sure to navigate to the backed up directory and not the newly installed directory.

Managing a Windchill Directory Server 25


14. Update the Windchill installation registry to reflect only the newly installed
Windchill Directory Server using the PsiEdit tool that is installed at
<installation_directory>\installer\instreg\[Link]
a. Display the Windchill Directory Server registry paths that are in the Windchill
installation registry by navigating to the PsiEdit directory and entering the
following command from a command prompt:
java -jar [Link] --all_installs_report

The output will have two entries for the Windchill Directory Server. The dates on
the entry lines identify when the installation occurred. The registry path will be
similar to the following:
<WindchllDS>\installer\instreg\ii22449495.1243aac6549.-8000

where <WindchllDS> is the Windchill Directory Server installation directory.


b. To remove the old entry, locate the full registry path from the output for the
older version of the directory server and include that path in the following Java
command:
java -jar [Link] --remove_windchillds
--registryfile=<registry_path>

Viewing Windchill Directory Server Configuration


Settings
You can use the Windchill Directory Server control panel to view most of the configuration
settings that are required when you install a new version of the server to replace the
existing version. The configuration settings are:
● LDAP port number
● JMX port number
● Administrative port number
● All Base DNs
Additionally, you must know the administrative user name and password. This is the user
name and password you are running under when you access the control panel.
Complete following steps view the port numbers and Base DNs:Windchill Directory
Server using the control panel:
1. Start the control panel.
For more information, see Starting the Control Panel on page 27.
The port numbers are listed in the main window.
2. To view the Base DNs, complete the following steps from the main control panel
window:
a. Click Directory Data ▶ Manage Entries.
b. Select the Base DN drop-down list.
Base DNs are listed under userRoot.

26 Windchill® Directory Server Administrator's Guide


Starting the Control Panel
The control panel allows you to start and stop the directory server, manage the LDAP
entries, backup your LDAP data, and perform other administrative tasks.
1. Start the control panel application using one of the following options:
Windows
a. Navigate to <WindchillDS>\server\bat.
b. Double-click the control panel command, or, from the Start menu, click Windchill
LDAP Administration.
UNIX
Run the control-panel command from the command line in the terminal window,
as follows:
a. Change the directory to <WindchillDS>/server/bin/.
b. Execute the following: control-panel.
2. The Authentication Required window displays the fields for the bind DN and the
password of an administrative user. The default value for the bind DN is for the root
DN user: cn=Manager. When prompted for authentication, specify the password
you used when you installed the Windchill Directory Server, then click OK.
The Windchill Directory Server Control Panel opens.
When you have completed your work, click File ▶ Exit to close the window.

Starting the Windchill Directory Server


On Windows platforms, the Windchill Directory Server is not installed as a Windows
service; you will need to start the Windchill Directory Server every time you reboot the
machine. For information about enabling the Windchill Directory Server as a Windows
service, see Disabling or Enabling Windchill Directory Server as a Windows Service on
page 28.
On UNIX platforms, you will need to start the Windchill Directory Server every
time you reboot the machine. You can generate a shell script to start, stop, and
restart the directory server by using the command create-rc-script in the
<Windchill>/server/bin directory. For example, enter the following command to
generate a startup script:
create-rc-script –f <start_WindchillDS_script>.

where <start_WindchillDS_script> is the name of the script being generated.


To see a list of available options for use in generating the script, you can enter
create-rc-script --help.
This startup script can be used to automatically start the Windchill Directory Server at
boot time. The method to invoke this script at boot time varies by platform; if you do not
have the expertise to set up this capability, contact your system administrator.

Managing a Windchill Directory Server 27


The following steps explain how to start the Windchill Directory Server using the control
panel.
1. Start the control panel. For more information, see Starting the Control Panel on
page 27.
2. Click Start.

Stopping the Windchill Directory Server


If you are backing up your database or performing other maintenance activities, stop the
Windchill Directory Server before performing the activities. By stopping the server, you
keep the server from interfering with the backup or other activities.
The following steps explain how to stop the Windchill Directory Server using the control
panel:
1. Start the control panel.
For more information, see Starting the Control Panel on page 27.
2. Click Stop.

Disabling or Enabling Windchill Directory


Server as a Windows Service
The following steps explain how to use the control panel to disable or enable the Windchill
Directory Server as a Windows service.
Note
The installation of the Windchill Directory Server does not enable the server as a Windows
service.
If you specified a mapped or SUBST drive in the file path for the Windchill Directory
Server installation directory, do not run the server as a Windows service. Enabling the
Windchill Directory Server as a Windows service when the installation file path is either a
mapped or SUBST drive causes errors when attempting to start and monitor the server
with the control panel.
Additionally, if you want to install multiple instances of the Windchill Directory Server on
one Windows system, you cannot have multiple servers running as a Windows service.
1. Open the control panel. For more information, see Starting the Control Panel on
page 27.
2. Click Stop to stop the Windchill Directory Server.
3. Click the Runtime Options tab.
4. Click the Windows Service tab. The window that opens indicates if the Windows
service is enabled.
● To enable the Windchill Directory Server as a Windows service, click Enable.
● To disable the Windchill Directory Server as a Windows service, click Disable.

28 Windchill® Directory Server Administrator's Guide


5. Click Close to close the Windows Service window.
6. From the main control panel window, optionally restart the Windchill Directory Server
by clicking Start.

Controlling Access to the Windchill


Directory Server Commands
The Windchill Directory Server is configured and controlled by command line tools.
Access to these command line tools is controlled by normal file system permissions.
On Windows, these commands are not shared and are available only to a user with
administrator privileges. The command line tools are in the following directories:
<WindchillDS>/server

and
<WindchillDS>/server/bat

Note
On Windows XP, any user that can log in and access the installation, can run the
commands.
On UNIX, the command line tools are in the following directories:
<WindchillDS>/server

and
<WindchillDS>/server/bin

Note
The Windchill Directory Server allows only the owner of the files in the Windchill
Directory Server home directory to administer the directory. If other users execute the
commands, the command fails with the following error message:
Current user is not owner of the instance. Only [<owner of the
command file>] can run this command.

Note
Communication from the command line tools and the directory server uses SSL over
the directory server administration port.

Installing the Windchill Directory Server


Use the following procedure to install the Windchill Directory Server when you are
migrating from the Aphelion Directory Server to Windchill Directory Server or when you
are updating an existing Windchill Directory Server to the latest version.

Managing a Windchill Directory Server 29


If you are installing the Windchill Directory Server as part of a new Windchill installation,
you can select to install and configure Windchill Directory Server as one of the platform
components. For installation details, see the Windchill Installation and Configuration
Guide - Advanced.
Note
Before installing the Windchill Directory Server, ensure that there is no existing instance
of the server installed in the installation file path you are going to use for the Windchill
Directory Server. You cannot install over an existing instance; uninstall the existing
instance or rename the installation directory before installing the Windchill Directory
Server. Before uninstalling an existing instance or renaming the installation directory, be
sure to stop the server, disable it as a Windows service (on Windows platforms), and close
any Windchill Directory Server control panel windows. For details on how to uninstall a
Windchill Directory Server, see Uninstalling the Windchill Directory Server on page 32.
If you are installing the Windchill Directory Server as part of migrating from Aphelion to
Windchill Directory Server, follow the steps laid out in the Migrating from Aphelion to
Windchill Directory Server on page 11; do not go directly to the steps in this procedure.
Following the steps in the migration process ensures that the installation of Windchill
Directory Server is completed at the correct point in the process.
Similarly, if you are installing the Windchill Directory Server as part of updating to the
latest maintenance release, follow the steps laid out in Updating Windchill Directory
Server to the Latest Maintenance Release on page 24; do not go directly to the steps in
this procedure.
Install the Windchill Directory Server using the PTC Solution Installer (PSI).

Note
On UNIX systems, only the user who installed the Windchill Directory Server is permitted
to use the control-panel or other Windchill Directory Server administrative functions.
Therefore, carefully consider which identity to use when performing the Windchill
Directory Server installation.
1. Select the Advanced installation type option. Then select Install a Standalone
Product or Component.
2. Choose Windchill Directory Server.
3. As you enter the information to define the settings required for installing Windchill
Directory Server, be aware of the following:
● Do not specify a Uniform Naming Convention (UNC) path name (such as
\\host\path\to\JDK) for either the Java SDK or the Windchill Directory
Server installation directory file paths. Additionally, if you specify a mapped or
SUBST drive in the file path for the Windchill Directory Server, you cannot run
the server as a Windows service.
● When replacing Aphelion with the Windchill Directory Server, the port number,
administrative distinguished name, administrative password, and the LDAP Base
DN that you specify are those identified earlier in the migration procedure.
When updating to the latest version of the Windchill Directory Server, the port
number, administrative distinguished name, administrative password, and the
LDAP Base DN that you specify are those identified in the update procedure.

30 Windchill® Directory Server Administrator's Guide


For example:

In the LDAP Base DN field, be sure to replace “o=ptc” with the Base DN that was
used with Aphelion or with an earlier version of the Windchill Directory Server.
4. Complete the remaining installation steps as directed by PSI.
For additional details on using PSI to install the Windchill Directory Server, see the
Windchill Installation and Configuration Guide - Advanced.
Note
On Windows 2008 servers, you cannot start or stop the Windchill Directory Server when
the User Account Control (UAC) feature is enabled. Although you can open the Control
Panel, you also cannot authenticate and therefore, cannot view or modify directory
entries. Complete the following steps to disable UAC:
1. From your Windows 2008 Control Panel, click User Accounts.
2. In the User Accounts window, click User Accounts (skip this step is you are using
the classic Control Panel view).
3. Click Turn User Account Control on or off.
4. Clear the Use User Account Control (UAC) to help protect your computer check
box and click OK.
5. If the User Account Control window displays, click Continue.
6. Click Restart Now or Restart Later and close the User Accounts window.
You must restart your system to disable UAC.

Managing a Windchill Directory Server 31


Creating Additional Base DNs
Additional Base DNs can be defined with the Windchill Directory Server control panel.
To define additional Base DNs, follow these steps:
1. Open the Windchill Directory Server control panel.
For more information, see Starting the Control Panel on page 27.
2. Select Directory Data ▶ New Base DN.
3. Ensure that the Backend drop-down menu is set to userRoot.
4. Enter the Base DN. For example, dc=com.
5. Ensure that Only Create Base Entry is selected.
6. Click OK.

Verifying the Windchill Directory Server


Installation
After you have imported the LDIF file into the Windchill Directory Server, you must
verify that your Windchill Directory Server installation was successful. To do so, follow
these steps:
1. Verify that the Windchill Directory Server control panel is running. If the control panel
is not running, start it. For more information, see Starting the Control Panel on page 27.

Note
You can use the control panel Manage Entries option to verify that the Windchill
Directory Server is running and that it contains the same entries as Aphelion (if you
are migrating from Aphelion) or an earlier version of the Windchill Directory Server
(if you are updating the Windchill Directory Server). However, this does not verify
correct operation with Windchill.
2. Start your Windchill solution and verify correct operation. If Windchill starts and users
can log in, then the Windchill Directory Server installed correctly.

Uninstalling the Windchill Directory


Server
Note
If the Windchill Directory Server is installed on Windows and is running as a Windows
service, you must disable the Windows service before uninstalling Windchill Directory
Server. For details on disabling the Windows service, see Disabling or Enabling Windchill
Directory Server as a Windows Service on page 28.

32 Windchill® Directory Server Administrator's Guide


Complete the following steps to uninstall the Windchill Directory Server:
1. If the Windchill Directory Server contains entries you want to save, export the data as
described in Exporting Entries to an LDIF File on page 63.
2. If the Windchill Directory Server is running, stop it.
For details on stopping the Windchill Directory Server, see Stopping the Windchill
Directory Server on page 28.
3. If you have any Windchill Directory Server control panel windows open, close them.
If control panel windows are open when you are uninstalling the Windchill Directory
Server, some files are in use and cannot be deleted.
4. Start the uninstall process using the following steps:
Windows
a. Navigate to <WindchillDS>\server.
b. Double-click the [Link] file.
UNIX
a. Navigate to <WindchillDS>/server.
b. Execute the uninstall command.
A new Uninstall window opens:

5. Select the appropriate options.


6. Click Uninstall to remove the directory server instance.
Note
Uninstalling will remove most of the files associated with the Windchill Directory
Server. If there are remaining files, you will need to manually delete them.
7. After the process completes, manually remove any remaining files.

Managing a Windchill Directory Server 33


Configuring a Windchill
3
Directory Server

Using the dsconfig Command ............................................................................. 36


Setting Windchill Directory Server Password Polices.......................................... 36
Managing the Windchill Directory Server Logging............................................... 50

This chapter explains how to use command to configure the Windchill Directory Server.

35
Using the dsconfig Command
The dsconfig command allows you to manage, create, and remove the base
configuration for a directory service instance. The utility provides functions that help you
manage your configurations in the following areas:
● Core server.
● Database.
● Logging. See Managing the Windchill Directory Server Logging on page 50.
● Replication.
● Security.
● User management, such as locking user accounts and setting user passwords. See
Managing User Accounts on page 55.
● Setting password policies. See Setting Windchill Directory Server Password Polices
on page 36.
From the <WindchillDS>/server/bat command line, enter dsconfig
commands.
The dsconfig can be run in interactive mode or by command line. To determine the
exact command line to use, consider running dsconfig in interactive mode and adding
the ––displayCommand option to display the equivalent command line that can be
used. The commands shown in this guide are command line examples that include the
––no-prompt option and have been formatted to fit the page; enter each command on
one line or, on UNIX systems, use \ as the continuation character at the end of each line.
For complete documentation on the usage of dsconfig, see the OpenDS 1.2 wiki.

Note
Although the OpenDS wiki provides a mailing list that can be used to report problems
and ask questions, do not use the mailing list; instead, contact PTC Technical Support
for all Windchill Directory Server issues.
For information about how to contact PTC Technical Support, see Technical Support
on page 8.

Setting Windchill Directory Server


Password Polices
Your site password policy is defined in and enforced by your LDAP directory service.
Windchill does not place any restrictions on passwords.
By default, the Windchill Directory Server defines no password policy; however, the
directory server supports password policies. For example, you can set the following:
● A list of excluded passwords that are defined in a dictionary that is maintained in
<WindchillDS>/server/config/[Link].

36 Windchill® Directory Server Administrator's Guide


● Password expiration.
● Password history rules.
● Password syntax, including any of the following:
○ Whether characters can be repeated
○ How many unique characters there must be
○ How long the password must be
○ Whether the password must contain capital letters, integers, or special characters
○ Whether the password can be the same as another user attribute, such as the user's
name
Use the dsconfig comand utility in either command-line or interactive mode to set
password policies. This utility allows you to set multiple password policies and then
associate specific policies with groups of users. To set up a password policy, you must
decide on the policy properties and validators that you want enabled. The following
sections provide descriptions of the password policy properties and other password
policy details.

Password Policy Properties


The following is the list of configurable properties provided by the Windchill Directory
Server. This list includes all properties that are available in the interface as a result of
the Windchill Directory Server being built on OpenDS, even though some properties
are not supported because of the Windchill environment. Included is a description of
each property, its default value, and information about how setting the property impacts
your Windchill environment. When a property is not supported, that fact is listed in the
Windchill environment impact information.
Note
In a Windchill environment, the web server is responsible for validating that a user can log
on. Several password policy properties described in the following list cause the Windchill
Directory Server to use extended LDAP controls that then return extra information to the
web server. The web servers that are supported in your Windchill environment do not
include support for these extended controls; therefore, unless you customize your web
server, the web server ignores the extra information that is sent. When this happens, a
user can get into a state of not being able to log on. Therefore, the properties that cause
extra information to be sent are listed as not supported.
The values set by many of the following properties are stored in attributes that are
viewable from your Control Panel - Manage Entries window. To view attributes,
navigate to the password policy entry from the tree in the left pane. For example, first
select the All Base DNs option from the Base DN field. Then open the following entries
to locate the default password policy:
cn=cofig
Password Policies

Under Password Policies, select Default Password Policy and


the attributes display in the right pane. The names of many of the attributes are
the corresponding property names prefixed by the ds-cfg- characters. For

Configuring a Windchill Directory Server 37


example, the attribute where the max-password-age value is stored is named
ds-cfg-max-password-age. Although many of these attributes can be set from the
Control Panel, PTC recommends using the dsconfig command to set values.
When specifying time in any of the following property settings, use the following format:
value time-unit
where value is an integer value and time-unit is one of the following:
● milliseconds
● seconds
● minutes
● hours
● days
● weeks
The short forms for time-unit are: ms, s, m, h, d and w.
account-status-notification-handler
The account status notification handler is used to send messages when events occur
during the course of password policy processing. This property specifies the DNs of
the account status notification handlers that should be used for this password policy.
Default: There is no account status notification handler set up in the Windchill
Directory Server and this property is not set.
Windchill Environment Impact: After setting up an account status notification handler
and setting this property, users receive email notifications relating to the password
policy for which this property is set. For example, after you have set up user email
notifications, users receive email notifications when their accounts are locked. The
notification includes the reason for locking the account.
For the list of steps that are required to set up user email notifications, see Setting Up
Email Notifications for Password Policy Events on page 45.
allow-expired-password-changes
Indicates whether users are allowed to change their passwords after the passwords
have expired.
Default: Property is not set.
Windchill Environment Impact: Not supported; without modifications to your web
server, this feature cannot be used.
allow-user-password-changes
Indicates whether users are allowed to change their own passwords if they have access
control rights to do so.
Default: True.
Windchill Environment Impact: To use this feature, you must enable the Password
Change user interface. For the details on how to enable this interface and for the set of
tasks to complete to configure password management in Windchill, see the Windchill
System Administrator's Guide.
default-password-storage-scheme

38 Windchill® Directory Server Administrator's Guide


Specifies the DNs for the password storage schemes that are used to encode clear-text
passwords for this password policy.
Default: Salted SHA-1
Windchill Environment Impact: No impact; the schemes used to encode clear text
are only used internally by the Windchill Directory Server and have no effect on its
interaction with your Windchill solution.
deprecated-password-storage-scheme
Specifies the DNs for password storage schemes that are considered deprecated for
this password policy. If a user with this password policy authenticates to the server
and his password is encoded with any deprecated schemes, those values are removed
and replaced with values encoded using the default password storage scheme.
Default: Property is not set.
Windchill Environment Impact: No impact; the schemes used to encode clear text
are only used internally by the Windchill Directory Server and have no effect on its
interaction with your Windchill solution.
expire-password-without-warning
Indicates whether user passwords are allowed to expire even if the user has not yet
seen a password expiration warning. If this property is set to false, the user is always
guaranteed to see at least one warning message even if the password expiration time
has passed. The expiration time is then reset to the current time plus the warning
interval (ds-cfg-password-expiration-warning-interval).
Default: True
Windchill Environment Impact: Not supported; a default value of true must be used
unless you have made modifications to your web server to support this feature.
force-change-on-add
Indicates whether users are required to change their passwords the first time they use
their accounts and before they are allowed to perform any other operation.
Default: Property is not set.
Windchill Environment Impact: Not supported; without modifications to your web
server, this feature cannot be used.
force-change-on-reset
Indicates whether users are required to change their passwords after an administrative
password reset and before they are allowed to perform any other operation.
Default: Property is not set.
Windchill Environment Impact: Not supported; without modifications to your web
server, this feature cannot be used.
grace-login-count
Specifies the maximum number of grace logins that users should be given. Grace
logins makes it possible for users to authenticate to the server after their passwords
have expired, but the users are not allowed to do anything else until they have
changed their passwords.
Default: Property is not set.

Configuring a Windchill Directory Server 39


Windchill Environment Impact: Not supported; without modifications to your web
server, this feature cannot be used.
idle-lockout-interval
Specifies the maximum length of time that a user account can remain idle (that is, that
the user can go without authenticating to the directory) before the server locks the
account.
Default: 0
Windchill Environment Impact: No impact unless this property is set to a nonzero
value and last login time tracking is set up (see Setting Up Time Tracking for Last
Logins on page 46). Then, users are required to log in to the Windchill solution within
the specified time or users will be locked out.
last-login-time-attribute
Specifies the name of the attribute in the user's entry that is used to hold the last login
time for the user.
Default: Property is not set.
Windchill Environment Impact: When set, the property provides the user attribute to
query for determining the time the a user last logged into Windchill. The Windchill
Directory Server has defined the ds-pwp-last-login operational attribute for this
purpose.
If you want to track the last time users login, set this property to ds-pwp-last-login and
complete the additional tasks needed to set up last login time tracking. See Setting Up
Time Tracking for Last Logins on page 46.
last-login-time-format
Specifies the format string that should be used to generate the last login time values.
The value can be any valid format string that can be used in conjunction with the
[Link] class.
Note
For performance reasons, consider specifying a format that only stores the date of the
last login and not the time (for example, format: yyyyMMdd). When only the date
format is specified, the last login only needs to be updated once per day, rather than
each time the user authenticates on a given day.
Default: Property is not set.
Windchill Environment Impact: When set, the property provides the format for the
last login time.
If you want to track the last time users login, set this property to valid format string
and complete the additional tasks needed to set up last login time tracking. See Setting
Up Time Tracking for Last Logins on page 46.
lockout-duration
Specifies the length of time that a user account should remain locked due to failed
authentication attempts before it is automatically unlocked. A value of 0 seconds
indicates that any locked accounts are not automatically unlocked and must be reset
by an administrator.
Default: 0 seconds

40 Windchill® Directory Server Administrator's Guide


Windchill Environment Impact: By default, an administrator must unlock a locked
account.
lockout-failure-count
Specifies the number of authentication failures required to lock a user account, either
temporarily or permanently. A value of 0 indicates that automatic lockout is not
enabled.
Default: 0
Windchill Environment Impact: If you set a nonzero value, users cannot log into
Windchill after the specified number of unsuccessful attempts.
lockout-failure-expiration-interval
Specifies the maximum length of time that a previously failed authentication attempt
should be counted toward a lockout failure.
Note
The record of all previous failed attempts is always cleared upon a successful
authentication.
A value of 0 seconds indicates that failed attempts are never automatically expired.
Default: 0 seconds
Windchill Environment Impact: If you set a nonzero value, failed login attempts
expire after the specified time interval. Expiring a failed login attempt allows users to
attempt to log in again if their number of attempts is now below the number specified
in the lockout-failure-count property.
max-password-age
Specifies the maximum length of time that a user is allowed to keep the same
password before choosing a new one. This time is often known as the password
expiration interval.
A value of 0 seconds indicates that passwords never expire.
If the ds-cfg-expire-passwords-without-warning attribute is set to false, the effective
password expiration time is recalculated to be the time at which the first warning is
received, plus the warning interval (ds-cfg-password-expiration-warning-interval).
This behavior ensures that users always have the fully configured warning interval to
change their passwords.
Default: 0 seconds
Windchill Environment Impact: If you set a nonzero value, the value is the maximum
amount of time allowed before users must change their passwords. If a password
is not changed within the specified time, the account is locked (preventing access
to Windchill).
max-password-reset-age
Specifies the maximum length of time that users are allowed to change their passwords
after they have been administratively reset and before they are locked out.
This property is only applicable if the ds-cfg-force-change-on-reset attribute is set to
true.

Configuring a Windchill Directory Server 41


A value of 0 seconds indicates that there are no limits on the length of time that users
have to change their passwords after administrative resets.
Default: 0 seconds
Windchill Environment Impact: Not supported; without modifications to your web
server, this feature cannot be used.
min-password-age
Specifies the minimum length of time that users are required to have a password value
before it can be changed again.
Default: 0 seconds
Windchill Environment Impact: Providing a nonzero value ensures that users are not
allowed to repeatedly change their passwords in order to flush their previous password
from the history so it can be reused.
password-attribute
Specifies the attribute in the user's entry that holds the encoded passwords for the user.
Default: userPassword
Windchill Environment Impact: To function correctly, the Windchill code that
processes user passwords requires that ds-cfg-password-attribute be set
to userPassword. Do not change the value of this property without customizing
the Windchill code.
password-change-requires-current-password
Indicates whether users are required to provide their current password when setting a
new password. If this is set to true, then users are required to provide their current
password when changing their existing password.
Default: false
Windchill Environment Impact: Not supported; without modifications to your web
server and to the Windchill password modification code, this feature cannot be enabled.
password-expiration-warning-interval
Specifies the length of time before a password expires that users should start to receive
notifications that their password is about to expire.
Note
You must set a nonzero value for this property if the ds-cfg-expire-passwords-without-
warning attribute is set to false.
Default: There is no account status notification handler set up in the Windchill
Directory Server and this property is not set.
Windchill Environment Impact: After setting up an account status notification handler
and setting this property, users receive email notifications relating to the password
policy for which this property is set.
For the list of steps that are required to set up user email notifications, see Setting Up
Email Notifications for Password Policy Events on page 45
password-generator

42 Windchill® Directory Server Administrator's Guide


Specifies the DN for the password generator that should be used in conjunction with
this password policy. The password generator is used in the following cases:
● When the administrator resets a user password and does not specify a new
password.
● To provide a new password for cases in which the client did not include one in the
request. This is used in conjunction with a password modify extended operation;
however, the password modify extended operation is not supported.
Default: cn=Random Password Generator,cn=Password Generators,cn=config
Windchill Environment Impact: The generator is used when the administrator
resets a user’s password. The administrator sees the password generated and must
communicate this to the user; the generated password is not sent with the password
reset email notification.
password-history-count
Specifies the maximum number of password values that should be maintained in the
password history. Whenever a user’s password is changed, the server checks the
proposed new password against the current password and all passwords stored in the
history. If a match is found, then the user is not allowed to use that new password. A
value of 0 indicates either of the following:
● The server should not maintain a password history (that is the case when the
password history duration has a value of 0 seconds).
● The password history list should be based entirely on duration and no maximum
count should be enforced (that is the case when the password history duration has
a value other than 0 seconds).
Note
If an administrator reduces the configured password history count to a smaller (but
still nonzero) value, each user entry containing password history state information
is not impacted until a password change is processed for that user. At that time, any
excess history state values are purged from the entry.
If the history count is reduced to 0 and the password history duration is also set to
0 seconds, any state information in the user’s entry is retained in case the feature
is re-enabled.
Default: 0
Windchill Environment Impact: If you set a nonzero value, the value determines how
many unique passwords a user must specify before a previously-used password can
be specified.
password-history-duration
Specifies the maximum length of time that a formerly-used password should remain
in effect in the user's password history.
Whenever a user's password is changed, the server checks the proposed new password
against the current password and all passwords stored in the history. If a match is
found, the user is not allowed to use that new password.

Configuring a Windchill Directory Server 43


A value of 0 seconds indicates one of the following:
● The server should not maintain a password history. This is the case when the
ds-cfg-password-history-count attribute has a value of 0.
● The password history list should be based entirely on count and no
maximum duration should be enforced. This is the case when the
ds-cfg-password-history-count attribute has a value other than 0.
Default: 0 seconds
Windchill Environment Impact: You can provide a nonzero value to ensure that users
are not allowed to repeatedly change their passwords in order to flush their previous
password from the history so it can be reused.
password-validator
Specifies the DNs for password validators that should be used in conjunction with
this password policy. The password validators are invoked whenever a user attempts
to provide a new password in order to determine whether that new password is
acceptable.
Default: Property is not set.
Windchill Environment Impact: You can limit the values that users enter for the
passwords by setting this property.
To display existing password validators, see Displaying Your Password Policy
Configuration on page 47.
For an example that sets password validators, see Setting Password Expiration Time
and Adding Validators on page 49.
previous-last-login-time-format
Specifies the format string that was used in the past for older last login time values.
This value is not necessary unless the last login time feature is enabled and the format
in which the values are stored has been changed.
Default: This property is not set.
Windchill Environment Impact: No impact.
require-change-by-time
Specifies a time by which all users with this password policy are required to change
their passwords. Specify the time using the following format:
yyyyMMddhhmmssZ

For example, 20100101120000Z represents 12 PM on January 01, 2010 in the


Zulu time zone.
This option works independently of password expiration; it forces all users to change
their passwords before a given time. This password change is required even when
password expiration is disabled.
Default: This property is not set.
Windchill Environment Impact: When this property is set, all Windchill users covered
by this password policy must change their password by the specified time.
require-secure-authentication

44 Windchill® Directory Server Administrator's Guide


Indicates whether users with this password policy are required to authenticate in a
secure manner using a secure communication mechanism like SSL, or a secure SASL
mechanism like DIGEST-MD5, EXTERNAL, or GSSAPI that does not expose the
password in the clear.
Default: false
Windchill Environment Impact: Not supported; without modifications to your web
server, this feature cannot be used.
require-secure-password-changes
Indicates whether users with this password policy are required to make password
changes in a secure manner, such as over a secure communication channel like SSL.
Default: false
Windchill Environment Impact: Not supported; without modifications to your web
server, this feature cannot be used.

Setting Up Email Notifications for Password Policy


Events
To set up email notifications that are sent to users for password policy events, you must
complete a set of tasks. The example dsconfg commands provided in the tasks assume
the following:
● The commands are entered on the host where Windchill Directory Server resides
(localhost is used).
● The Windchill Directory Server administrative port is 4444.
● The Windchill Directory Server bind DN is “cn=Manager” and the bind password
is “admin”.
The tasks to complete are as follows:
● Configure the SMTP Account Status notification handler.
To configure the notification handler, you must configure Windchill Directory Server
to use the SMTP mail handler and enable an SMTP handler for notifications. For
example, use commands similar to the following:
dsconfig -D "cn=manager" -w admin -n
set-global-configuration-prop
--set smtp-server:<host name> --trustAll

dsconfig set-account-status-notification-handler-prop
--handler-name "SMTP Handler"
--set "enabled:true" --hostname "localhost" --port "4444"
--trustAll --bindDN "cn=manager" --bindPassword admin --no-prompt

Replace <host name> with the name of the host where your mail server resides.

Configuring a Windchill Directory Server 45


● Configure the password policy you are setting up to add the SMTP account status
notification handler. For example, use a command similar to the following to set the
handler for the default password policy:
dsconfig set-password-policy-prop
--policy-name "Default Password Policy"
--add "account-status-notification-handler:SMTP Handler"
--hostname "localhost" --port "4444" --trustAll
--bindDN "cn=manager" --bindPassword admin --no-prompt

● Configure the sender-address in the SMTP Account Status Notification Handler


property. For example, use a command similar to the following:
dsconfig set-account-status-notification-handler-prop
--handler-name "SMTP Handler"
--set "sender-address:<user_address>"
--hostname "localhost" --port "4444" --trustAll
--bindDN "cn=manager" --bindPassword admin --no-prompt

Replace <user_address> with the address of the recipient that appears in the From
address of the email.
After you complete the tasks, users automatically receive email notifications when
password policy events occur.
The following are examples of password notifications:
● Your directory password will expire in 3 minutes, 0 seconds.
● Please change your password before Thu Aug 06 12:56:20 CDT 2009 so that it does
not expire.
For further assistance, please contact a directory administrator.
● Your directory password has expired.
Please contact a server administrator to have your password reset.
● Your directory account has been locked because it has remained idle for too long.
For further assistance, please contact a server administrator.
The content of these messages can be customized. Message templates are stored
in the <WindchillDS>/server/config/messages directory, where
<WindchillDS> is the Windchill Directory Server installation directory. Change the
appropriate template file to change the contents of the notifications sent to the user.

Setting Up Time Tracking for Last Logins


By default, a user’s last login time is not tracked.
To set up the tracking of a user’s last login time, you must complete the following tasks:
● Set the following attributes for the password policy:
ds-cfg-last-login-time-attribute
ds-cfg-last-login-time-format
You can set these attributes by setting the last-login-time-attribute and
last-login-time-format properties.

46 Windchill® Directory Server Administrator's Guide


● Set the idle-lockout-interval property to a nonzero value.

Displaying Your Password Policy Configuration


When setting up your password policies, you should be aware of what is currently set
before making changes. The following examples show how to display the current
configuration information for the following:
The default password policy
The existing password validators
The SMTP handler for notifications
The example dsconfg commands provided in the examples assume the following:
● The commands are entered on the host where Windchill Directory Server resides
(localhost is used).
● The Windchill Directory Server administrative port is 4444.
● The Windchill Directory Server bind DN is “cn=Manager” and the bind password
is “admin”.
To view what is set for the default password policy, enter a command similar to the
following:
dsconfig get-password-policy-prop --policy-name "Default Password Policy"
--hostname localhost --port 4444 --bindDN "cn=Manager"
--bindPassword "admin" --no-prompt --trustAll

To view the existing password validators, enter a command similar to the following:
dsconfig list-password-validators
--hostname localhost --port 4444 --bindDN "cn=Manager"
--bindPassword "admin" --no-prompt --trustAll

The output from the list-password-validators subcommand is similar to the


following:
Password Validator : Type : enabled
------------------------------------:---------------------:--------
Attribute Value : attribute-value : true
Character Set : character-set : true
Dictionary : dictionary : false
Length-Based Password Validator : length-based : true
Repeated Characters : repeated-characters : true
Similarity-Based Password Validator : similarity-based : true
Unique Characters : unique-characters : true

You can use the information in the validator list to display the properties that are set
for each validator. For example, use a command similar to the following to display the
properties for the dictionary validator:
dsconfig get-password-validator-prop --validator-name Dictionary
--hostname localhost --port 4444 --bindDN "cn=Manager"
--bindPassword "admin" --no-prompt --trustAll

To display the configuration of the SMTP handler for notifications, enter a command
similar to the following:
dsconfig list-properties -c account-status-notification-handler

Configuring a Windchill Directory Server 47


Configuring Password Policies
You can configure multiple password policies in Windchill Directory Server. Each policy
can be associated with a group of users. Out of the box, Windchill Directory Server
provides the default password policy that can be used for all users.
By default, the Windchill Directory Server is set up to allow users to modify their own
password; however, the Windchill interface for modifying passwords is not enabled by
default. For the details on how to enable this interface and on the set of tasks to complete
to configure password management in Windchill, see the Windchill System Administrator's
Guide.
The following sections provide example commands that you can study to determine how
to configure your password policies. The example dsconfg commands assume the
following:
● The commands are entered on the host where Windchill Directory Server resides
(localhost is used).
● The Windchill Directory Server administrative port is 4444.
● The Windchill Directory Server bind DN is “cn=Manager” and the bind password
is “admin”.
For more information how to configure password policies, see the documentation from
the OpenDS 1.2 wiki at:
[Link]

Note
Although the OpenDS wiki provides a mailing list that can be used to report problems
and ask questions, do not use the mailing list; instead, contact PTC Technical Support
for all Windchill Directory Server issues.
For information about how to contact PTC Technical Support, see Technical Support
on page 8.

Configuring Password Policy Lockout Failure Count


To set the password lockout count to 3, use a command similar to the following:
dsconfig set-password-policy-prop
--policy-name "Default Password Policy"
--set "lockout-failure-count:3"
--hostname "localhost" --port "4444" --trustAll
--bindDN "cn=manager" --bindPassword admin --no-prompt

Configuring Password Lockout Duration


To set the password lockout duration to 120 seconds, use a command similar to the
following:
dsconfig set-password-policy-prop
--policy-name "Default Password Policy"
--set "lockout-duration:120 s"
--hostname "localhost" --port "4444" --trustAll
--bindDN "cn=manager" --bindPassword admin --no-prompt

48 Windchill® Directory Server Administrator's Guide


Configuring Minimum Password Age
To set the minimum password age to 180 seconds, use a command similar to the following:
dsconfig set-password-policy-prop
--policy-name "Default Password Policy"
--set "min-password-age:180 s"
--hostname "localhost" --port "4444" --trustAll
--bindDN "cn=manager" --bindPassword admin --no-prompt

Configuring Password Expiration Policy


To set the password expiration policy expire without warning, with a maximum password
age of 360 seconds, and an expiration warning interval of 180 seconds, use a command
similar to the following:
dsconfig set-password-policy-prop
--policy-name "Default Password Policy"
--set "expire-passwords-without-warning:true"
--set "max-password-age:360 s"
--set "password-expiration-warning-interval:180 s"
--hostname "localhost" --port "4444" --trustAll
--bindDN "cn=manager" --bindPassword admin --no-prompt

Setting Password Expiration Time and Adding Validators


Some policies require that you set validators as well as properties. For example, assume
that you want to set up the default password policy as follows:
● User passwords expire every 120 days
Use the max-password-age property to set this.
● The password must be at least six characters long and with at least three unique
characters
Use the Length-Based Password Validator property to set the minimum length and the
Unique Characters property to set the number of unique characters.
To set the password expiration time and add the length-based password validator and the
unique character validator to the default password policy, enter the following commands:
dsconfig set-password-validator-prop
--validator-name "Length-Based Password Validator"
--set enabled:true --set min-password-length:6
--hostname localhost --port 4444 --bindDN "cn=Manager"
--bindPassword "admin" --no-prompt --trustAll

dsconfig set-password-validator-prop
--validator-name "Unique Characters"
--set enabled:true --set min-unique-characters:3
--hostname localhost --port 4444 --bindDN "cn=Manager"
--bindPassword "admin" --no-prompt --trustAll

dsconfig set-password-policy-prop
--policy-name "Default Password Policy"
--add "password-validator:Length-Based Password Validator"
--add "password-validator:Unique Characters"
--set "max-password-age:120 d"

Configuring a Windchill Directory Server 49


--hostname localhost --port 4444 --bindDN "cn=Manager"
--bindPassword "admin" --no-prompt --trustAll

Managing the Windchill Directory Server


Logging
The Windchill Directory Server provides the following logs:
● access
● audit
● debug
● error
Each log, located in <WindchillDS>/server/logs, consists of a log publisher and
a set of policies to determine the configuration of the log publisher. For example, the
access log has a set of policies that determine the size of the logs and how long logs are
retained. Each log has its own set of policies.
Server logging is configured with the command line utility dsconfig. You can use
dsconfig is an interactive command line utility that prompts the user for input, or, if
you provide the complete set of arguments, it can be run in non-interactive mode. Also, if
you use dsconfig, you can modify the policies of each logger.

Listing the Current Log Publishers


The following example uses the interactive command-line mode of dsconfig to list the
current log publishers. By default the access log, error log, and replication repair logger
are enabled.
D:\<WindchillDS>\server\bat>dsconfig
>>>> Specify Windchill Directory Server LDAP connection parameters
Directory server hostname or IP address [my-host-name]:
How do you want to trust the server certificate?

1) Automatically trust
2) Use a truststore
3) Manually validate

Enter choice [3]: 1


Directory server administration port number [4444]:
Administrator user bind DN [cn=Directory Manager]: cn=Manager
Password for user 'cn=Manager':
>>>> Windchill Directory Server configuration console main menu
What do you want to configure?
1) Access Control Handler 24) Monitor Provider
2) Account Status Notification 25) Network Group
Handler
3) Administration Connector 26) Network Group Criteria
4) Alert Handler 27) Network Group Request Filtering
Policy
5) Attribute Syntax 28) Network Group Resource Limits

50 Windchill® Directory Server Administrator's Guide


6) Backend 29) Password Generator
7) Certificate Mapper 30) Password Policy
8) Connection Handler 31) Password Storage Scheme
9) Crypto Manager 32) Password Validator
10) Debug Target 33) Plugin
11) Entry Cache 34) Plugin Root
12) Extended Operation Handler 35) Replication Domain
13) Extension 36) Replication Server
14) Global Configuration 37) Root DN
15) Group Implementation 38) Root DSE Backend
16) Identity Mapper 39) SASL Mechanism Handler
17) Key Manager Provider 40) Synchronization Provider
18) Local DB Index 41) Trust Manager Provider
19) Local DB VLV Index 42) Virtual Attribute
20) Log Publisher 43) Work Queue
21) Log Retention Policy 44) Workflow
22) Log Rotation Policy 45) Workflow Element
23) Matching Rule
q) quit
Enter choice: 20
>>>> Log Publisher management menu
What would you like to do?
1) List existing Log Publishers
2) Create a new Log Publisher
3) View and edit an existing Log Publisher
4) Delete an existing Log Publisher
b) back
q) quit
Enter choice [b]: 1
Log Publisher : Type : enabled
--------------------------:-------------------:--------
File-Based Access Logger : file-based-access : true
File-Based Audit Logger : file-based-access : false
File-Based Debug Logger : file-based-debug : false
File-Based Error Logger : file-based-error : true
Replication Repair Logger : file-based-error : true
Press RETURN to continue

Changing a Log Policy


The following is an example of changing the log retention policy. Changing the policy
changes the maximum log file size.
What do you want to configure?

1) Access Control Handler 24) Monitor Provider


2) Account Status Notification 25) Network Group
Handler
3) Administration Connector 26) Network Group Criteria
4) Alert Handler 27) Network Group Request Filtering
Policy
5) Attribute Syntax 28) Network Group Resource Limits
6) Backend 29) Password Generator
7) Certificate Mapper 30) Password Policy
8) Connection Handler 31) Password Storage Scheme
9) Crypto Manager 32) Password Validator
10) Debug Target 33) Plugin
11) Entry Cache 34) Plugin Root

Configuring a Windchill Directory Server 51


12) Extended Operation Handler 35) Replication Domain
13) Extension 36) Replication Server
14) Global Configuration 37) Root DN
15) Group Implementation 38) Root DSE Backend
16) Identity Mapper 39) SASL Mechanism Handler
17) Key Manager Provider 40) Synchronization Provider
18) Local DB Index 41) Trust Manager Provider
19) Local DB VLV Index 42) Virtual Attribute
20) Log Publisher 43) Work Queue
21) Log Retention Policy 44) Workflow
22) Log Rotation Policy 45) Workflow Element
23) Matching Rule

q) quit

Enter choice: 21
>>>> Log Retention Policy management menu
What would you like to do?
1) List existing Log Retention Policies
2) Create a new Log Retention Policy
3) View and edit an existing Log Retention Policy
4) Delete an existing Log Retention Policy
b) back
q) quit

Enter choice [b]: 1


Log Retention Policy : Type : disk-space-used : free-disk
-space : number-of-files
---------------------------------:-----------------:-----------------:----------
-------:----------------
File Count Retention Policy : file-count : - : -
: 10
Free Disk Space Retention Policy : free-disk-space : - : 500 mb
: -
Size Limit Retention Policy : size-limit : 500 mb : -
: -
Press RETURN to continue
>>>> Log Retention Policy management menu
What would you like to do?
1) List existing Log Retention Policies
2) Create a new Log Retention Policy
3) View and edit an existing Log Retention Policy
4) Delete an existing Log Retention Policy
b) back
q) quit
Enter choice [b]: 3
>>>> Select the Log Retention Policy from the following list:
1) File Count Retention Policy
2) Free Disk Space Retention Policy
3) Size Limit Retention Policy
c) cancel
q) quit
Enter choice [c]: 3
>>>> Configure the properties of the Size Limit Log Retention Policy
Property Value(s)
-------------------------
1) disk-space-used 500 mb

?) help
f) finish - apply any changes to the Size Limit Log Retention Policy

52 Windchill® Directory Server Administrator's Guide


c) cancel
q) quit

Enter choice [f]: 1


>>>> Configuring the "disk-space-used" property
Specifies the maximum total disk space used by the log files.
Syntax: 1 b <= SIZE
Do you want to modify the "disk-space-used" property?
1) Keep the value: 500 mb
2) Change the value
?) help
q) quit
Enter choice [1]: 2
Enter a value for the "disk-space-used" property: 200 mb
Press RETURN to continue
>>>> Configure the properties of the Size Limit Log Retention Policy
Property Value(s)
-------------------------
1) disk-space-used 200 mb
?) help
f) finish - apply any changes to the Size Limit Log Retention Policy
c) cancel
q) quit
Enter choice [f]: f
The Size Limit Log Retention Policy was modified successfully
Press RETURN to continue
>>>> Log Retention Policy management menu
What would you like to do?
1) List existing Log Retention Policies
2) Create a new Log Retention Policy
3) View and edit an existing Log Retention Policy
4) Delete an existing Log Retention Policy
b) back
q) quit

Enter choice [b]:

Configuring a Windchill Directory Server 53


Managing User Accounts
4
Displaying the Status of User Accounts .............................................................. 56
Locking and Unlocking User Accounts ................................................................ 56
Resetting User Passwords .................................................................................. 57

Use the manage–account command to display information about accounts and to


lock or unlock accounts.
Use the ldappasswordmodify command to reset a user password.
The following sections provide a starting point that you can use to determine how to
manage your user accounts. The example commands in the sections assume the following:
● The commands are entered on the host where Windchill Directory Server resides
(localhost is used).
● The Windchill Directory Server administrative port is 4444.
● The Windchill Directory Server bind DN is “cn=Manager” and the bind password
is “admin”.
The commands require the UID of a user. To get the user UID, you can view the user
entry from the Windchill Directory Server control panel.
For additional information about managing users, see the OpenDS wiki:
[Link]

55
Displaying the Status of User Accounts
To display the password policy state information for a specific user, use a command
similar to the following:
manage-account get-all --targetDN "uid=<user-UID>"
--hostname "localhost" --port "4444" --trustAll
--bindDN "cn=manager" --bindPassword admin

Replace <user-UID> with the UID of the user.


Typical output from this command includes the following:
Password Policy DN: cn=Default Password Policy,cn=Password Policies,cn=config
Account Is Disabled: false
Account Expiration Time:
Seconds Until Account Expiration:
Password Changed Time: 20091008144013.142Z
Password Expiration Warned Time:
Seconds Until Password Expiration:
Seconds Until Password Expiration Warning:
Authentication Failure Times:
Seconds Until Authentication Failure Unlock:
Remaining Authentication Failure Count: 3
Last Login Time:Seconds Until Idle Account Lockout:
Password Is Reset: false
Seconds Until Password Reset Lockout:
Grace Login Use Times:
Remaining Grace Login Count: 0
Password Changed by Required Time:
Seconds Until Required Change Time:
Password History:

Depending on your password policy settings, your output may be different than the
typical output.

Locking and Unlocking User Accounts


You can manually lock user accounts and you can unlock accounts that have been locked
manually or by password policy events.
To lock the account of a specific user, use a command similar to the following:
manage-account set-account-is-disabled
--targetDN "uid=<user-UID>"
--operationValue "true" --hostname "localhost"
--port "4444" --trustAll --bindDN "cn=manager" --bindPassword admin

Replace <user-UID> with the UID of the user.


To unlock the account that has been locked, use a command similar to the following:
manage-account clear-account-is-disabled
--targetDN "uid=<user-UID>"
--hostname "localhost" --port "4444" --trustAll
--bindDN "cn=manager" --bindPassword admin

56 Windchill® Directory Server Administrator's Guide


Replace <user-UID> with the UID of the user.

Resetting User Passwords


You can reset user passwords to specific passwords or to randomly generated passwords.
To reset the password for a specific user to a specific password, use a command similar to
the following:
ldappasswordmodify --authzID dn:"uid=<user-UID>"
--newPassword <new password> --hostname "localhost"
--port "4444" --trustAll --bindDN "cn=manager" --bindPassword admin
--useSSL

Replace <user-UID> with the UID of the user.


When successful, the following output is returned:
The LDAP password modify operation was successful

If you have set up email notifications, users are notified when passwords are reset;
however, the message sent does not include the password.
To reset the password for a specific user to a randomly generated password, remove the
--newPassword option from the previous command as follows:
ldappasswordmodify --authzID dn:"uid=<user-UID>"
--hostname "localhost" --port "4444"
--trustAll --bindDN "cn=manager" --bindPassword admin --useSSL

Replace <user-UID> with the UID of the user.


The following output is returned when the password has been generated:
The LDAP password modify operation was successful
Generated Password: <new_password>

If you have set up email notifications, users are notified when passwords are reset;
however, you must still inform the user of the generated password.

Managing User Accounts 57


Managing Directory Data
5
Adding a New Entry............................................................................................. 61
Deleting an Entry ................................................................................................. 62
Backing up LDAP Directory Data ........................................................................ 62
Restoring Directory Data ..................................................................................... 63
Exporting Entries to an LDIF File......................................................................... 63
Importing Entries ................................................................................................. 64
Viewing Entries.................................................................................................... 64

The sections in this chapter describe how to use the Control Panel to manage entries within
the Windchill Directory Server. For additional information, see the OpenDS Managing
Directory Data With the Control Panel topic
The sections in this chapter describe how to use the Control Panel to manage entries
within the Windchill Directory Server. For more information, see the OpenDS Managing
Directory Data With the Control Panel topic.
Additionally, you can perform many of the tasks that are required to manage entries using
command-line utilities instead of using the Control Panel. For example, you can create a
script for backing up entries. For details on how to use command-line utilities to manage
entries, see the OpenDS Managing Data topic.

59
Note
Although the OpenDS wiki provides a mailing list that can be used to report problems
and ask questions, do not use the mailing list; instead, contact PTC Technical Support
for all Windchill Directory Server issues.
For information about how to contact PTC Technical Support, see Technical Support
on page 8.

Tip
An easy way to determine the required syntax for a command is to execute the task from
the Control Panel and then review the details that are presented. The details contain
the command that was executed.

60 Windchill® Directory Server Administrator's Guide


Adding a New Entry
Note
The Windchill Directory Server control panel allows you to view, add, modify, and delete
entries. PTC does not recommend using the Windchill Directory Server control panel for
managing Windchill generated user, group, and organization entries. These entries should
be managed through normal Windchill interfaces. The use of the control panel to add,
modify and delete entries should be limited to manual repair or debug functions.
For details on managing Windchill users, group, and organization entries, see the
Windchill Business Administrator's Guide.
The following steps explain how to use the control panel to add a new entry.
1. Start the control panel. For more information, see Starting the Control Panel on
page 27.
2. Verify that the Windchill Directory Server is running. If it is not, start it.
3. Select Directory Data ▶ Manage Entries.
The Manage Entries window opens and displays the base distinguished names.
4. From the drop-down list next to BaseDN, select the base distinguished name under
which you want to add a new entry.
5. In the left pane, choose the entry that will be the parent of the entry you are adding.
6. From the Entries menu, choose the kind of entry you want to create.
The following options are available:
● New User
● New Group
● New Organizational Unit
● New Organization
● New Domain
Note
Since PTC recommends that you create users, groups, and organizations from the
Windchill interface, use the related options only for debugging operations.
A window opens, displaying fields for the attributes that apply to the kind of entry
you selected.
7. Enter values for the entry into the fields of the window.
8. Click OK to create the new entry.
9. A related window opens and displays the success or failure of the operation. To
display additional information such as the command line used, click Details. You may
need to resize your window to see all the information.
10. Click Close.

Managing Directory Data 61


Deleting an Entry
The following steps explain how to use the control panel to delete an entry:
1. Start the control panel. For more information, see Starting the Control Panel on
page 27.
2. Verify that the Windchill Directory Server is running. If it is not, start it.
3. Select Directory Data ▶ Manage Entries.
The Manage Entries window opens and displays the base distinguished names.
4. From the drop-down list next to BaseDN, select the base distinguished name under
which you want to delete an entry.
5. In the left pane, select the entry you want to delete. The attributes and values for the
selected object appear on the right side of the window.
6. Select Entries ▶ Delete Entry.
7. Click Yes to confirm that you want to delete the entry.
The Delete Entry window opens and displays the success or failure of the operation.
To display additional information such as the command line used, click Details. You
may need to resize your window to see all the information.
8. Click Close.

Backing up LDAP Directory Data


Data stored in the directory server is important to the successful operation of Windchill. All
data, including directory server data, is susceptible to loss from disk failure, accidental
deletion or modification, security failures, software failures, or other causes. PTC
recommends that directory data be backed up on a regular basis and after significant
events such as a new installation or upgrade.
If you are making many LDAP changes on a regular basis, a weekly backup is
recommended. If your LDAP data is relatively static, a monthly backup is adequate. For
more information on other areas of the Windchill solution that should be backed up, see
Ensuring Proper Backup and Recovery in the Windchill System Administrator's Guide.
The following steps explain how to backup your LDAP directory data using the control
panel.
1. Start the control panel. For more information, see Starting the Control Panel on
page 27.
2. Select Directory Data ▶ Backup.
The Run Backup window opens.
This window allows you to specify the backup parameters. Use the default parameters
for a full backup.

62 Windchill® Directory Server Administrator's Guide


PTC recommends that each site define a formal backup procedure regarding how often
to create backups, the type of backup to create (full or incremental), and the location
where the backups will be stored.
3. Click OK.
4. The Run Backup window opens and displays the success or failure of the operation.
To display additional information such as the command line used, click Details. You
may need to resize your window to see all the information.
5. Click Close.

Restoring Directory Data


Use the following steps to restore your directory data that has been backed up:
1. Start the control panel. For more information, see Starting the Control Panel on
page 27.
2. Select Directory Data ▶ Restore.
The Restore from Backup window opens and displays fields specifying how to
perform the backup.
3. Specify the backups that you want to restore. You can choose a backup from the list of
available backups or browse to locate a backup.

Note
Verify Backup ensures the integrity of the specified backup but is not a necessary
procedure. If you choose to verify your backup, the process may take a while.
4. Click OK.
5. Click Yes to confirm that you want to restore the database from the backup.
6. After the Restore from Backup window shows that the restore operation is complete,
click Close.

Note
The Close option remains unavailable until the backup is complete.

Exporting Entries to an LDIF File


The following steps explain how to use the control panel to export entries to an LDIF file.
1. Start the control panel. For more information, see Starting the Control Panel on
page 27.
2. Select Directory Data ▶ Export LDIF.
The Export LDIF window opens. This window displays fields for specifying the LDIF
file to export and gives several export options.
3. Enter values in the fields to specify the LDIF file and the export options.
4. Click OK.

Managing Directory Data 63


5. After the Export LDIF window confirms the success of the operation, click Close.

Importing Entries
The following steps explain how to use the control panel to import entries from an LDIF
file.
1. Start the control panel. For more information, see Starting the Control Panel on
page 27.
2. Select Directory Data ▶ Import LDIF.
The Import LDIF window appears. This window displays fields for specifying the
LDIF file to import and gives several options to control the import operation.
3. Enter values in the fields to specify the LDIF file and the import options.
4. Click OK.
5. After the Import LDIF window confirms the success of the operation, click Close.

Viewing Entries
You can view entries in the control panel in three different ways:
● Simplified view (the default view)
● Attribute view
● LDIF view
The following steps explain how to change the view:
1. Open the control panel. For more information, see Starting the Control Panel on
page 27.
2. Select Directory Data ▶ Manage Entries.
The Manage Entries window opens.
3. From the View menu, select the preferred view.
For more information, see the OpenDS 1.2 wiki.

Note
Although the OpenDS wiki provides a mailing list that can be used to report problems
and ask questions, do not use the mailing list; instead, contact PTC Technical Support
for all Windchill Directory Server issues.
For information about how to contact PTC Technical Support, see Technical Support
on page 8.

64 Windchill® Directory Server Administrator's Guide


Aphelion Directory Server
A
Activities

Starting and Stopping the Aphelion Directory Server .......................................... 65


Starting and Stopping the Aphelion Directory Server with Web Tools................. 66
Manually Starting and Stopping Aphelion............................................................ 66
Exporting Existing LDAP Directory Content ........................................................ 67
Exporting LDAP Content on Windows................................................................. 67
Exporting LDAP Content on UNIX....................................................................... 68
Uninstalling Aphelion ........................................................................................... 68
Starting the LDAP Browser.................................................................................. 69
Starting Aphelion Web Tools ............................................................................... 69

This appendix provides details for Aphelion activities that are referenced in this guide.

Starting and Stopping the Aphelion


Directory Server
You can start and stop the Aphelion Directory Server by using the Aphelion Web tools or
by manually starting and stopping Aphelion.
Note
In some instances on UNIX systems, the file size limit for the Aphelion [Link] and
[Link] files can be exceeded causing the Aphelion LDAP services to stop. This
situation can occur during high volume updates (for example, migrations) to the LDAP
database. Before initiating a high volume update process, ensure that the files are located
on a disk partition that has sufficient free space to hold the files. Also, check the file
sizes and either archive or delete the files as necessary. The log files are located in the
/usr/var/lde/var/PTCLdap/[Link]/ directory. For additional information about
setting log file parameters, refer to the Aphelion documentation.

65
Starting and Stopping the Aphelion Directory Server
with Web Tools
The Aphelion Directory Server is an LDE that is named PTCLdap. The directory can be
started and stopped using the Aphelion Web tools:
1. Start and log into the Aphelion Web tools. See Starting the Aphelion Web Tools on
page 69.
2. Select LDE ▶ PTCLdap ▶ Manage. Then select Administration ▶ Processes.
The Process Administration page displays.
3. Under LDE-PTCdap, click Stop to stop the Aphelion Directory Server when it is
running and click Start to start the directory when it is stopped.

Manually Starting and Stopping Aphelion


How you manually start and stop the Aphelion Directory Server is determined by which
operating system you are using.

Starting and Stopping on Windows


The Windows Aphelion installation adds the Aphelion Administration and Aphelion
Services services, which are automatically started when the installation completes and
when your system reboots. You do not need to manually start these services. However,
if you want to manually stop and restart the services, you can do so through the Control
Panel Services dialog.

Starting and Stopping on UNIX


The UNIX Aphelion installation generates an Aphelion startup script and starts Aphelion.
For Solaris and HP-UX systems, the installation also adds the script to the system auto
startup scripts. Therefore, Aphelion processes automatically start when Solaris and
HP-UX systems are rebooted.
For AIX systems, you can manually start Aphelion after the system is rebooted or you can
add the Aphelion startup script to the auto start process.
The following sections provide the specific commands that you can use to manually
start and stop Aphelion on a UNIX system.

Solaris
To stop all Aphelion processes, run the following command:
/etc/rc2.d/S77cdsDaemon stop

To start all Aphelion processes, run the following command:


/etc/rc2.d/S77cdsDaemon start

66 Windchill® Directory Server Administrator's Guide


HP-UX
To stop all Aphelion processes, run the following command:
/sbin/rc2.d/S561cdsDaemon stop

To start all Aphelion processes, run the following command:


/sbin/rc2.d/S561cdsDaemon start

AIX
To stop Aphelion processes, run the following command to determine the PID of the
Aphelion processes:
ps -eaf | grep lde

Then, manually kill those processes that were listed.


To start all Aphelion processes, run the following command:
<aphelion_dir>/instTemp/[Link]
Where <aphelion_dir> is the directory where Aphelion is installed.

LINUX
To stop Aphelion processes, run the following command:
/etc/rc.d/rc4.d/S20Syntegra stop

To start all Aphelion processes, run the following command:


/etc/rc.d/rc4.d/S20Syntegra start

Exporting Existing LDAP Directory


Content
If you have an existing Aphelion LDAP directory, you will need to transfer that data to the
new Windchill Directory Server.
There are different instructions for Windows and UNIX. See the appropriate section.

Exporting LDAP Content on Windows


For Windows, use the following procedure to export data from an existing LDAP directory:
1. Right-click My Computer and select Manage.
2. In the left pane, expand Services and Applications and select Services.
3. Select Aphelion Services and click Stop.
4. Open a command prompt and make the Aphelion mapped drive active:
R:
5. Change directory by entering the following:
cd \usr\var\lde\PTCLdap
6. Enter the following command:
\usr\sbin\lde\[Link] -f PTCLdap_lde.conf

Aphelion Directory Server Activities 67


7. Open the Aphelion [Link] file:
R:\usr\var\lde\PTCLdap\PTCLdap_logs\[Link]
8. Verify that the export completed properly by locating the following message in the file:
Export: Export of all requested databases completed

Note
If this message has the time stamp corresponding to your export, the export was
successful; you can ignore other messages in the file.

Exporting LDAP Content on UNIX


For UNIX, use the following procedure to export data from an existing LDAP directory:
Note
In some instances on UNIX systems, the file size limit for the Aphelion [Link] and
[Link] files can be exceeded, causing the Aphelion LDAP services to stop. This
situation can occur during high volume updates (for example, migrations) to the LDAP
database. Before initiating a high volume update process, ensure that the files are located
on a disk partition that has sufficient free space to hold the files. Also, check the file
sizes and either archive or delete the files as necessary. The log files are located in the
/usr/var/lde/var/PTCLdap/[Link]/ directory. For additional information about
setting log file parameters, refer to the Aphelion documentation.
1. Stop Aphelion using the appropriate script for your platform.
2. Change the directory by entering the following:
cd /opt/lde/var/PTCLdap
3. Enter the following command:
/opt/lde/sbin/export -f ./PTCLdap_lde.conf
4. Open the Aphelion [Link] file:
/opt/lde/var/PTCLdap/PTCLdap_logs/[Link]
5. Verify that the export completed properly by locating the following message in file:
Export: Export of all requested databases completed

Note
If this message has the time stamp corresponding to your export, the export was
successful; you can ignore other messages in the file.

Uninstalling Aphelion
Caution
You must verify that Windchill Directory Server is functioning and that your existing
Aphelion data was exported before you uninstall the Aphelion Directory Server. Use the
procedure described in Verifying the Installation on page 32 to verify that Windchill
Directory Server is functioning.
If you installed the Aphelion Web Tools and are using the Apache Web server, ensure
that you have also updated the Apache configuration before uninstalling Aphelion. See
Cleaning Up Apache System Files and Uninstalling Aphelion on page 21.

68 Windchill® Directory Server Administrator's Guide


To uninstall Aphelion, perform the following:
● On Windows, select the Control Panel Add or Remove Programs option to
display your installed programs. Select the Aphelion entry from the list and click
Change/Remove.
● On UNIX, enter the following at a command prompt:
/<aphelion_dir>/UninstallerData/Uninstall_aphelion

Where <aphelion_dir>is the directory where Aphelion is installed.


Note
On Windows, the drive used by Aphelion is not unmapped when you remove the Aphelion
Directory entry.
You can unmap the drive by doing either of the following:
● Reboot your system.
● Enter the following command from a command prompt:
subst <drive_letter>: /D

For example, to unmap the R drive, enter the following command from a command
prompt:
subst R: /D

After you have uninstalled Aphelion, remove the Aphelion installation directory and all
remaining files under that directory.

Starting the LDAP Browser


An LDAP browser is a general purpose tool that allows you to view and modify the
contents of any LDAP directory.
The LDAP browser installed during the Aphelion installation can be started as follows:
● On Windows, select Start ▶ Programs ▶ LDAP Browser.
● At a UNIX command prompt, enter the following:
/<aphelion_dir>/SyntegraLDAPBrowser/[Link]

Where <aphelion_dir> is the directory where Aphelion is installed.


The LDAP browser starts and displays the Connect dialog box. To connect to the
directory installed on the same host, select localhost and click Connect. To connect to
another directory, select the corresponding name in the list.

Starting Aphelion Web Tools


To start the Aphelion Web tools, use the following URL from your browser:
[Link]
Where <hostname>is the Aphelion host and <port>is the optional port used for the Web
tools. You need to specify the port when the default port is not used.
To use the Aphelion Web tools, click Authenticate and log in. Enter the user name and
password under which you installed Aphelion.

Aphelion Directory Server Activities 69


Note
If you installed Aphelion on a Windows system using a domain user, enter the domain
name, a backslash (\), and the user name in the User field. For example, if your domain
name is "division12" and your user name is "user555", then you would enter the following:
division12\user555

If the login is successful and the tools are connected to the Aphelion Directory Server that
you installed, the following frame displays on the left side of the browser window:

In this frame, you should see the PTCLdap LDE link. This is the link to information about
your Aphelion Directory Server. For example, clicking the link displays information
similar to the following:

If the frame does not contain the PTCLdap LDE link or if your login was not successful,
verify that the user name you entered is the user under which you installed Aphelion. On a
Windows system, if that user is a domain user rather than a local user, enter the domain
name, a backslash (\), and the user name in the User field.

70 Windchill® Directory Server Administrator's Guide

Common questions

Powered by AI

To ensure compliance with password expiration policies, Windchill Directory Server configurations require setting a nonzero password-expiration-warning-interval to notify users in advance . Additionally, setting up an SMTP account status notification handler is necessary for sending these notifications. This involves configuring the SMTP server, enabling the handler, and setting the sender's address . These steps ensure users are effectively notified about password expiration and required changes .

The 'dsconfig' command in Windchill Directory Server is a tool used to manage, create, and modify configurations related to the directory service instance . It enables configurations across core server functions, database management, logging, replication, and security among others . Setting up 'dsconfig' involves using specified command-line instructions to adjust properties such as password policy configurations and setting up email notifications for password policy events . The versatility of 'dsconfig' makes it essential in ensuring the Windchill Directory Server operates efficiently and securely .

Port configuration between Aphelion and Windchill Directory Server requires careful management, especially during migration, to avoid conflicts . Aphelion uses specific port settings detailed in its configuration file, PTCLdap_lde.conf, which must be adjusted when both servers operate simultaneously to prevent clashes . Windchill Directory Server requires ensuring its port settings do not mirror those previously used by Aphelion to ensure smooth operation and access management . Proper alignment between the selected LDAP Base DN, administrative distinguished name, and related settings also ensures consistent and secure server communications .

Secure password management in Windchill Directory Server involves several properties such as 'password-change-requires-current-password' set to true, ensuring users must provide their current password when making changes . Another aspect is the 'require-secure-password-changes' property, mandating secure communication channels for password modifications . Despite these options, their implementation necessitates additional modifications to the web server, such as enabling SSL/TLS support, which aren't directly supported in default Windchill configurations, necessitating caution and technical adjustments .

Migrating from Aphelion to Windchill Directory Server involves several critical steps, starting with uninstalling Aphelion, ensuring no port conflicts, and migrating LDAP data accordingly . Potential issues may include ensuring compatibility in LDAP Base DNs between systems as older configurations or naming conventions may differ . Careful attention should be given to preserving data integrity and user credentials during the transfer, with thorough preparation needed for configuration file edits to minimize operational disruption .

Setting the 'require-secure-authentication' property enforces users to authenticate securely via mechanisms like SSL or secure SASL . The security implication is that it prevents exposure of passwords in plain text during authentication, significantly increasing data security . However, this property may not be supported if there are no modifications to the web server to enable secure communication channels, which can limit its implementation in unmodified environments .

Configuring additional Base DNs in Windchill Directory Server involves opening the control panel, selecting Directory Data for a new Base DN, and ensuring the Backend is set to userRoot . Enter the necessary Base DN, such as 'dc=com', and confirm 'Only Create Base Entry' is selected before proceeding . Adding additional Base DNs is often necessary for organizing the directory data to match specific organizational or application requirements, allowing more granular control over data storage and access .

In Windows 2008, User Account Control (UAC) settings can prevent the starting and stopping of Windchill Directory Server since UAC restricts execution permissions needed for these operations . To adjust these settings, access the UAC through the Control Panel, disable the UAC feature by unchecking 'Use User Account Control (UAC) to help protect your computer,' and then restart the system . This adjustment allows administrators to manage the server effectively without UAC impediments .

The main considerations when uninstalling the Windchill Directory Server on a Windows machine include ensuring the server is not running as a Windows service, as this must be disabled before uninstallation . Additionally, if there are entries you want to preserve, they should be exported via an LDIF file before proceeding . During the uninstallation process, confirm no control panel windows are open to prevent issues with file deletion, and manually delete any remaining files post-uninstall .

To verify a successful installation of the Windchill Directory Server, first ensure that the Windchill Directory Server control panel is running, as it must be active for verification . The next step is to use the control panel’s 'Manage Entries' option to confirm the server runs correctly and that it contains the necessary entries . Finally, run the Windchill solution to check that it begins correctly and allows user logins, which confirms the server installed accurately .

You might also like