Description
This TPI addresses Aphelion vulnerabilities for disallowing anonymous Aphelion LDAP access. The access control on Aphelion LDAP directory can be set with various ways. For additional detail, please refer to Access control section in the Aphelion Admin Guide. Starting with a functional working Windchill solution with Apache and Aphelion LDAP installed. In the example below two users are defined, one user can read/write in the directory i.e aphelionadmin and other one has only read access i.e. windchilluser. When the directory is accessed on behalf of the Windchill system or as an Administrator the write user is used. Otherwise, the read only user is used.
Resolution
For Windchill 7.0 solutions see Additional Information below.
For Windchill 8.0 solutions refer to the section "Restricting Access to Aphelion" found in the Info*Engine Installation and Configuration Guide.
For Windchill 8.0 solutions refer to the section "Restricting Access to Aphelion" found in the Info*Engine Installation and Configuration Guide.
Additional Information
The following are the main steps:
Step 1-> Use the Windchill Principal Administrator to define two users or use the LDAP Browser to
define two users. Create users:
Here mymachine is the distinguished name and mycompany is machine name derived from network domain. These users must have a password defined in their entry. Here we are using passwd admin and user for ahelionadmin and windchilluser respectively.
Step 2-> Add the aphelionadmin user to the Administrators group with the Principal Administrator.
Step 3-> Modify <WT_HOME>/tasks/federation/MapCredentials.xml and add the users as shown in
the snippet below.
<ie:webject name="Create-Group" type="GRP">
</ie:webject>
Step 4 -> Add the windchilluser to Apache configuration. For this example, this allows apache to access the directory in read only mode. Please make changes to <Apache loadpoint>/conf/app-Windchill.properties file for following lines:
apacheWebApp.bindDn=uid\=windchilluser,ou\=people,cn\=mymachine,cn\=application services,o\=mycompany
apacheWebApp.anonBind=false
apacheWebApp.bindPwd=user
From a shell, from the <Apache loadpoint> run:
ant -f webAppConfig.xml regenAllWebApps to regenerate the app-Windchill-Auth.conf file.
This will set the user and password that Apache uses to bind to the directory to search for users during authentication.
Step 5-> Change the properties ie.ldap.managerDn and ie.ldap.managerPw in the site.xconf file and propagate the changes. ie.ldap.managerDn should be set to the user with write permision. Using command:
Step 6 -> Make following changes in <Aphelion>\usr\var\lde\PTCLdap\PTCLdap_lde.conf to set access control for Aphelion Directory. (For UNIX, this path is /opt/lde/var/PTCLdap/PTCLdap_lde.conf)
a. Comment following line to allow anonymous access
#anonymous_access_allowed on
b. Uncomment line below
anonymous_access_allowed false
For disallowing access to config, monitor, and schema, uncomment following lines.
access to dn=config by * none
access to dn=.*,cn=monitor by * none
access to dn=schema by * none
access to dn=config by dn=cn=Manager write
access to dn=.*,cn=monitor by dn=cn=Manager write
access to dn=schema by dn=cn=Manager write
c. Change the following line to reflect the specific distinguished name (for example, aphelionadmin) that you want to use for write access:
access to dn=.*cn=Application Services,o=mycompany" by "dn=uid=aphelionadmin,ou=people,cn=mymachine,cn=application services,o=mycompany" write
d. Change the following line to reflect the specific distinguished name (for example, windchilluser) that you want to use for read access:
access to "dn=.*cn=mymachine,cn=application services,o=mycompany" by "dn=uid=windchilluser,ou=people,cn=mymachine,cn=Application Services,o=mycompany" read
After making the changes restart Apache, Aphelion, and Windchill. To verify, login to LDAP browser using "Anonymous bind" checked, the login should fail. Only the user with valid access right will be allowed to login. This disallows anonymous access to the directory.
Step 1-> Use the Windchill Principal Administrator to define two users or use the LDAP Browser to
define two users. Create users:
uid=aphelionadmin,ou=people,cn=mymachine,cn=application services,o=mycompany and uid=windchilluser,ou=people,cn= mymachine,cn=application services,o=mycompany
Here mymachine is the distinguished name and mycompany is machine name derived from network domain. These users must have a password defined in their entry. Here we are using passwd admin and user for ahelionadmin and windchilluser respectively.
Step 2-> Add the aphelionadmin user to the Administrators group with the Principal Administrator.
Step 3-> Modify <WT_HOME>/tasks/federation/MapCredentials.xml and add the users as shown in
the snippet below.
<ie:webject name="Create-Group" type="GRP">
<% if ( isAdmin ) { %> <!------------------------------------------------------------------ Create a credentials map for users with administrative privileges ------------------------------------------------------------------> <ie:param name="element" data="INSTANCE=com.ptc.ptcnet.Ldap:DBUSER=uid=aphelionadmin,ou=people,cn=mymach ine,cn=application services,o=mycompany:PASSWD=admin"/> <!------------------------------------------------------------------ PendingUserAdapter ------------------------------------------------------------------> <ie:param name="element" data="INSTANCE=com.ptc.ptcnet.Ldap-pending:DBUSER=uid=aphelionadmin,ou=people,c n=mymachine,cn=application services,o=mycompany:PASSWD=admin"/> <!------------------------------------------------------------------ ------------------------------------------------------------------> <% } else { %> <!------------------------------------------------------------------ Create a credentials map for non-privileged users ------------------------------------------------------------------> <ie:param name="element" data="INSTANCE=com.ptc.ptcnet.Ldap:DBUSER=uid=windchilluser,ou=people,cn=mymach ine,cn=application services,o=mycompany:PASSWD=user"/> <% } %><ie:param name="delimiter" data=":"/> <ie:param name="group_out" data="map"/>
</ie:webject>
Step 4 -> Add the windchilluser to Apache configuration. For this example, this allows apache to access the directory in read only mode. Please make changes to <Apache loadpoint>/conf/app-Windchill.properties file for following lines:
apacheWebApp.bindDn=uid\=windchilluser,ou\=people,cn\=mymachine,cn\=application services,o\=mycompany
apacheWebApp.anonBind=false
apacheWebApp.bindPwd=user
From a shell, from the <Apache loadpoint> run:
ant -f webAppConfig.xml regenAllWebApps to regenerate the app-Windchill-Auth.conf file.
This will set the user and password that Apache uses to bind to the directory to search for users during authentication.
Step 5-> Change the properties ie.ldap.managerDn and ie.ldap.managerPw in the site.xconf file and propagate the changes. ie.ldap.managerDn should be set to the user with write permision. Using command:
xconfmanager -t "codebase/WEB-INF/ieStructProperties.txt" -s "ie.ldap.managerDn=uid= aphelionadmin,ou=people,cn=mymachine,cn=application services,o=mycompany" -s "ie.ld ap.managerPw=admin" -p
Step 6 -> Make following changes in <Aphelion>\usr\var\lde\PTCLdap\PTCLdap_lde.conf to set access control for Aphelion Directory. (For UNIX, this path is /opt/lde/var/PTCLdap/PTCLdap_lde.conf)
a. Comment following line to allow anonymous access
#anonymous_access_allowed on
b. Uncomment line below
anonymous_access_allowed false
For disallowing access to config, monitor, and schema, uncomment following lines.
access to dn=config by * none
access to dn=.*,cn=monitor by * none
access to dn=schema by * none
access to dn=config by dn=cn=Manager write
access to dn=.*,cn=monitor by dn=cn=Manager write
access to dn=schema by dn=cn=Manager write
c. Change the following line to reflect the specific distinguished name (for example, aphelionadmin) that you want to use for write access:
access to dn=.*cn=Application Services,o=mycompany" by "dn=uid=aphelionadmin,ou=people,cn=mymachine,cn=application services,o=mycompany" write
d. Change the following line to reflect the specific distinguished name (for example, windchilluser) that you want to use for read access:
access to "dn=.*cn=mymachine,cn=application services,o=mycompany" by "dn=uid=windchilluser,ou=people,cn=mymachine,cn=Application Services,o=mycompany" read
After making the changes restart Apache, Aphelion, and Windchill. To verify, login to LDAP browser using "Anonymous bind" checked, the login should fail. Only the user with valid access right will be allowed to login. This disallows anonymous access to the directory.