https://community.qlik.com/t5/Official-Support-Articles/How-to-connect-to-Active-Directory-using-the-Generic-LDAP/ta-p/1713842 <P>In the standard Active Directory Connector, it is not possible to specify the branch or sub directory to limit searches to.&nbsp;But the Generic LDAP connector can be configured to do connect to Active Directory and specifying a subdirectory.<BR /><BR />Also using Generic LDAP connector makes it possible to set an alias for domain. In a rare situation that a domain called "Internal" can only be connected by Generic LDAP due to naming conflict.</P> <P>&nbsp;</P> <H3 class="qlik-migrated-tkb-headings">Resolution:</H3> <P>&nbsp;</P> <OL> <LI>Before setting up UDC, 3 pieces of information are required: <UL> <LI>Path</LI> <LI>User name</LI> <LI>LDAP Filter</LI> </UL> </LI> <LI>It is convenient to use a 3rd party tool called <A href="http://www.ldapadmin.org" target="_blank" rel="noopener">LDAP Admin</A>" to prepare the above 3 pieces of information</LI> <LI>Once LDAP Admin is downloaded and run, make a connection to the existing Active Directory. Domain Admin may need to be involved in order to get this step done.<BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="connection properties.jpeg" style="width: 456px;"><img src="https://community.qlik.com/t5/image/serverpage/image-id/45230i28F0F67A23D73899/image-size/large?v=v2&amp;px=999" role="button" title="connection properties.jpeg" alt="connection properties.jpeg" /></span><BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="connection is successful.jpeg" style="width: 241px;"><img src="https://community.qlik.com/t5/image/serverpage/image-id/45231i26AD4271A2F1EFCE/image-size/large?v=v2&amp;px=999" role="button" title="connection is successful.jpeg" alt="connection is successful.jpeg" /></span><BR /><BR /><BR /></LI> <LI>Once connected, go to <STRONG>Edit</STRONG> &gt; <STRONG>Search</STRONG> &gt; <STRONG>Custom</STRONG></LI> <LI>In the <STRONG>Search</STRONG>&nbsp;Window, make sure&nbsp;&nbsp;<STRONG>Path&nbsp;</STRONG>is set to root base. Use the&nbsp;<STRONG>Browse</STRONG>&nbsp;button if necessary.</LI> <LI>Create a filter so that only limited number of users are fetched. In the sample below, only 16 users are fetched by using the predefined filter. Please consult Domain Admin about how to construct an LDAP filter.<BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="create filter.jpeg" style="width: 999px;"><img src="https://community.qlik.com/t5/image/serverpage/image-id/45232i6C8C81FB78AD01F2/image-size/large?v=v2&amp;px=999" role="button" title="create filter.jpeg" alt="create filter.jpeg" /></span> <P> </P> </LI> <LI>Now the 3 pieces of information are confirmed and tested. We can start building the Generic LDAP connector.</LI> <LI><STRONG>[VERY IMPORTANT]&nbsp;Before moving forward, confirm if there is any RootAdmin assigned to a domain user in Qlik Sense.</STRONG> <OL class="lia-list-style-type-lower-alpha"> <LI>If there is, make sure that user appears in the search result of above filter otherwise it will be marked as inactive and could potentially lock users out from QMC.</LI> <LI>Also, follow&nbsp;<A href="https://community.qlik.com/t5/Support-Knowledge-Base/How-to-avoid-the-RootAdmin-s-from-becoming-inactive/ta-p/1715558" target="_blank" rel="noopener">How to avoid the RootAdmin(s) from becoming inactive</A>. But this step should not be relied on so please still make sure the filter fetches current RootAdmin.</LI> </OL> </LI> <LI>Go to QMC and create a Generic LDAP connector as per our example: <OL class="lia-list-style-type-lower-alpha"> <LI>Uncheck&nbsp;<STRONG>User Sync Settings&nbsp;</STRONG></LI> <LI>Fill out: <BR /><STRONG>User Directory name</STRONG><BR /><STRONG>Path</STRONG> (such as <FONT face="courier new,courier">LDAP://servername/DC=qliktech,DC=com</FONT><BR /><STRONG>Username</STRONG> and <STRONG>Password</STRONG> of the user used in the previous steps</LI> <LI>Fill out the&nbsp;<STRONG>Additional LDAP filter&nbsp;</STRONG>as created in the previous steps<BR />We leave timeout and page size for search at default values.&nbsp;</LI> <LI>Leave&nbsp;<STRONG>Directory Entry Attributes&nbsp;</STRONG>default except for changing&nbsp;<STRONG>User identification&nbsp;</STRONG>to&nbsp;<FONT face="courier new,courier"><FONT face="courier new,courier"><STRONG>person<BR /><BR /></STRONG></FONT></FONT><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="user directory connector edit.jpeg" style="width: 999px;"><img src="https://community.qlik.com/t5/image/serverpage/image-id/45234iBCDC3A03C2B30A41/image-size/large?v=v2&amp;px=999" role="button" title="user directory connector edit.jpeg" alt="user directory connector edit.jpeg" /></span> <P>&nbsp;</P> </LI> </OL> </LI> <LI>Once this is complete, initiate a Sync and ensure all users were fetched:&nbsp;<BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="user list.jpeg" style="width: 999px;"><img src="https://community.qlik.com/t5/image/serverpage/image-id/45235iF01667DA74F5C52F/image-size/large?v=v2&amp;px=999" role="button" title="user list.jpeg" alt="user list.jpeg" /></span> <P> </P> </LI> </OL> Fri, 04 Dec 2020 11:22:36 GMT Sonja_Bauernfeind 2020-12-04T11:22:36Z https://community.qlik.com/t5/Official-Support-Articles/How-to-connect-to-Active-Directory-using-the-Generic-LDAP/ta-p/1713842 <P>In the standard Active Directory Connector, it is not possible to specify the branch or sub directory to limit searches to.&nbsp;But the Generic LDAP connector can be configured to do connect to Active Directory and specifying a subdirectory.<BR /><BR />Also using Generic LDAP connector makes it possible to set an alias for domain. In a rare situation that a domain called "Internal" can only be connected by Generic LDAP due to naming conflict.</P> <P>&nbsp;</P> <H3 class="qlik-migrated-tkb-headings">Resolution:</H3> <P>&nbsp;</P> <OL> <LI>Before setting up UDC, 3 pieces of information are required: <UL> <LI>Path</LI> <LI>User name</LI> <LI>LDAP Filter</LI> </UL> </LI> <LI>It is convenient to use a 3rd party tool called <A href="http://www.ldapadmin.org" target="_blank" rel="noopener">LDAP Admin</A>" to prepare the above 3 pieces of information</LI> <LI>Once LDAP Admin is downloaded and run, make a connection to the existing Active Directory. Domain Admin may need to be involved in order to get this step done.<BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="connection properties.jpeg" style="width: 456px;"><img src="https://community.qlik.com/t5/image/serverpage/image-id/45230i28F0F67A23D73899/image-size/large?v=v2&amp;px=999" role="button" title="connection properties.jpeg" alt="connection properties.jpeg" /></span><BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="connection is successful.jpeg" style="width: 241px;"><img src="https://community.qlik.com/t5/image/serverpage/image-id/45231i26AD4271A2F1EFCE/image-size/large?v=v2&amp;px=999" role="button" title="connection is successful.jpeg" alt="connection is successful.jpeg" /></span><BR /><BR /><BR /></LI> <LI>Once connected, go to <STRONG>Edit</STRONG> &gt; <STRONG>Search</STRONG> &gt; <STRONG>Custom</STRONG></LI> <LI>In the <STRONG>Search</STRONG>&nbsp;Window, make sure&nbsp;&nbsp;<STRONG>Path&nbsp;</STRONG>is set to root base. Use the&nbsp;<STRONG>Browse</STRONG>&nbsp;button if necessary.</LI> <LI>Create a filter so that only limited number of users are fetched. In the sample below, only 16 users are fetched by using the predefined filter. Please consult Domain Admin about how to construct an LDAP filter.<BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="create filter.jpeg" style="width: 999px;"><img src="https://community.qlik.com/t5/image/serverpage/image-id/45232i6C8C81FB78AD01F2/image-size/large?v=v2&amp;px=999" role="button" title="create filter.jpeg" alt="create filter.jpeg" /></span> <P> </P> </LI> <LI>Now the 3 pieces of information are confirmed and tested. We can start building the Generic LDAP connector.</LI> <LI><STRONG>[VERY IMPORTANT]&nbsp;Before moving forward, confirm if there is any RootAdmin assigned to a domain user in Qlik Sense.</STRONG> <OL class="lia-list-style-type-lower-alpha"> <LI>If there is, make sure that user appears in the search result of above filter otherwise it will be marked as inactive and could potentially lock users out from QMC.</LI> <LI>Also, follow&nbsp;<A href="https://community.qlik.com/t5/Support-Knowledge-Base/How-to-avoid-the-RootAdmin-s-from-becoming-inactive/ta-p/1715558" target="_blank" rel="noopener">How to avoid the RootAdmin(s) from becoming inactive</A>. But this step should not be relied on so please still make sure the filter fetches current RootAdmin.</LI> </OL> </LI> <LI>Go to QMC and create a Generic LDAP connector as per our example: <OL class="lia-list-style-type-lower-alpha"> <LI>Uncheck&nbsp;<STRONG>User Sync Settings&nbsp;</STRONG></LI> <LI>Fill out: <BR /><STRONG>User Directory name</STRONG><BR /><STRONG>Path</STRONG> (such as <FONT face="courier new,courier">LDAP://servername/DC=qliktech,DC=com</FONT><BR /><STRONG>Username</STRONG> and <STRONG>Password</STRONG> of the user used in the previous steps</LI> <LI>Fill out the&nbsp;<STRONG>Additional LDAP filter&nbsp;</STRONG>as created in the previous steps<BR />We leave timeout and page size for search at default values.&nbsp;</LI> <LI>Leave&nbsp;<STRONG>Directory Entry Attributes&nbsp;</STRONG>default except for changing&nbsp;<STRONG>User identification&nbsp;</STRONG>to&nbsp;<FONT face="courier new,courier"><FONT face="courier new,courier"><STRONG>person<BR /><BR /></STRONG></FONT></FONT><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="user directory connector edit.jpeg" style="width: 999px;"><img src="https://community.qlik.com/t5/image/serverpage/image-id/45234iBCDC3A03C2B30A41/image-size/large?v=v2&amp;px=999" role="button" title="user directory connector edit.jpeg" alt="user directory connector edit.jpeg" /></span> <P>&nbsp;</P> </LI> </OL> </LI> <LI>Once this is complete, initiate a Sync and ensure all users were fetched:&nbsp;<BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="user list.jpeg" style="width: 999px;"><img src="https://community.qlik.com/t5/image/serverpage/image-id/45235iF01667DA74F5C52F/image-size/large?v=v2&amp;px=999" role="button" title="user list.jpeg" alt="user list.jpeg" /></span> <P> </P> </LI> </OL> Fri, 04 Dec 2020 11:22:36 GMT https://community.qlik.com/t5/Official-Support-Articles/How-to-connect-to-Active-Directory-using-the-Generic-LDAP/ta-p/1713842 Sonja_Bauernfeind 2020-12-04T11:22:36Z