Qlik Sense on Windows: Configuring and testing LDAP filters for User Directory Connector

Andre_Sostizzo — Mon, 21 Jun 2021 17:20:17 GMT

This article goes over how to use LDAP filters and common examples when setting up Qlik Sense User Directory Connector (UDC).

Note: Qlik Support has no scope in assisting in composing an LDAP filter that fits the environment needs. If further assistance is needed please see How and When to Contact the Consulting Team? AD and Qlik Sense must be within the same Domain. If different domains refer to this article Users of a different Active Directory, but with membership to a group in the same Domain as the QlikSense server, are not synced

Environment:

Qlik Sense Enterprise on Windows, all versions

Resolution:

Click here for Video Transcript

Notes:

Although this article is using AD as an example, it should also apply to other Directory Services that are compatible with LDAP
Although this example only filters users based on one single Group, more complicated filters are also supported in Qlik Sense. Please make sure the filter returns desired result before applying it to Directory Connector.

1. (Optional) Create a group that the filter will be based on. For example, "SenseUsers" group with 4 users is created in AD:

2. Recommended: Mark all RootAdmins as Delete Prohibited to prevent locking oneself out of the QMC, see How to avoid the RootAdmin(s) from becoming inactive

3. In this article, we will use native Windows tools to preview the LDAP query. Third party tools like LDAP Admin or LDAP Browser by Softerra are also valid tools to use.

4. On the Windows Server, open the Server Manager:

5. Click on Manage then Add Roles and Features:

6. If Before You Begin is displayed, click Next

7. On Installation Type, select Role-based or feature-based installation:

8. On Server Selection, select the server that you are working with

9. Next navigate to Features, and select the Active Directory Administrative Center option:

10. Confirm that this is the feature(s) that you want to install and allow the installation to complete

11. After the installation completes, Click Start then select Administrative Tools and open the Active Directory Users and Computers module

12. The main domain that the server is on should automatically be present, so right click on the domain and select Find:

13. In the Find section select Custom Search:

14. Write out your potential LDAP filter and ensure that it selects all the expected users:

15. Once you have an LDAP filter which works correctly outside of Qlik Sense, then navigate in the QMC to User Directory Connectors > edit the pre-existing Active Directory Connector > ensure that the Advanced section is displayed and paste in the LDAP filter. At this step you should unselect the Sync user data for existing users toggle:

16. The rationale for unselecting the Sync user data for existing users toggle is as follows. If you are already filtering the results from AD, then it makes sense to pull in the entire set of the filtered subset of users. This step isn't strictly speaking required but if you opt for the route of using an LDAP filter then it makes logistical sense to pull in all the users in the filtered subset.

17. Save the changes and go back to the root of the User Directory Connectors section and sync the altered Connector:

Some common filters:

All users: (&(objectCategory=person)(objectClass=user))
- Caution: do NOT use this filter on an LDAP with a lot of users. Too many users loaded to Qlik Sense could cause performance problem and once they are imported it will be difficult to remove them.
All users in a specific group: (&(objectClass=user)((memberOf:1.2.840.113556.1.4.1941:=CN=NameOfTheGroup,CN=Users,DC=domain,DC=local)))
User with a specific natural name: (&(objectCategory=person)(objectClass=user)(CN=FirstName LastName))
- For example, if a user is called John Doe, the filter to look for him can be: (&(objectCategory=person)(objectClass=user)(CN=John Doe))
User with a specific login name: (&(objectCategory=person)(objectClass=user)(sAMAccountName=LoginName))
- For example, if John Doe's login name is DOMAIN\JDOE in the system, the filter to look for him can be: (&(objectCategory=person)(objectClass=user)(sAMAccountName=jdoe))
The filter used by QlikView Active Directory Connector when performing a user search(replace KEYWORD with actual search phrase):
- (&(|(name=KEYWORD)(sAMAccountName=KEYWORD))(&(!(objectclass=computer))(objectGUID=*))(|(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))(|(objectClass=User)(objectClass=person))))

Re: Qlik Sense on Windows: Configuring and testing LDAP filters for User Directory Connector

sanjeev_gupta10 — Thu, 04 Apr 2024 11:01:30 GMT

Hi,

Please follow the below steps

1. Create a Security Group (like Data Analytics) and add those users.

2. Navigate in the QMC to User Directory Connectors > edit the pre-existing Active Directory Connector > ensure that the Advanced section is displayed and paste in the LDAP filter. At this step you should unselect the Sync user data for existing users toggle:

Additional LDAP Filer :- (memberOf=CN=Data Analytics,OU=Qlik,DC=ABC,DC=local)

Thanks

Sanjeev Gupta

article Qlik Sense on Windows: Configuring and testing LDAP filters for User Directory Connector in Official Support Articles

Qlik Sense on Windows: Configuring and testing LDAP filters for User Directory Connector

Environment:

Resolution:

Some common filters:

Related Content:

Re: Qlik Sense on Windows: Configuring and testing LDAP filters for User Directory Connector