https://community.qlik.com/t5/QlikView/Configurable-LDAP-to-Tivoli-From-QV-Server-10/m-p/172009#M1281997 <HTML><HEAD></HEAD><BODY><P>Jeff and Sylvia,</P><P></P><P>The solution is somewhat complex because of the differences between AD's group authentication and Tivoli's. Essentially, there are 2 problems: (1) there is no equivalent to a sAMAccountName in Tivoli that would exist as an attribute on both User and Group nodes; the QDS attempts to lookup an attribute that would exist at both levels, and is unable to find it; and (2) Distinguished Names are not actually stored in Tivoli; the Distinguished Name attribute exists, but is reserved by the system so that it can be auto-populated on-demand; the QDS attempts to reference a group's distinguished name but is not able to.</P><P></P><P>I'm not sure how to modify the Tivoli schema itself, so this solution makes use of 2 fields that I am assuming are currently not populated: (1) description and (2) mobile.</P><P></P><OL><LI>For each <SPAN style="text-decoration: underline;"><STRONG>user</STRONG></SPAN>, Tivoli stores group memberships in hidden attributes called "<EM>ibm-allgroups</EM>" which are the equivalent to "<EM>memberof</EM>" in Active Directory. Unfortunately, the values of these attributes are stored in distinguished format (e.g. cn=mygroup,cn=SecurityGroups,secAuthority=Default). Create a new rule in Tivoli that will take just the "<EM>mygroup</EM>" part of the value and store it in attribute "<EM>mobile</EM>." You should create a <EM>mobile </EM>attribute for each instance of "<EM>ibm-allgroups</EM>" for each <SPAN style="text-decoration: underline;"><STRONG>user</STRONG></SPAN>.</LI><LI>For both user <STRONG style="text-decoration: underline;">and</STRONG> groups, we need to create an attribute that simulates a sAMAccountName. We will populate the attribute "<EM>description</EM>" with this. So if you have a group whose ID is "<EM>qlikview_group1</EM>" and a user whose UID is "<EM>qv_user1</EM>", create a Tivoli rule that sets the group's "<EM>description</EM>" attribute to "<EM>qlikview_group1</EM>" and the user's "<EM>description</EM>" attribute to "<EM>qv_user1</EM>." Propogate these changes for all users and groups.</LI><LI>In QlikView, create a Configurable LDAP DSC in QEMC &gt;&gt; System &gt;&gt; Directory Service Connectors. Enter the proper credentials (although I'm assuming this is already working for you since you can authorize usernames). Enter the following settings:<BR /><IMG alt="tivoli group settings.png" class="jive-image-thumbnail jive-image" onclick="" src="https://community.qlik.com/legacyfs/online/8651_tivoli+group+settings.png" width="450" /></LI><LI>That's it! You can now authorize groups on documents. In the Document Authorization tab, groups can either be browsed to in the usual way or simply entered in the format: <EM>tivoli\groupname</EM></LI></OL><P></P><P>Cheers,</P><P>Vlad</P></BODY></HTML> Tue, 15 Nov 2011 23:48:47 GMT vgutkovsky 2011-11-15T23:48:47Z https://community.qlik.com/t5/QlikView/Configurable-LDAP-to-Tivoli-From-QV-Server-10/m-p/172004#M1281983 <HTML><HEAD></HEAD><BODY><P>We are currently using a Tivoli Web Proxy to validate users, then passing that validated username to Qlikview Server (v10) in the http header. Because we are going to have 50 initial users (and potentially many more going forward) I was trying to set up a configurable LDAP connection back to an LDAP directory on our Tivoli machine to look up group assignments. The goal would be to assign group names to Qlikview documents and opposed to 50 individual usernames, but I can't get the group name to pull back.</P></BODY></HTML> Mon, 26 Jan 2026 18:19:17 GMT https://community.qlik.com/t5/QlikView/Configurable-LDAP-to-Tivoli-From-QV-Server-10/m-p/172004#M1281983 2026-01-26T18:19:17Z https://community.qlik.com/t5/QlikView/Configurable-LDAP-to-Tivoli-From-QV-Server-10/m-p/172005#M1281984 <HTML><HEAD></HEAD><BODY><P>It almost appears as if I have a setting wrong and DSC isn't even being used. When we configure the connection, it polls the Tivoli machine without issue. However, when we log on as a user through the web I don't see anything that attempts to then get a group name based on the user id (we are using DMS authorization).</P><P>I've been reading through the server documentation and so far haven't found a location to 'turn on" our configured DSC - what am I missing? Does our web proxy need to pass the http string to the DSC url as opposed to the standard server url?</P></BODY></HTML> Fri, 21 Jan 2011 23:16:30 GMT https://community.qlik.com/t5/QlikView/Configurable-LDAP-to-Tivoli-From-QV-Server-10/m-p/172005#M1281984 2011-01-21T23:16:30Z https://community.qlik.com/t5/QlikView/Configurable-LDAP-to-Tivoli-From-QV-Server-10/m-p/172006#M1281988 <HTML><HEAD></HEAD><BODY><P>So, was able to get the directory service connector working by specifying the 'Directory Label' in the settings as the name of the QlikView Directory Service. Now it loads the connector dll's, although are still having issues looking up group names that are associated with the actual users.</P></BODY></HTML> Tue, 25 Jan 2011 22:27:22 GMT https://community.qlik.com/t5/QlikView/Configurable-LDAP-to-Tivoli-From-QV-Server-10/m-p/172006#M1281988 2011-01-25T22:27:22Z https://community.qlik.com/t5/QlikView/Configurable-LDAP-to-Tivoli-From-QV-Server-10/m-p/172007#M1281991 <HTML><HEAD></HEAD><BODY><P>Hi Jeff,</P><P>Are you able to find any solution for reading the individual user name from the group user name in TDS?</P><P>We have similar problem here.</P><P></P><P>Thanks,</P><P>Silvia</P></BODY></HTML> Wed, 09 Mar 2011 06:57:30 GMT https://community.qlik.com/t5/QlikView/Configurable-LDAP-to-Tivoli-From-QV-Server-10/m-p/172007#M1281991 2011-03-09T06:57:30Z https://community.qlik.com/t5/QlikView/Configurable-LDAP-to-Tivoli-From-QV-Server-10/m-p/172008#M1281995 <HTML><HEAD></HEAD><BODY><P>I haven't yet. We are in the process of setting up our development environment, and when complete (next two weeks) I'm planning on engaging a QlikView consultant to help take a look at it.</P></BODY></HTML> Wed, 09 Mar 2011 13:52:16 GMT https://community.qlik.com/t5/QlikView/Configurable-LDAP-to-Tivoli-From-QV-Server-10/m-p/172008#M1281995 2011-03-09T13:52:16Z https://community.qlik.com/t5/QlikView/Configurable-LDAP-to-Tivoli-From-QV-Server-10/m-p/172009#M1281997 <HTML><HEAD></HEAD><BODY><P>Jeff and Sylvia,</P><P></P><P>The solution is somewhat complex because of the differences between AD's group authentication and Tivoli's. Essentially, there are 2 problems: (1) there is no equivalent to a sAMAccountName in Tivoli that would exist as an attribute on both User and Group nodes; the QDS attempts to lookup an attribute that would exist at both levels, and is unable to find it; and (2) Distinguished Names are not actually stored in Tivoli; the Distinguished Name attribute exists, but is reserved by the system so that it can be auto-populated on-demand; the QDS attempts to reference a group's distinguished name but is not able to.</P><P></P><P>I'm not sure how to modify the Tivoli schema itself, so this solution makes use of 2 fields that I am assuming are currently not populated: (1) description and (2) mobile.</P><P></P><OL><LI>For each <SPAN style="text-decoration: underline;"><STRONG>user</STRONG></SPAN>, Tivoli stores group memberships in hidden attributes called "<EM>ibm-allgroups</EM>" which are the equivalent to "<EM>memberof</EM>" in Active Directory. Unfortunately, the values of these attributes are stored in distinguished format (e.g. cn=mygroup,cn=SecurityGroups,secAuthority=Default). Create a new rule in Tivoli that will take just the "<EM>mygroup</EM>" part of the value and store it in attribute "<EM>mobile</EM>." You should create a <EM>mobile </EM>attribute for each instance of "<EM>ibm-allgroups</EM>" for each <SPAN style="text-decoration: underline;"><STRONG>user</STRONG></SPAN>.</LI><LI>For both user <STRONG style="text-decoration: underline;">and</STRONG> groups, we need to create an attribute that simulates a sAMAccountName. We will populate the attribute "<EM>description</EM>" with this. So if you have a group whose ID is "<EM>qlikview_group1</EM>" and a user whose UID is "<EM>qv_user1</EM>", create a Tivoli rule that sets the group's "<EM>description</EM>" attribute to "<EM>qlikview_group1</EM>" and the user's "<EM>description</EM>" attribute to "<EM>qv_user1</EM>." Propogate these changes for all users and groups.</LI><LI>In QlikView, create a Configurable LDAP DSC in QEMC &gt;&gt; System &gt;&gt; Directory Service Connectors. Enter the proper credentials (although I'm assuming this is already working for you since you can authorize usernames). Enter the following settings:<BR /><IMG alt="tivoli group settings.png" class="jive-image-thumbnail jive-image" onclick="" src="https://community.qlik.com/legacyfs/online/8651_tivoli+group+settings.png" width="450" /></LI><LI>That's it! You can now authorize groups on documents. In the Document Authorization tab, groups can either be browsed to in the usual way or simply entered in the format: <EM>tivoli\groupname</EM></LI></OL><P></P><P>Cheers,</P><P>Vlad</P></BODY></HTML> Tue, 15 Nov 2011 23:48:47 GMT https://community.qlik.com/t5/QlikView/Configurable-LDAP-to-Tivoli-From-QV-Server-10/m-p/172009#M1281997 vgutkovsky 2011-11-15T23:48:47Z