Unlock a world of possibilities! Login now and discover the exclusive benefits awaiting you.
This article goes over how to use LDAP filters and common examples when setting up Qlik Sense User Directory Connector (UDC).
Note: Qlik Support has no scope in assisting in composing an LDAP filter that fits the environment needs. If further assistance is needed please see How and When to Contact the Consulting Team? AD and Qlik Sense must be within the same Domain. If different domains refer to this article Users of a different Active Directory, but with membership to a group in the same Domain as the Qlik...
Environment:
- Qlik Sense Enterprise on Windows, all versions
Resolution:
Click here for Video Transcript
Notes:
- Although this article is using AD as an example, it should also apply to other Directory Services that are compatible with LDAP
- Although this example only filters users based on one single Group, more complicated filters are also supported in Qlik Sense. Please make sure the filter returns desired result before applying it to Directory Connector.
1. (Optional) Create a group that the filter will be based on. For example, "SenseUsers" group with 4 users is created in AD:
2. Recommended: Mark all RootAdmins as Delete Prohibited to prevent locking oneself out of the QMC, see How to avoid the RootAdmin(s) from becoming inactive
3. In this article, we will use native Windows tools to preview the LDAP query. Third party tools like LDAP Admin or LDAP Browser by Softerra are also valid tools to use.
4. On the Windows Server, open the Server Manager:
5. Click on Manage then Add Roles and Features:
6. If Before You Begin is displayed, click Next
7. On Installation Type, select Role-based or feature-based installation:
8. On Server Selection, select the server that you are working with
9. Next navigate to Features, and select the Active Directory Administrative Center option:
10. Confirm that this is the feature(s) that you want to install and allow the installation to complete
11. After the installation completes, Click Start then select Administrative Tools and open the Active Directory Users and Computers module
12. The main domain that the server is on should automatically be present, so right click on the domain and select Find:
13. In the Find section select Custom Search:
14. Write out your potential LDAP filter and ensure that it selects all the expected users:
15. Once you have an LDAP filter which works correctly outside of Qlik Sense, then navigate in the QMC to User Directory Connectors > edit the pre-existing Active Directory Connector > ensure that the Advanced section is displayed and paste in the LDAP filter. At this step you should unselect the Sync user data for existing users toggle:
16. The rationale for unselecting the Sync user data for existing users toggle is as follows. If you are already filtering the results from AD, then it makes sense to pull in the entire set of the filtered subset of users. This step isn't strictly speaking required but if you opt for the route of using an LDAP filter then it makes logistical sense to pull in all the users in the filtered subset.
17. Save the changes and go back to the root of the User Directory Connectors section and sync the altered Connector:
Some common filters:
- All users: (&(objectCategory=person)(objectClass=user))
- Caution: do NOT use this filter on an LDAP with a lot of users. Too many users loaded to Qlik Sense could cause performance problem and once they are imported it will be difficult to remove them.
- All users in a specific group: (&(objectClass=user)((memberOf:1.2.840.113556.1.4.1941:=CN=NameOfTheGroup,CN=Users,DC=domain,DC=local)))
- User with a specific natural name: (&(objectCategory=person)(objectClass=user)(CN=FirstName LastName))
- For example, if a user is called John Doe, the filter to look for him can be: (&(objectCategory=person)(objectClass=user)(CN=John Doe))
- User with a specific login name: (&(objectCategory=person)(objectClass=user)(sAMAccountName=LoginName))
- For example, if John Doe's login name is DOMAIN\JDOE in the system, the filter to look for him can be: (&(objectCategory=person)(objectClass=user)(sAMAccountName=jdoe))
- The filter used by QlikView Active Directory Connector when performing a user search(replace KEYWORD with actual search phrase):
- (&(|(name=KEYWORD)(sAMAccountName=KEYWORD))(&(!(objectclass=computer))(objectGUID=*))(|(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))(|(objectClass=User)(objectClass=person))))
Related Content:
-
Qlik Sense: How to connect to AD using "Active Directory" UDC
-
How to get LDAP filters for Active Directory groups from users already in Qlik Sense
-
LDAP filter to only include all users in a certain Organizational Unit (OU) into Qlik Sense
-
Retrieve OU (Organizational Unit) users from Active Directory LDAP Filter
-
Video: Qlik Sense Platform - Qlik Management Console - User Directory Connector - Part 5
-
ADSI - Search Filter Syntax - Extended match operator / Nested groups rule
.png "Former Employee"){kind=icon}