jeroen_hofsteen
Partner - Contributor

LDAPS UDC not storing users in directory

Hello Qlik people,

 

I'm currently having some trouble setting up an LDAPS UDC in Qlik Sense (Sept 18 release).

Qlik tells me the connector is working and the task runs fine.
However, I'm not getting any users imported into the repository of Qlik.
So subsequently I don't see the users appear in Sense.

What I have tried so far is:

- Leave the LDAP filter out -> no difference
- Check the Windows tool "ldp.exe". I can access the right group from the same server with this tool and see the 5 users

After this I checked the log in files from the repository services.
This gave me the following message:

Retrieved 1002 entities from directory 'QLIK_SENSE_CompanyName_UD' of type Repository.UserDirectoryConnectors.LDAP.GenericLDAP.
Database done with 0 users and 1002 groups in user directory
Ended saving users in repository
Finished synchronizing all users

I made sure I unchecked the 'Sync user data for existing users' box.

I'm curious if anyone else has had this problem or if I'm missing something.
My connection details are the following: (screenshot: LDAPS UDC properties.png)

 

1 Solution

Accepted Solutions
MichaelRobertshaw
Former Employee

In your screenshot the User Identification property is name. This should be an objectClass that defines the collection (schema) of attributes that a user has. The default value is inetOrgPerson and is probably still correct. If no objects of objectClass name are found then that probably explains why no Users are synchronised. 

I suggest that the Directory Entry Attributes you should configure are: 

  • Type: objectClass
  • User identification: inetOrgPerson
  • Group identification: group
  • Account name: sAMAccountName
  • Email: mail
  • Display name: displayName or cn
  • Group membership: memberOf  - this determines membership from an array of Group DNs on the User object
  • Members of directory entry: <empty> - determines membership from an array of User DNs on the Group object

Guessing between the lines a bit, I suspect you want to sync only users who are members of a particular group, or only users and groups that reside in a particular container within your Directory. The first objective may be possible with a sophisticated LDAP filter, and the second simply by adding the Base Distinguished Name to the Path property of the Connection. 


10 Replies
Levi_Turner
Employee

This is with AD, but the same principle applies. Can you use a tool like LDAP Explorer to ensure that you are mapping the right elements to identify users and groups? See attached for reference.

jeroen_hofsteen
Partner - Contributor
Author

Thank you Ltu for your quick reply.
Are the correct attributes still necessary even if I'm trying to extract all the users from the directory (so no LDAP filter active)? I'll give the LDAP Explorer tool a try to see if the attributes match.

Levi_Turner
Employee

For the LDAP connector? Yes. You need to tell it how to identify what a user is and what a group is. The AD Connector uses the AD standard for such things so there's no additional config. But given the diversity in LDAP sources, you will need to tell it how to identify users and groups.

MichaelRobertshaw
Former Employee

What is the objective you are trying to achieve with your LDAP filter? It doesn't look correctly formed. Also, in the Attribute Mapping below, specify only one of "Group membership" or "Members of directory entry" as per https://help.qlik.com/en-US/sense/September2018/Subsystems/ManagementConsole/Content/Sense_QMC/user-...
jeroen_hofsteen
Partner - Contributor
Author

Thank you for the responses.
I'm currently looking into getting the right attribute values.
Hopefully that is the solution.

jeroen_hofsteen
Partner - Contributor
Author

So I got the attributes from the system administrator of the organisation.
However, even with these attributes filled in I still get the same error message and no users in Sense.
Sense keeps giving back the message:

"Server\Qlik_Sense_service_account Database done with 0 users and 1002 groups in user directory (DOMEIN.LOCAL, a7cdba62-feeb-47b7-b6cf-78143bc97253)".

This happens with and without the filter used. Now I'm using a different account to read out the directory than the service account Qlik Sense is using. The reason is that the two servers are in different domains (both on different cloud platforms).
Could this be the reason that Qlik sees the entities in the directory but is unable to read out the users?

I'm really at a bit of a loss here since Sense keeps giving me back the same message while the UDC connector job keeps running fine without actually giving me the users. Any help is appreciated!

Screenshot of current LDAPS attributes:

 

 

jeroen_hofsteen
Partner - Contributor
Author

Thank you for your response Michael.

I solved the issue by setting the attribute "User Identification" to person.
This together with a different LDAP syntax for the group filter.

Also a good tip for anyone trying to import users.
Starting the user sync task from the task menu is NOT the same as starting the sync action from the User directory menu.
Starting the task from tasks didn't give me the users. Starting the sync action from the UDC menu did.
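
The attribute mapping from the accepted answer and the fix described in this post, as an added example that is not part of the original posts and is not Qlik's code. It is a simplified model of matching entries on objectClass, plus a group-restricted LDAP filter with RFC 4515 escaping. Assumptions: the sample entries are constructed and carry the objectClass values a default Active Directory user and group have, and all function names are hypothetical.

```python
# Added example: simplified model of the UDC user/group identification.
# SAMPLE is constructed data with AD-style objectClass values (assumption).
SAMPLE = [
    {"dn": "CN=Alice,OU=Staff,DC=example,DC=local",
     "objectClass": ["top", "person", "organizationalPerson", "user"]},
    {"dn": "CN=Bob,OU=Staff,DC=example,DC=local",
     "objectClass": ["top", "person", "organizationalPerson", "user"]},
    {"dn": "CN=Qlik Users (EU),OU=Groups,DC=example,DC=local",
     "objectClass": ["top", "group"]},
]

def classify(entries, user_id, group_id, type_attr="objectClass"):
    """Split entries into user DNs and group DNs by comparing the values
    of type_attr with the configured identification strings."""
    users, groups = [], []
    for entry in entries:
        classes = {v.lower() for v in entry.get(type_attr, [])}
        if user_id.lower() in classes:
            users.append(entry["dn"])
        elif group_id.lower() in classes:
            groups.append(entry["dn"])
    return users, groups

def escape_filter_value(value):
    """Escape a value for an LDAP search filter (RFC 4515): \\ * ( ) NUL."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c
                   for c in value)

def members_of_group_filter(user_class, group_dn):
    """Filter for users of one class that are members of one group."""
    return "(&(objectClass=%s)(memberOf=%s))" % (
        escape_filter_value(user_class), escape_filter_value(group_dn))

def compare_user_identification(candidates=("name", "inetOrgPerson", "person")):
    """User count per candidate 'User identification' value on SAMPLE."""
    return {c: len(classify(SAMPLE, c, "group")[0]) for c in candidates}

if __name__ == "__main__":
    # "name" is an attribute, not an objectClass, so it matches no entry.
    print(compare_user_identification())
    # Parentheses in the group DN are escaped so the filter stays well formed.
    print(members_of_group_filter("person", SAMPLE[2]["dn"]))
```

Checking the real objectClass values of a known user with ldp.exe or an LDAP browser shows which identification string applies in a given directory.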

 

Luna
Contributor

Just wanted to say that this was most helpful. 😃 
I knew I had to map it, but some parts left me stumped. 

Thanks a lot 😃