Skip to main content
Announcements
Have questions about Qlik Connect? Join us live on April 10th, at 11 AM ET: SIGN UP NOW
cancel
Showing results for 
Search instead for 
Did you mean: 
Not applicable

Why are my users being deactivated externally?

I've got an installation of Qlik Server 3.2.4 with following LDAP filter:

(&(objectCategory=person)(objectClass=user)(|(sAMAccountName=user1)(sAMAccountName=user2)(sAMAccountName=user3)(sAMAccountName=user5)(sAMAccountName=6)(sAMAccountName=user7)

If I delete the user, they can access Qlik again until the next sync at which point they're being deactivated.  I've got another user in the same connector who is not being deactivated in this manner, and I can't spot any difference between the two of them.  Is there any change to the connector or the LDAP filter I can make to keep this from happening? Any other changes you can think of for me to try please?

4 Replies
rittermd
Master
Master

I do not completely understand your question or situation.

When you say that you delete the user I assume that you are doing that in the QMC?  Are you deleting both users here?

I am not 100% sure about this.  In our situation a user account is created when that user opens the QS URL and logs in.  I have not tried this.  But I suspect that as long as the user is included in the authorization connector that they could log back in after you deleted them and this would create their account again.  So they have to be taken out of the AD group or whatever you are using so that when the next sync occurs they are no longer there and this will not happen.

I suspect what you want to do is block them in the QMC so that they can not login.  Then remove the flag or whatever you are using to identify them in your connector as a Qlik user so that they do not sync any longer.  Then delete them.

But I honestly am guessing on this.

Not applicable
Author

I'll try to clarify the events I'm seeing:

  1. User account is created by opening the QS url.
  2. User's access works fine, until
  3. UDC, which explicitly looks for that user's ID (not AD group), syncs and then the user is deactivated externally.
  4. I delete the user in the UDC, then go back to number one.

My goal is to allow only a few users access, hence the explicit whitelisting of a few user IDs.  What's weird is that a few other users are included in this same UDC but they aren't deactivated like this one is.

Not applicable
Author

For future reference, the problem ended up being the LDAP filter I had on the user directory connector.  I removed the LDAP filter entirely, unchecked the sync existing users flag, and set up security rules based on AD group attributes in the QS user fields, e.g. stream security based on membership in specific AD groups.  This has resolved all my user deactivation issues.

Faizoel
Partner - Contributor III
Partner - Contributor III

I know this is solved, just for anyone else who gets here, here is my solution.

For me this happened because I had spaces between the account names and (didn't test this part) new lines/hard returns.

so

(sAMAccountName=user3) (sAMAccountName=user5)

should be changed to

(sAMAccountName=user3)(sAMAccountName=user5)