
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
LDAP Filter for multiple groups in Qlik Sense Enterprise on Windows
May 12, 2021 9:18:56 AM
Jan 30, 2015 1:44:01 PM
The syntax to use when adding multiple AD groups in the LDAP filter is listed below.
Environment:
Qlik Sense Enterprise on Windows
The LDAP syntax for a filter like our example above would be teo "OR" elements together with the "|" character (called the pipe character):
(|( condition 1)( condition 2))
So your conditions for the filter would look like this:
(|(memberof=CN=BOBJ ADMIN LASH,OU=Security Groups,OU=LashGroup,DC=clt,DC=lash,DC=loc)(memberof=CN=BO Admin,OU=Security Groups,OU=LashGroup,DC=clt,DC=lash,DC=loc))
The "OR" operator is used for multiple groups, and uses a "pipe" symbol. The "AND" operator is used inversly to make a very specific query, and uses a "&" symbol.
It is recommended to always test outside of Qlik Sense prior to applying any changes. See Qlik Sense: How to create a filter in Directory Connector (and test it) for further steps
More information about LDAP filters for Active Directory can be found here: https://technet.microsoft.com/en-us/library/aa996205(v=exchg.65).aspx
Basic LDAP Filter Syntax and Operators
LDAP filters consist of one or more criteria. If one than more criterion exist in one filter definition, they can be concatenated by logical AND or OR operators. The logical operators are always placed in front of the operands (i.e. the criteria). This is the so-called 'Polish Notation'. The search criteria have to be put in parentheses and then the whole term has to be bracketed one more time.
AND Operation:
(& (...K1...) (...K2...)) or with more than two criteria: (& (...K1...) (...K2...) (...K3...) (...K4...))
OR Operation:
(| (...K1...) (...K2...)) or with more than two criteria: (| (...K1...) (...K2...) (...K3...) (...K4...))
Nested Operation:
Every AND/OR operation can also be understood as a single criterion:
(|(& (...K1...) (...K2...))(& (...K3...) (...K4...)))
Note: Wildcards are not allowed in the case of memberOf and distinguishedName. Specify the full DN of the objects. This is not a Qlik Sense limitation but a general LDAP limitation/rule.
Related Content:
Qlik Sense : Example of a LDAP filter to sync users in a group
Qlik Sense on Windows: Configuring and testing LDAP filters for User Directory Connector

- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
When I am using OR Operation
OR Operation:
(| (...K1...) (...K2...)) or with more than two criteria: (| (...K1...) (...K2...) (...K3...) (...K4...))
the users from K3 group becomes inactive.
My users are admin , dev and analyst hence K1 = Admin and K2 = Dev are active whereas K3 = Analyst are inactive.

- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
Hello @jaishree_Qlik
I've just tested with 3 groups and it just works fine for me.
(|(memberof=CN=groupA,CN=Users,DC=domain,DC=local)(memberof=CN=groupB,CN=Users,DC=domain,DC=local)(memberof=CN=groupC,CN=Users,DC=domain,DC=local))
I have userA,userB,userC in each group and everyone is synced and not disabled.
Could there be a mistake in the path to the group for K3 ?
Does simply using (| (...K1...) (...K3...)) actually fetch the users from K3/make them active ?

- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
For testing it local server I used this syntax and still not able to see users active .
(| (memberOf=CN=QlikUser,OU=My Users,DC=hp,DC=local)
(memberOf=CN=QlikAdmin,OU=My Users,DC=hp,DC=local)
(memberOf=CN=QlikAnalyzer,OU=My Users,DC=hp,DC=local))
QlikUser - Active
QlikAdmin - Not Active
QlikAnalyzer - Not Active

- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
Please do not format it with enter button , just give one space between groups ...it will work.

- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
The issue arises when I combine the below two groups with an OR condition; individually, they function correctly, i have already tried the above solution @jaishree_Qlik @Sonja_Bauernfeind
(&(objectCategory=person)(objectClass=user)
(| (memberof=CN=QlikUser,OU=Groups,OU=My Users,OU=Regular,DC=hp,DC=local) (memberof=CN=QlikAdmin,OU=Groups,OU=My Users,OU=Regular,DC=hp,DC=local)))

- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
Hello @maknae Before beginning to troubleshoot with a Qlik Product, please verify that the filer works correctly in a third-party tool. See LDAP server testing using an LDAP browser to verify LDAP filters for Qlik products for an example.
If the filter does not return the expected results in the third-party tool, please troubleshoot further with your active directory administrator. If it does, please post about your query and what you are looking to achieve in the Qlik Sense Management and Deployment forum.
All the best,
Sonja