Unlock a world of possibilities! Login now and discover the exclusive benefits awaiting you.
May 12, 2021 9:18:56 AM
Jan 30, 2015 1:44:01 PM
The syntax to use when adding multiple AD groups in the LDAP filter is listed below.
Qlik Sense Enterprise on Windows
The LDAP syntax for a filter like our example above would be teo "OR" elements together with the "|" character (called the pipe character):
(|( condition 1)( condition 2))
So your conditions for the filter would look like this:
(|(memberof=CN=BOBJ ADMIN LASH,OU=Security Groups,OU=LashGroup,DC=clt,DC=lash,DC=loc)(memberof=CN=BO Admin,OU=Security Groups,OU=LashGroup,DC=clt,DC=lash,DC=loc))
The "OR" operator is used for multiple groups, and uses a "pipe" symbol. The "AND" operator is used inversly to make a very specific query, and uses a "&" symbol.
It is recommended to always test outside of Qlik Sense prior to applying any changes. See Qlik Sense: How to create a filter in Directory Connector (and test it) for further steps
More information about LDAP filters for Active Directory can be found here: https://technet.microsoft.com/en-us/library/aa996205(v=exchg.65).aspx
LDAP filters consist of one or more criteria. If one than more criterion exist in one filter definition, they can be concatenated by logical AND or OR operators. The logical operators are always placed in front of the operands (i.e. the criteria). This is the so-called 'Polish Notation'. The search criteria have to be put in parentheses and then the whole term has to be bracketed one more time.
AND Operation:
(& (...K1...) (...K2...)) or with more than two criteria: (& (...K1...) (...K2...) (...K3...) (...K4...))
OR Operation:
(| (...K1...) (...K2...)) or with more than two criteria: (| (...K1...) (...K2...) (...K3...) (...K4...))
Nested Operation:
Every AND/OR operation can also be understood as a single criterion:
(|(& (...K1...) (...K2...))(& (...K3...) (...K4...)))
Note: Wildcards are not allowed in the case of memberOf and distinguishedName. Specify the full DN of the objects. This is not a Qlik Sense limitation but a general LDAP limitation/rule.
Qlik Sense : Example of a LDAP filter to sync users in a group
Qlik Sense on Windows: Configuring and testing LDAP filters for User Directory Connector
When I am using OR Operation
OR Operation:
(| (...K1...) (...K2...)) or with more than two criteria: (| (...K1...) (...K2...) (...K3...) (...K4...))
the users from K3 group becomes inactive.
My users are admin , dev and analyst hence K1 = Admin and K2 = Dev are active whereas K3 = Analyst are inactive.
Hello @jaishree_Qlik
I've just tested with 3 groups and it just works fine for me.
(|(memberof=CN=groupA,CN=Users,DC=domain,DC=local)(memberof=CN=groupB,CN=Users,DC=domain,DC=local)(memberof=CN=groupC,CN=Users,DC=domain,DC=local))
I have userA,userB,userC in each group and everyone is synced and not disabled.
Could there be a mistake in the path to the group for K3 ?
Does simply using (| (...K1...) (...K3...)) actually fetch the users from K3/make them active ?
For testing it local server I used this syntax and still not able to see users active .
(| (memberOf=CN=QlikUser,OU=My Users,DC=hp,DC=local)
(memberOf=CN=QlikAdmin,OU=My Users,DC=hp,DC=local)
(memberOf=CN=QlikAnalyzer,OU=My Users,DC=hp,DC=local))
QlikUser - Active
QlikAdmin - Not Active
QlikAnalyzer - Not Active
Please do not format it with enter button , just give one space between groups ...it will work.
The issue arises when I combine the below two groups with an OR condition; individually, they function correctly, i have already tried the above solution @jaishree_Qlik @Sonja_Bauernfeind
(&(objectCategory=person)(objectClass=user)
(| (memberof=CN=QlikUser,OU=Groups,OU=My Users,OU=Regular,DC=hp,DC=local) (memberof=CN=QlikAdmin,OU=Groups,OU=My Users,OU=Regular,DC=hp,DC=local)))
Hello @maknae Before beginning to troubleshoot with a Qlik Product, please verify that the filer works correctly in a third-party tool. See LDAP server testing using an LDAP browser to verify LDAP filters for Qlik products for an example.
If the filter does not return the expected results in the third-party tool, please troubleshoot further with your active directory administrator. If it does, please post about your query and what you are looking to achieve in the Qlik Sense Management and Deployment forum.
All the best,
Sonja