Skip to main content
Announcements
July 15, NEW Customer Portal: Initial launch will improve how you submit Support Cases. READ MORE

Sync Active Directory users from multiple domains with Advanced LDAP - Qlik Sense Enterprise on Windows

No ratings
cancel
Showing results for 
Search instead for 
Did you mean: 
Bastien_Laugiero

Sync Active Directory users from multiple domains with Advanced LDAP - Qlik Sense Enterprise on Windows

Last Update:

Jun 2, 2022 6:27:33 AM

Updated By:

Andre_Sostizzo

Created date:

Apr 14, 2021 12:26:42 AM

Historically, in order to load users member from multiple Active Directory Domains was not possible with a single User Directory Connector. It was required to create one User Directory Connector per domain making the Active Directory administration more complex for the IT Team. 

Starting from Qlik Sense September 2020, it is now possible to achieve this with Advanced LDAP. 

Starting on Qlik Sense February 2021, multiple domain names are synchronized instead of allowing for duplicate users with the real domain name to populate when they login. (Look for QB-2187)

Environment

 

Click Here Video Transcript

Requirement(s):

  • Make sure there full trust between the different Active Directory Domains in the same forest.

Steps:

  1. In one of the domain, create an Active Directory Universal Security group and add the list of users from multiple domains you want to sync into Qlik Sense.
  2. Then go to QMC -> User Directory Connector and create an Advanced LDAP Connection
  3. Provide a name and user directory name
  4. Uncheck the box “Sync user data for existing users” so that we can import new users into Qlik Sense
  5. In the host section, you will need to point to the Global Catalog port which is 3268 for LDAP and 3269 for LDAPS by default so that the sync can capture user through the entire forest.
  6. Add a username and password to connect to the Global Catalog.
  7. The base DN here is important as it needs to refer to the forest name in order to navigate through the child domains.
  8. You can then add an LDAP filter to load the user member of the group you created earlier. Make sure that the rootAdmin accounts used to manage Qlik Sense are not excluded by the new LDAP filter. More information under How to avoid the RootAdmin(s) from becoming inactive  
  9. And finally you will need to change in the Directory entry attributes the User identifier from “inetOrgPerson” to “person”. This is specific to Active Directory. 

It is now time to run the synchronization and check that your users are imported.

Bastien_Laugiero_0-1618374041352.png

 

The information in this article is provided as-is and to be used at own discretion. Depending on tool(s) used, customization(s), and/or other factors ongoing support on the solution above may not be provided by Qlik Support.

 

Related Content 

 

Labels (2)
Comments
Filippo_Nicolussi_P

Hi Johann 

Just a little follow-up on a Active Directory perspective; based on the official site DC returns only 5000 values in LDAP response - Windows Server | Microsoft Docs there are some hardcoded limitations introduced:

"Internal LDAP limitations have been introduced in Windows Server 2008 R2 and Windows Server 2008 to prevent overloading the domain controller. These limits overwrite the LDAP policy setting when the policy value should be higher" 

with hardcoded MaxPageSize=20000 and MaxValRange=5000  .

 

Many thanks.

Filippo 

jchoucq
Partner - Creator III
Partner - Creator III

Thank you @Filippo_Nicolussi_P 

For a specific need my customer changed the MaxPageSize in the past to 30000, but even with this high threshold, this is not enough in our context.

With the "use optimized query", in the debug log, in can find than the last ldap filter executed by qlik sense is (objectClass=group) what seems far too broad and not in line with what we asked for.

Johann

rakeshshah
Partner - Creator
Partner - Creator

Thank you for the article and details. What I would like to know is once this has been setup will the users get a SSO experience or be prompted to enter username and password depending on the domains?

Alternatively what I'm trying to do is have an SSO experience for two domains - is this possible? It is currently SSO for the domain the Server is installed with, but not for Domain B

Thanks

Rakesh

Sonja_Bauernfeind
Digital Support
Digital Support

Hello @rakeshshah 

Authentication in this case is still being carried out by Windows and if Windows requires a prompt, a prompt will be displayed. You would likely need to build an independent single sign on system in front of both domains to achieve this. 

Please post about your requirements in our forums: Deployment and Management 

All the best,
Sonja 

Version history
Last update:
‎2022-06-02 06:27 AM
Updated by: