Skip to main content

Qlik Community

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Official Support Articles

Search or browse our knowledge base to find answers to your questions ranging from account questions to troubleshooting error messages. The content is curated and updated by our global Support team

Announcements
Skip the ticket, Chat with Qlik Support instead for instant assistance.

Sync Active Directory users from multiple domains with Advanced LDAP - Qlik Sense Enterprise on Windows

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Bastien_Laugiero
Support
Support
‎2021-04-14 12:26 AM

Sync Active Directory users from multiple domains with Advanced LDAP - Qlik Sense Enterprise on Windows

Historically, in order to load users member from multiple Active Directory Domains was not possible with a single User Directory Connector. It was required to create one User Directory Connector per domain making the Active Directory administration more complex for the IT Team. 

Starting from Qlik Sense September 2020, it is now possible to achieve this with Advanced LDAP. 

Starting on Qlik Sense February 2021, multiple domain names are synchronized instead of allowing for duplicate users with the real domain name to populate when they login. (Look for QB-2187)

Environment

 

Click Here Video Transcript

Requirement(s):

  • Make sure there full trust between the different Active Directory Domains in the same forest.

Steps:

  1. In one of the domain, create an Active Directory Universal Security group and add the list of users from multiple domains you want to sync into Qlik Sense.
  2. Then go to QMC -> User Directory Connector and create an Advanced LDAP Connection
  3. Provide a name and user directory name
  4. Uncheck the box “Sync user data for existing users” so that we can import new users into Qlik Sense
  5. In the host section, you will need to point to the Global Catalog port which is 3268 for LDAP and 3269 for LDAPS by default so that the sync can capture user through the entire forest.
  6. Add a username and password to connect to the Global Catalog.
  7. The base DN here is important as it needs to refer to the forest name in order to navigate through the child domains.
  8. You can then add an LDAP filter to load the user member of the group you created earlier. Make sure that the rootAdmin accounts used to manage Qlik Sense are not excluded by the new LDAP filter. More information under How to avoid the RootAdmin(s) from becoming inactive  
  9. And finally you will need to change in the Directory entry attributes the User identifier from “inetOrgPerson” to “person”. This is specific to Active Directory. 

It is now time to run the synchronization and check that your users are imported.

Bastien_Laugiero_0-1618374041352.png

 

The information in this article is provided as-is and to be used at own discretion. Depending on tool(s) used, customization(s), and/or other factors ongoing support on the solution above may not be provided by Qlik Support.

 

Related Content 

 

Qlik Sense Enterprise on Windows
Thumbnail of Qlik Sense Enterprise on Windows
Qlik Sense Enterprise on Windows
Labels (2)
6,657 Views
Comments
Filippo_Nicolussi_P
Support
Support
‎2021-10-27 02:36 PM

Hi Johann 

Just a little follow-up on a Active Directory perspective; based on the official site DC returns only 5000 values in LDAP response - Windows Server | Microsoft Docs there are some hardcoded limitations introduced:

"Internal LDAP limitations have been introduced in Windows Server 2008 R2 and Windows Server 2008 to prevent overloading the domain controller. These limits overwrite the LDAP policy setting when the policy value should be higher" 

with hardcoded MaxPageSize=20000 and MaxValRange=5000  .

 

Many thanks.

Filippo 

jchoucq
Partner - Creator III
Partner - Creator III
‎2021-11-02 09:12 AM

Thank you @Filippo_Nicolussi_P 

For a specific need my customer changed the MaxPageSize in the past to 30000, but even with this high threshold, this is not enough in our context.

With the "use optimized query", in the debug log, in can find than the last ldap filter executed by qlik sense is (objectClass=group) what seems far too broad and not in line with what we asked for.

Johann

rakeshshah
Partner - Creator
Partner - Creator
‎2022-11-17 07:10 PM

Thank you for the article and details. What I would like to know is once this has been setup will the users get a SSO experience or be prompted to enter username and password depending on the domains?

Alternatively what I'm trying to do is have an SSO experience for two domains - is this possible? It is currently SSO for the domain the Server is installed with, but not for Domain B

Thanks

Rakesh

Sonja_Bauernfeind
Digital Support
Digital Support
‎2022-11-23 03:43 AM

Hello @rakeshshah 

Authentication in this case is still being carried out by Windows and if Windows requires a prompt, a prompt will be displayed. You would likely need to build an independent single sign on system in front of both domains to achieve this. 

Please post about your requirements in our forums: Deployment and Management 

All the best,
Sonja 

Version history
Last update:
‎2022-06-02 06:27 AM
Updated by:
Digital Support