Skip to main content

Qlik

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Woohoo! Qlik Community has won “Best in Class Community” in the 2024 Khoros Kudos awards!
Announcements
Nov. 20th, Qlik Insider - Lakehouses: Driving the Future of Data & AI - PICK A SESSION

Sync Active Directory users from multiple domains with Advanced LDAP - Qlik Sense Enterprise on Windows

No ratings
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Bastien_Laugiero
Support
Support

Sync Active Directory users from multiple domains with Advanced LDAP - Qlik Sense Enterprise on Windows

Last Update:

Jun 2, 2022 6:27:33 AM

Updated By:

Andre_Sostizzo

Created date:

Apr 14, 2021 12:26:42 AM

Historically, in order to load users member from multiple Active Directory Domains was not possible with a single User Directory Connector. It was required to create one User Directory Connector per domain making the Active Directory administration more complex for the IT Team. 

Starting from Qlik Sense September 2020, it is now possible to achieve this with Advanced LDAP. 

Starting on Qlik Sense February 2021, multiple domain names are synchronized instead of allowing for duplicate users with the real domain name to populate when they login. (Look for QB-2187)

Environment

 

Click Here Video Transcript

Requirement(s):

  • Make sure there full trust between the different Active Directory Domains in the same forest.

Steps:

  1. In one of the domain, create an Active Directory Universal Security group and add the list of users from multiple domains you want to sync into Qlik Sense.
  2. Then go to QMC -> User Directory Connector and create an Advanced LDAP Connection
  3. Provide a name and user directory name
  4. Uncheck the box “Sync user data for existing users” so that we can import new users into Qlik Sense
  5. In the host section, you will need to point to the Global Catalog port which is 3268 for LDAP and 3269 for LDAPS by default so that the sync can capture user through the entire forest.
  6. Add a username and password to connect to the Global Catalog.
  7. The base DN here is important as it needs to refer to the forest name in order to navigate through the child domains.
  8. You can then add an LDAP filter to load the user member of the group you created earlier. Make sure that the rootAdmin accounts used to manage Qlik Sense are not excluded by the new LDAP filter. More information under How to avoid the RootAdmin(s) from becoming inactive  
  9. And finally you will need to change in the Directory entry attributes the User identifier from “inetOrgPerson” to “person”. This is specific to Active Directory. 

It is now time to run the synchronization and check that your users are imported.

Bastien_Laugiero_0-1618374041352.png

 

The information in this article is provided as-is and to be used at own discretion. Depending on tool(s) used, customization(s), and/or other factors ongoing support on the solution above may not be provided by Qlik Support.

 

Related Content 

 

Qlik Sense Enterprise on Windows
Thumbnail of Qlik Sense Enterprise on Windows
Qlik Sense Enterprise on Windows
Labels (2)
11,433 Views
Was this article helpful? Yes No
Comments
jchoucq
Partner - Creator III
Partner - Creator III
‎2021-10-20 05:16 AM

Hello @Bastien_Laugiero 

thank you very much for this great article.

I'm trying to use this advanced Ldap connector in my customer environement, and i always get the same error in the log file :

Exception when fetching data from 'MyDomain' of type Repository.UserDirectoryConnectors.LDAP.AdvancedLDAP The size limit was exceeded↵↓Couldn't retrieve users from directory: 'MyDomain' of type Repository.UserDirectoryConnectors.LDAP.AdvancedLDAP
 
even with an ldap filter that send very few users, it is the same. What size are we talking about here ?
Have a goo dat.
 
Johann
Sonja_Bauernfeind
Digital Support
Digital Support
‎2021-10-20 07:54 AM

Hello @jchoucq 

This is dependent on the source. 

On the Qlik end you can set advanced UDC settings, see Advanced UDC Settings for details.

jchoucq
Partner - Creator III
Partner - Creator III
‎2021-10-20 08:20 AM

Hi @Sonja_Bauernfeind 

thanks for your answer. Yes, we tried, among other things, to change Page size (2000, or 4000 ...)

We are connecting to an active directory global catalog, and the experts with me do not understand either this limit size error message 😞

 

Sonja_Bauernfeind
Digital Support
Digital Support
‎2021-10-20 08:38 AM

Let me see if I can get an SME to give this a look, This is what we have on that issue for you: How to configire Maxpagesize in LDAP server to avoid a "The size limit was exceeded" or a "QVX_UNEXP...  - but if that does not help, I'd recommend posting the question over in the relevant forums where you can make use of our active community and our agents. Think this one is the right one:  Deployment and Management.

jchoucq
Partner - Creator III
Partner - Creator III
‎2021-10-20 08:47 AM

Thanks a lot @Sonja_Bauernfeind 

I saw this article yesterday, i'm going to insist on my client to take a closer look at it.

For information i already created a message on the partner teams. Do you think it will be better to post the question in the forum too ?

Thanks again.

Johann

Sonja_Bauernfeind
Digital Support
Digital Support
‎2021-10-20 09:55 AM

I think the forums are always a great idea! You'll get the input from a lot more people there. 

jchoucq
Partner - Creator III
Partner - Creator III
‎2021-10-21 03:49 AM

just did it 🙂

https://community.qlik.com/t5/Deployment-Management/Sync-Active-Directory-users-from-multiple-domain...

thanks a lot @Sonja_Bauernfeind 

jchoucq
Partner - Creator III
Partner - Creator III
‎2021-10-22 05:54 AM

For information, i noticed that the Ldap Filter you add in the "Search Ldap Filter" property is not exactly what will be executed by Qlik Sense. Let's assume we write "MyLdapFilter", here is what we can find in debug log file : 

(|(&(objectClass=person)(MyLdapFilter))(objectClass=group))
 
this is a problem in my case, because this filter gets backs too many groups i never asked for !
 
Surprising, this is not the same behaviour with Active Directory connector which change your Ldap filter in 
(&(objectCategory=person)(MyLdapFilter))
 
@Sonja_Bauernfeind @Bastien_Laugiero have you got an idea of what can be done to try to fix that ?
Thanks a lot.
johann
Filippo_Nicolussi_P
Support
Support
‎2021-10-27 09:14 AM

The "|"  and "(objectClass=group)" is added by design when you use Active Directory to get all the Group Attribute. 

In recent version there is an option called "Use optimized query" to change the mode to retrive the Groups in case you use instead Generic LDAP or Advanced LDAP UDC Configuration. 

If with the Generic/Advanced LDAP configuration and the option "Use Optimized query" you still don't get all the attribute for the page size issue an alternate SSO / UDC could be evaluated/studied with our Professional Services. 

jchoucq
Partner - Creator III
Partner - Creator III
‎2021-10-27 11:25 AM

hi @Filippo_Nicolussi_P , thank you very much for your answer.

With the propery "optimized query" we go further in the process, but at the end we still get an error.

indeed, ti seems that they are many steps, first, it adds users respecting the filter, that is correct. But after, for the groups, it seems looping to get all the groups from the groups it detected in the precedent ldap request, regardless the initial filter.

In our case, this is why it goes over the page size ... the customer ldap experts do not understand why, as what is done for users, the groups it tries to get back do not respect the initial LDAP Filter.

Thanks again

Johann

Version history
Last update:
‎2022-06-02 06:27 AM
Updated by:
Digital Support