- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sync Active Directory users from multiple domains with Advanced LDAP - Qlik Sense Enterprise on Windows
Jun 2, 2022 6:27:33 AM
Apr 14, 2021 12:26:42 AM
Historically, in order to load users member from multiple Active Directory Domains was not possible with a single User Directory Connector. It was required to create one User Directory Connector per domain making the Active Directory administration more complex for the IT Team.
Starting from Qlik Sense September 2020, it is now possible to achieve this with Advanced LDAP.
Starting on Qlik Sense February 2021, multiple domain names are synchronized instead of allowing for duplicate users with the real domain name to populate when they login. (Look for QB-2187)
Environment
- Qlik Sense Enterprise on Windows , September 2020 and higher
Requirement(s):
- Make sure there full trust between the different Active Directory Domains in the same forest.
Steps:
- In one of the domain, create an Active Directory Universal Security group and add the list of users from multiple domains you want to sync into Qlik Sense.
- Then go to QMC -> User Directory Connector and create an Advanced LDAP Connection
- Provide a name and user directory name
- Uncheck the box “Sync user data for existing users” so that we can import new users into Qlik Sense
- In the host section, you will need to point to the Global Catalog port which is 3268 for LDAP and 3269 for LDAPS by default so that the sync can capture user through the entire forest.
- Add a username and password to connect to the Global Catalog.
- The base DN here is important as it needs to refer to the forest name in order to navigate through the child domains.
- You can then add an LDAP filter to load the user member of the group you created earlier. Make sure that the rootAdmin accounts used to manage Qlik Sense are not excluded by the new LDAP filter. More information under How to avoid the RootAdmin(s) from becoming inactive
- And finally you will need to change in the Directory entry attributes the User identifier from “inetOrgPerson” to “person”. This is specific to Active Directory.
It is now time to run the synchronization and check that your users are imported.
The information in this article is provided as-is and to be used at own discretion. Depending on tool(s) used, customization(s), and/or other factors ongoing support on the solution above may not be provided by Qlik Support.
Related Content
- Qlik Sense on Windows: Configuring and testing LDAP filters for User Directory Connector
- User directory connectors Advanced LDAP properties - Qlik Sense for administrators
- Qlik Sense : Example of a LDAP filter to sync users in a group
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
Hello @Bastien_Laugiero
thank you very much for this great article.
I'm trying to use this advanced Ldap connector in my customer environement, and i always get the same error in the log file :
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
Hello @jchoucq
This is dependent on the source.
On the Qlik end you can set advanced UDC settings, see Advanced UDC Settings for details.
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
thanks for your answer. Yes, we tried, among other things, to change Page size (2000, or 4000 ...)
We are connecting to an active directory global catalog, and the experts with me do not understand either this limit size error message 😞
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
Let me see if I can get an SME to give this a look, This is what we have on that issue for you: How to configire Maxpagesize in LDAP server to avoid a "The size limit was exceeded" or a "QVX_UNEXP... - but if that does not help, I'd recommend posting the question over in the relevant forums where you can make use of our active community and our agents. Think this one is the right one: Deployment and Management.
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
Thanks a lot @Sonja_Bauernfeind
I saw this article yesterday, i'm going to insist on my client to take a closer look at it.
For information i already created a message on the partner teams. Do you think it will be better to post the question in the forum too ?
Thanks again.
Johann
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
I think the forums are always a great idea! You'll get the input from a lot more people there.
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
For information, i noticed that the Ldap Filter you add in the "Search Ldap Filter" property is not exactly what will be executed by Qlik Sense. Let's assume we write "MyLdapFilter", here is what we can find in debug log file :
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
The "|" and "(objectClass=group)" is added by design when you use Active Directory to get all the Group Attribute.
In recent version there is an option called "Use optimized query" to change the mode to retrive the Groups in case you use instead Generic LDAP or Advanced LDAP UDC Configuration.
If with the Generic/Advanced LDAP configuration and the option "Use Optimized query" you still don't get all the attribute for the page size issue an alternate SSO / UDC could be evaluated/studied with our Professional Services.
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
hi @Filippo_Nicolussi_P , thank you very much for your answer.
With the propery "optimized query" we go further in the process, but at the end we still get an error.
indeed, ti seems that they are many steps, first, it adds users respecting the filter, that is correct. But after, for the groups, it seems looping to get all the groups from the groups it detected in the precedent ldap request, regardless the initial filter.
In our case, this is why it goes over the page size ... the customer ldap experts do not understand why, as what is done for users, the groups it tries to get back do not respect the initial LDAP Filter.
Thanks again
Johann