This video is part of the Qlik Fix Video series. If you found this video useful, check out the other Qlik Fix Videos.
This video will demonstrate how to synchronize users from multiple domains that are members of an Active Directory Universal group with Qlik Sense Enterprise on Windows.
Here is a link to more information in the Support Knowledge Base:
Qlik Fix: Sync Active Directory users from multiple domains with Advanced LDAP - Qlik Sense Entrepri...
Hi and Welcome to Qlik Fix!
This video will demonstrate how to synchronize users from multiple domains that are members of an Active Directory Universal group.
Since the September 2020 release of Qlik Sense, it is now possible to sync users belonging to multiple domains with a single User Directory Connector, which simplifies administration.
Let’s start by opening “Active Directory Domains and Trust” and check our current setup.
Here we have the root forest domain called “domain.local” and a trusted domain2.local domain. Each domain has its own set of users that need to be synchronized with Qlik Sense.
An important requirement for Qlik Sense to work with multiple domains is the full bidirectional trust enabled between the domains.
Here we create an Active Directory Universal Security Group called “Qlik_Sense_Users”, and add users from both domain.local and domain2.local.
Next on this newly installed Qlik Sense server without any synchronized users or a Directory Connector, we’ll create a new Advanced LDAP connector.
In this example we’ll name it “Domain” to match the domain name where our group was created.
Uncheck the box “Sync user data for existing users” so that we can import new users into Qlik Sense.
Then, for Host set it to the domain that hosts the Global Catalog server containing the AD group. We will use the default Global Catalog LDAP port 3268. <annotation> Note port for LDAPS is 3269. If you point to the default LDAP port 389, the sync will only be able to import users belonging to domain.local.
Make sure to setup with a Windows account that has proper permission to access directory information in Activity Directory.
The base DN here is important, and should include both domains. Otherwise, only users under the DN specified will be retrieved. In this example we set it to “dc=local” which both domains are found under. <Annotation> e.g: setting to “dc=domain2,dc=local” would retrieve users from domain2 only.
We’ll pick the default Page size of 2000 results per synch request.
Then set an LDAP filter to load users from the specific Active Directory group we created earlier. For more information on setting LDAP filters take a look at this knowledge base article in Qlik Community.
As our final step, change in the Directory entry attribute for “User identifier” from the general LDAP standard “inetOrgPerson” to Active Directory standard “person”, as the identifier for users.
Apply the settings and start the Sync task.
We see that the new users are imported from both example domains.
If you’d like more information,
Take advantage of the expertise of peers, product experts, and technical support engineers
by asking a question in a Qlik Product Forum on Qlik Community.
Or search for answers using the new SearchUnify tool.
It searches across our Knowledge Base, Qlik Help, Qlik Community, Qlik YouTube channels and more, all from one place.
Also check out the Support Programs space.
Here you can learn directly from Qlik experts via a Support webinar, like Techspert Thursdays.
And don’t forget to subscribe to the Support Updates Blog.
Thanks for watching.
Attached is a downloadable .mp4 video file for those who cannot view YouTube videos.