Hello Folks,
I have an NPrinting User-Group import task with LDAP configured (Windows AD on premise). It works great with users, groups and roles. The settings option 'Remove users not present in newest sources' is also working. Users disappear after the sync if they are not in the given AD-groups anymore.
My problem (or maybe my misunderstanding) is that the existing user associations (e.g. in roles and groups) should also be replaced if a user changes role, for instance from user to developer, and for that reason I activated the settings option for that behavior: 'Replace existing user associations (filters, roles, and groups)'. Of course, if I were involved as server admin I could make the change manually. But the Active Directory team is originally responsible for that change process, so a change in user association may happen hidden in the background.
After testing and also after real execution of this import task I'm facing an error:
Import data failed. ERROR: There must be at least one active user with administrative rights able to login.
My own user with admin rights is also assigned in the AD-Groups.
I sync all the following AD-Groups in one task (but I also tried this, with the same result, in an extra task per group).
NPrinting-Administrator
NPrinting-Developer
NPrinting-NewsStand-User
NPrinting-User
Is there a solution for that?
I appreciate all hints.
Mimo
Hi,
In Qlik NPrinting there must always be a user with the administrator role. You cannot delete all users with that role, otherwise you will no longer be able to administer the installation. For some reason, you are trying to remove the administrator role from all users that have it.
Manually create a different user with the administrator role outside the LDAP import. Please remember its credentials. It must not be modified by the user import task, and you will be able to use it to manage the server every time you need to.
Best Regards,
Ruggero
Thanks a lot Ruggero 👍
That problem is solved!
You mentioned an additional non-LDAP account. Unfortunately, it didn't work out either. This account is assigned to a copied admin role, but it seems to pay attention to the original "Administrator" role. In order not to have to work with additional admin accounts, I have now used an additional user filter to filter out the special admin domain account assigned to the original administrator role. And it works now.
I now use an additional user filter to filter out a special admin domain account,
e.g. with the LDAP field samAccountName like this:
(!samaccountname=***<user account name>***)
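
A read-only way to preview which accounts remain in scope for each of the four groups once the exclusion filter above is applied, before enabling 'Replace existing user associations' (added example, not part of the thread and not Qlik code). It assumes the ActiveDirectory PowerShell module is available, builds the combined filter only for this preview, and writes the NOT clause in the RFC 4515 form with inner parentheses; the account name is a placeholder.

```powershell
# Added example: preview the effect of the exclusion filter against AD.
# Read-only; nothing is changed in AD or in NPrinting.
Import-Module ActiveDirectory

# Group names as listed in the thread.
$groups = 'NPrinting-Administrator', 'NPrinting-Developer',
          'NPrinting-NewsStand-User', 'NPrinting-User'

# Placeholder: the admin domain account the import task must not touch.
$excluded = '<user account name>'

$report = foreach ($name in $groups) {
    $dn = (Get-ADGroup -Identity $name).DistinguishedName

    # memberOf matches direct membership only; nested groups are not resolved.
    # Assumption: the DN contains no characters that need LDAP filter escaping.
    $all      = @(Get-ADUser -LDAPFilter "(&(objectClass=user)(memberOf=$dn))")
    $filtered = @(Get-ADUser -LDAPFilter "(&(objectClass=user)(memberOf=$dn)(!(sAMAccountName=$excluded)))")

    [pscustomobject]@{
        Group            = $name
        Members          = $all.Count
        InScopeForImport = $filtered.Count
        EnabledInScope   = @($filtered | Where-Object Enabled).Count
        # True means the filter really removed the protected account here.
        ExcludedAccount  = ($all.SamAccountName -contains $excluded) -and
                           -not ($filtered.SamAccountName -contains $excluded)
    }
}

$report | Format-Table -AutoSize

# The protected account must never appear in any filtered result set.
$leak = foreach ($name in $groups) {
    $dn = (Get-ADGroup -Identity $name).DistinguishedName
    Get-ADUser -LDAPFilter "(&(memberOf=$dn)(sAMAccountName=$excluded))" |
        Where-Object { $_.SamAccountName -ne $excluded }
}
if ($leak) { Write-Warning 'Unexpected match for the excluded account filter.' }
```

Comparing `Members` with `InScopeForImport` per group shows exactly which role assignments the import task would still manage, and the `ExcludedAccount` column confirms the protected admin account is left out of the set the task can replace.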
Hi,
You can guarantee that an account with the administrator role is always available and active in the way you prefer. I suggested creating one manually to be sure it will never be deleted, or attempted to be deleted, by a user import task, because user import tasks can delete only accounts created by the same task. So a manually created administrator will never be deleted by a task.
Best Regards,
Ruggero
Hi Ruggero,
I have this additional emergency account, but it had no effect on LDAP synchronization if the main admin user was an LDAP user and is assigned to the original administrator role. The "Replace existing user associations (filters, roles, and groups)" settings option could not be used. That was my experience within a few hours of testing 😉
It's also a little bit tricky with settings like "Remove users not present in newest import sources" or "Replace existing user associations (filters, roles, and groups)": if the import task is for one role and you have a role filter (or user filter), then this role (user) seems to be not present and the assignment or user will be removed.
Regards
Mimo
PS: For the first solution I had created 3 import tasks. One per role ... without Administrator for simplification. Step by step till it meets the expectations. At the end I think/hope only one import task is necessary for doing the sync for all users and roles.