Although this article is using AD as an example, it should also apply to other Directory Services that are compatible with LDAP
Although this example only filters users based on one single Group, more complicated filters are also supported in Qlik Sense. Please make sure the filter returns desired result before applying it to Directory Connector.
1. (Optional) Create a group that the filter will be based on. For example, "SenseUsers" group with 4 users is created in AD:
3. In this article, we will use native Windows tools to preview the LDAP query. Third party tools like LDAP Admin or LDAP Browser by Softerra are also valid tools to use.
4. On the Windows Server, open the Server Manager:
5. Click on Manage then Add Roles and Features:
6. If Before You Begin is displayed, click Next
7. On Installation Type, select Role-based or feature-based installation:
8. On Server Selection, select the server that you are working with
9. Next navigate to Features, and select the Active Directory Administrative Center option:
10. Confirm that this is the feature(s) that you want to install and allow the installation to complete
11. After the installation completes, Click Start then select Administrative Tools and open the Active Directory Users and Computers module
12. The main domain that the server is on should automatically be present, so right click on the domain and select Find:
13. In the Find section select Custom Search:
14. Write out your potential LDAP filter and ensure that it selects all the expected users:
15. Once you have an LDAP filter which works correctly outside of Qlik Sense, then navigate in the QMC to User Directory Connectors > edit the pre-existing Active Directory Connector > ensure that the Advanced section is displayed and paste in the LDAP filter. At this step you should unselect the Sync user data for existing users toggle:
16. The rationale for unselecting the Sync user data for existing users toggle is as follows. If you are already filtering the results from AD, then it makes sense to pull in the entire set of the filtered subset of users. This step isn't strictly speaking required but if you opt for the route of using an LDAP filter then it makes logistical sense to pull in all the users in the filtered subset.
17. Save the changes and go back to the root of the User Directory Connectors section and sync the altered Connector:
Some common filters:
All users: (&(objectCategory=person)(objectClass=user))
Caution: do NOT use this filter on an LDAP with a lot of users. Too many users loaded to Qlik Sense could cause performance problem and once they are imported it will be difficult to remove them.
All users in a specific group: (&(objectClass=user)((memberOf:1.2.840.1135220.127.116.111:=CN=NameOfTheGroup,CN=Users,DC=domain,DC=local)))
User with a specific natural name: (&(objectCategory=person)(objectClass=user)(CN=FirstName LastName))
For example, if a user is called John Doe, the filter to look for him can be: (&(objectCategory=person)(objectClass=user)(CN=John Doe))
User with a specific login name: (&(objectCategory=person)(objectClass=user)(sAMAccountName=LoginName))
For example, if John Doe's login name is DOMAIN\JDOE in the system, the filter to look for him can be: (&(objectCategory=person)(objectClass=user)(sAMAccountName=jdoe))
The filter used by QlikView Active Directory Connector when performing a user search(replace KEYWORD with actual search phrase):