Qlik Community

Knowledge

Search or browse our knowledge base to find answers to your questions ranging from account questions to troubleshooting error messages. The content is curated and updated by our global Support team

Announcements
Now Live: Qlik Sense SaaS Simplified Authoring – Analytics Creation for Everyone: READ DETAILS

Qlik Sense on Windows: Configuring and testing LDAP filters for User Directory Connector

cancel
Showing results for 
Search instead for 
Did you mean: 
Andre_Sostizzo
Digital Support
Digital Support

Qlik Sense on Windows: Configuring and testing LDAP filters for User Directory Connector


This article goes over how to use LDAP filters and common examples when setting up Qlik Sense User Directory Connector (UDC).

Note: Qlik Support has no scope in assisting in composing an LDAP filter that fits the environment needs. If further assistance is needed please see How and When to Contact the Consulting Team? AD and Qlik Sense must be within the same Domain. If different domains refer to this article Users of a different Active Directory, but with membership to a group in the same Domain as the Qlik...

Environment:

  • Qlik Sense Enterprise on Windows, all versions

 

Resolution:
 

Click here for Video Transcript

Notes:

  • Although this article is using AD as an example, it should also apply to other Directory Services that are compatible with LDAP
  • Although this example only filters users based on one single Group, more complicated filters are also supported in Qlik Sense. Please make sure the filter returns desired result before applying it to Directory Connector.

1. (Optional) Create a group that the filter will be based on. For example, "SenseUsers" group with 4 users is created in AD:

2. Recommended: Mark all RootAdmins as Delete Prohibited to prevent locking oneself out of the QMC, see How to avoid the RootAdmin(s) from becoming inactive

3. In this article, we will use native Windows tools to preview the LDAP query. Third party tools like LDAP Admin or LDAP Browser by Softerra are also valid tools to use.

4. On the Windows Server, open the Server Manager:

5. Click on Manage then Add Roles and Features:

1.png

6. If Before You Begin is displayed, click Next

7. On Installation Type, select Role-based or feature-based installation:2.png

8. On Server Selection, select the server that you are working with

9. Next navigate to Features, and select the Active Directory Administrative Center option:

3.png

10. Confirm that this is the feature(s) that you want to install and allow the installation to complete

11. After the installation completes, Click Start then select Administrative Tools and open the Active Directory Users and Computers module

12. The main domain that the server is on should automatically be present, so right click on the domain and select Find:

4.png

 

13. In the Find section select Custom Search:

5.png

 

14. Write out your potential LDAP filter and ensure that it selects all the expected users:

6.png

 

15. Once you have an LDAP filter which works correctly outside of Qlik Sense, then navigate in the QMC to User Directory Connectors > edit the pre-existing Active Directory Connector > ensure that the Advanced section is displayed and paste in the LDAP filter. At this step you should unselect the Sync user data for existing users toggle:

7.png

 

16. The rationale for unselecting the Sync user data for existing users toggle is as follows. If you are already filtering the results from AD, then it makes sense to pull in the entire set of the filtered subset of users. This step isn't strictly speaking required but if you opt for the route of using an LDAP filter then it makes logistical sense to pull in all the users in the filtered subset.

17. Save the changes and go back to the root of the User Directory Connectors section and sync the altered Connector:

8.png
 
 

Some common filters:

  • All users: (&(objectCategory=person)(objectClass=user))
    • Caution: do NOT use this filter on an LDAP with a lot of users. Too many users loaded to Qlik Sense could cause performance problem and once they are imported it will be difficult to remove them.
  • All users in a specific group:  (&(objectClass=user)((memberOf:1.2.840.113556.1.4.1941:=CN=NameOfTheGroup,CN=Users,DC=domain,DC=local)))
  • User with a specific natural name:  (&(objectCategory=person)(objectClass=user)(CN=FirstName LastName))
    • For example, if a user is called John Doe, the filter to look for him can be: (&(objectCategory=person)(objectClass=user)(CN=John Doe))
  • User with a specific login name: (&(objectCategory=person)(objectClass=user)(sAMAccountName=LoginName))
    • For example, if John Doe's login name is DOMAIN\JDOE in the system, the filter to look for him can be: (&(objectCategory=person)(objectClass=user)(sAMAccountName=jdoe))
  • The filter used by QlikView Active Directory Connector when performing a user search(replace KEYWORD with actual search phrase):
    • (&(|(name=KEYWORD)(sAMAccountName=KEYWORD))(&(!(objectclass=computer))(objectGUID=*))(|(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))(|(objectClass=User)(objectClass=person))))

 

Related Content:

Version history
Last update:
‎2021-06-21 01:20 PM
Updated by: