How to test if the LDAP Filter is returning the expected users

Version: 1
Date: 2015-11-06

"A best practice is a technique or methodology that, through experience and research, has proven to reliably lead to a desired result."

Disclaimer: Please be aware that this document is not supported and is meant only as a guide. Individual environments may require adjustments for things to work correctly. This will/may require altering and customizing code shipped with QlikView Server/Sense Enterprise. All customization is done at your own risk and is not covered by Qlik Support or Maintenance Agreements. Please back up any files prior to modification.

Table of Contents

1 Introduction

1.1 Setup to test LDAP filter

1.1.1 Using MMC to view Active Directory Users and Computers snap-in

2 Testing an LDAP Filter

2.1 It is all about the syntax

2.1.1 Using the MMC to ensure the LDAP filter returns what is expected

2.2 Using LDAP Filter in Qlik Sense

1 Introduction

When working with Qlik Sense, there are a few ways to get users into the Users section of the QMC.

When a user accesses the Sense Hub, they will automatically be added to the Users section. This does not mean they will be given a token (User or Login access) automatically; that is material for another document and is not covered here.

Once the Active Directory (AD) is created, the users in the AD can be pulled in. However, without a filter, ALL the users in the AD will be pulled in. If you have thousands of users, this is probably not the optimal situation.

Option one is good, but users have to first access the hub. Option two is problematic as there may be users in your table structure that really need not be there.

Using an LDAP filter to import only the necessary users is a good alternative. The purpose of this document is to outline how to test an LDAP filter before applying it to Qlik Sense, so that you can confirm the correct users will be imported.

LDAP filters can vary in need and syntax. This document will not go into how to determine your particular string, but will cover how to test that it is correct and functional. Individual IT departments should be able to assist in the creation, etc. Additionally, there are several resources online that may assist with the creation.

Here is a helpful link:

http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx

1.1 Setup to test LDAP filter

1.1.1 Using Microsoft Management Console (MMC) to view Active Directory Users and Computers snap-in

Disclaimer – Company policy, etc. may prevent the installation and configuration of items outlined below. It may be necessary to contact local IT resources to provide the proper syntax.

The items below are based upon a Windows 7 desktop, but apply to Windows Server 2008/R2 and 2012/R2 as well.

1. On the Windows 7 machine, it is necessary to install the Remote Server Administration Tools for Windows 7 with Service Pack 1 (SP1): http://www.microsoft.com/en-us/download/details.aspx?id=7887

2. Once the installation is complete, the following steps need to be completed:

a. From Start > Run, type MMC and press enter.

b. The MMC will be presented.

c. Click File > Add/Remove Snap-in...

d. Select Active Directory Users and Computers and click Add, the selection will be placed in the right-hand window.

e. Select OK.

f. The following dialog will be presented.

g. Expand Active Directory Users and Computers

h. The Active Directory Listing will appear

i. The snap-in needed to check your LDAP filter has been successfully added.

2 Testing an LDAP Filter

2.1 It is all about the syntax

2.1.1 Using the MMC to ensure your LDAP filter returns what you expect

Creating an LDAP filter can be complicated, and the assistance of IT or a Google search may be required to get the syntax correct. This document is not meant to be a primer on LDAP syntax, but with a bit of trial and error things can generally be resolved.

When creating an LDAP filter, the purpose is generally to pull only a subset of users. To make things easier, it is helpful if a group for Sense users is created. This way a single item may be referenced, and as users are added to the group they will be pulled in when the LDAP synchronizes.

The following steps outline how to test a potential LDAP filter and verify the correct Users are returned.

1. With the MMC opened in the steps above, right-click the domain name and select Find

2. The following dialog will be presented showing Find Users, Contact, and Groups

3. In the Find Box, change the drop-down to Custom Search

4. Change the tab selection from Custom Search to Advanced

5. An LDAP query may now be pasted in the dialog to be tested

6. The example below will search for users in a Group named SenseUsers:

(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=SenseUsers,CN=Users,DC=domain,DC=local))

a. Multiple groups may be queried as well, here SenseUsers and SenseUsers2:

(&(objectClass=user)(|(memberOf:1.2.840.113556.1.4.1941:=CN=SenseUsers,CN=Users,DC=domain,DC=local)(memberOf:1.2.840.113556.1.4.1941:=CN=SenseUsers2,CN=Users,DC=domain,DC=local)))

b. Additionally, searches for groups within organizational units (OU) may be carried out:

(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=Blah,OU=Groups,OU=Medical Center,OU=UCSD Healthcare,DC=domain,DC=local))

7. Almost any type of filter string can be tested to verify if the correct users are returned before applying the filter in Sense.

8. There are several tools that can be used to help create your syntax; a Google search for LDAP browser provides a good list of tools. Sysinternals has Active Directory Explorer, which works quite well.

https://technet.microsoft.com/en-us/sysinternals/bb963907.aspx

This is not a recommendation of any particular tool over any other.

Keep in mind if the Windows search returns no users or errant results, these will be the same results in Sense.
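An offline pre-check for filter strings like the ones above, given here as an added example that is not part of the original document or of any Qlik or Microsoft tooling: a small parser for the LDAP filter syntax (RFC 4515) that rejects unbalanced or malformed filters, lists the group DNs the filter references, and flags values containing whitespace that copy/paste or line wrapping may have introduced. The function names and the SAMPLE string are constructed for illustration; the check covers syntax only and does not query Active Directory.

```python
def _parse(s, i):
    """Parse one parenthesised filter at s[i]; return (node, next index)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if not kids or (op == "!" and len(kids) != 1):
            raise ValueError("wrong number of operands for %r" % op)
        node = (op, kids)
    else:
        # An unterminated term runs to end of string and is reported below.
        end = s.find(")", i) if ")" in s[i:] else len(s)
        attr, sep, value = s[i:end].partition("=")
        if not sep or not attr or "(" in value:
            raise ValueError("malformed term %r" % s[i:end])
        node, i = ("item", attr, value), end
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return node, i + 1

def parse_filter(text):
    """Parse a whole filter into nested tuples, or raise ValueError."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("unexpected text at offset %d" % pos)
    return node

def items(node):
    """Yield every (attribute, value) term in a parsed tree."""
    if node[0] == "item":
        yield node[1], node[2]
    else:
        for kid in node[1]:
            yield from items(kid)

def review(text):
    """Return (group DNs named by memberOf terms, values with suspect spaces)."""
    terms = list(items(parse_filter(text)))
    groups = [v.strip() for a, v in terms if a.lower().startswith("memberof")]
    suspect = [v for a, v in terms if v != v.strip() or ", " in v]
    return groups, suspect

# Constructed input: a single-group filter with a stray space after a comma.
SAMPLE = ("(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:="
          "CN=SenseUsers,CN=Users, DC=domain,DC=local))")
```

A group name that itself contains parentheses must be written with the RFC 4515 escapes `\28` and `\29`; an unescaped parenthesis in a value is reported as a malformed term.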

2.2 Using LDAP Filter in Sense

The LDAP filter now needs to be applied in Sense via the QMC so users are filtered and loaded correctly.

1. Open the QMC for the environment

2. Navigate to Start > User Directory Connectors, edit your Active Directory entry.

3. Once in the AD entry, select the Advanced option. This allows for the entry of the filter into the Additional LDAP filter field.

4. Paste the filter into the field. Ensure the option for User Sync Settings: Fetch user data on first access, then keep in sync is unchecked. By unchecking this option, the users will be retrieved as outlined by the filter and they will populate the Users section of the QMC (leaving it checked will only sync users already in the section).

5. Click Apply

6. As seen below the example filter retrieves four users from two groups (SenseUsers and SenseUsers2)

Those users do not exist in the Users section of the QMC, with the exception of User1.

7. To get the users into Sense, the sync task for the Active Directory connector needs to be executed.

a. Go to Start > Tasks

b. Select the Task for the Active Directory connector

c. Start the task

8. Once the task has completed, check that the Users section contains the users that have been synchronized.

Note: Any users that were already in the Users section will remain; the filter will not remove them.

9. If new users are added and should be picked up by the filter, they will not show in the Users section until the synchronization task is run again (either manually or via schedule).

a. Conversely, to remove a user, they must be manually removed via the Users section of QMC. It is highly recommended that any user access licenses assigned to the user be removed (quarantined) prior to deleting the user.