Qlik Data Catalyst enables enterprises to dynamically sync Qlik Data Catalyst-managed security with Active Directory (AD) identity services and domain management. LDAP protocol is used to connect to and obtain information from AD.
Qlik Data Catalyst does not allow updates to the external AD database. Fields are provided for connection description, location/credentials, and parameters to define search criteria for objects of interest.
This integration allows Qlik Data Catalyst Administrators to:
- Obtain summary counts of groups and users from AD.
- Update with AD groups (and users) either one time immediately, on a schedule set manually with the calendar feature, or on a recurrent user-defined schedule via Cron automation.
- Define, edit, or disable the AD synchronization schedule.
- Select whether the connection is to be made with SSL encryption.
- View, save, delete, edit all connections.
- View all logs relevant to synchronization tasks.
Qlik Data Catalyst allows a mix of AD/Kerberos and local users. User names and login credentials reflect this status. AD users log in with a fully qualified name at (@) the AD domain name (e.g., email@example.com or firstname.lastname@example.org) and their AD password, or with their user name and a selection from the AD domain dropdown. Local user login name/password credentials do not change. Local users log in with their credentials and choose None for the domain.
AD and Local Environment (Group and User) names
An AD username is always appended with the domain suffix. Username 'bbishop' will be appended to become 'bbishop@ad.QDCdata.net' when Qlik Data Catalyst syncs with AD.
A locally-created user bbishop and an AD user email@example.com are considered distinct and will not conflict. The AD user will be successfully created alongside the locally-created user when Qlik Data Catalyst syncs with AD.
An AD group will not be appended with a domain suffix so BriansGroup will be imported as BriansGroup — If a group with title BriansGroup already exists in the Qlik Data Catalyst metadata, the AD group will not be imported. If the administrator wants to keep both groups, they should rename the existing group then run the AD sync (example: BriansGroup1).
Users and groups are case-sensitive, so BriansGroup and briansgroup are distinct groups.
Creating an AD synchronization
To sync Qlik Data Catalyst with AD, select Add New Domain.
The following fields are required to sync Qlik Data Catalyst with an AD Database via LDAP server connection:
- Alias: Alternate name for Host/LDAP Server.
- Host: LDAP Server URL, a fully qualified domain name (ex. DC01.domainname.com).
- Port: The port that has been configured for the LDAP Server.
- Search Base: LDAP Search Base (the directory being searched, e.g., ad.qdcdata.net).
- User: LDAP Bind User Distinguished Name (user name configured for LDAP authentication).
- Password: LDAP Bind Password (password configured for LDAP authentication).
- Group Query: LDAP Select query for group object(s) of interest.
- Default domain (Checkbox): Check this box to set LDAP Server as default domain. Note: There can only be one default domain. This facilitates easier login for users in future releases.
- SSL (Checkbox): Check to enable Secure Sockets Layer (SSL) encryption of LDAP client/server communication.
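The fields above are the whole of what the product stores for a connection, so most misconfigurations can be caught before the first bind. The following added example (not Qlik Data Catalyst code; AdDomainConfig, check_domain_config and the sample values are assumptions) checks a domain definition and contrasts a weak definition (plaintext LDAP, unqualified host, empty password, malformed group filter) with a corrected one.

```python
"""Check an AD domain connection definition before saving it.

Added example, not Qlik code: the field names follow the form fields listed
above; AdDomainConfig, check_domain_config and the sample values are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List

@dataclass
class AdDomainConfig:
    alias: str
    host: str            # fully qualified name of the LDAP server
    port: int
    search_base: str     # directory being searched, e.g. "ad.qdcdata.net"
    bind_user: str       # LDAP bind user distinguished name
    bind_password: str
    group_query: str     # LDAP filter selecting the groups of interest
    ssl: bool = False
    default_domain: bool = False

# dot-separated labels, 253 characters in total, at most 63 per label
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z0-9-]{1,63}$", re.I)

def dns_to_search_base(dns_name: str) -> str:
    """'ad.qdcdata.net' -> 'DC=ad,DC=qdcdata,DC=net', the DN form an LDAP search uses.
    The form field takes the DNS-style name; this shows its DN equivalent."""
    return ",".join(f"DC={label}" for label in dns_name.strip().split(".") if label)

def ldap_url(cfg: AdDomainConfig) -> str:
    """URL the client would connect to; ldaps:// only when SSL is enabled."""
    return f"{'ldaps' if cfg.ssl else 'ldap'}://{cfg.host}:{cfg.port}"

def filter_is_balanced(flt: str) -> bool:
    """Cheap syntax check: an LDAP filter is parenthesised and its parentheses balance."""
    if not (flt.startswith("(") and flt.endswith(")")):
        return False
    depth = 0
    for ch in flt:
        depth += 1 if ch == "(" else -1 if ch == ")" else 0
        if depth < 0:
            return False
    return depth == 0

def check_domain_config(cfg: AdDomainConfig) -> List[str]:
    """Return a list of problems; an empty list means the definition is acceptable."""
    problems = []
    if not FQDN_RE.match(cfg.host):
        problems.append("host must be a fully qualified domain name")
    if not 1 <= cfg.port <= 65535:
        problems.append("port out of range")
    if not cfg.ssl:
        problems.append("SSL disabled: bind password and directory data cross the network in cleartext")
    elif cfg.port == 389:
        problems.append("SSL enabled on 389, the plaintext LDAP port (LDAPS is normally 636)")
    if not re.match(r"^\s*[A-Za-z]+=", cfg.bind_user):
        problems.append("bind user should be a distinguished name (CN=...,OU=...,DC=...)")
    if not cfg.bind_password:
        problems.append("bind password is empty")
    if not filter_is_balanced(cfg.group_query):
        problems.append("group query is not a well-formed LDAP filter")
    return problems

# Constructed sample definitions: one as it often arrives, one corrected.
WEAK = AdDomainConfig(alias="corp", host="DC01", port=389, search_base="ad.qdcdata.net",
                      bind_user="svc-qdc", bind_password="", group_query="(objectClass=group",
                      ssl=False)
HARDENED = AdDomainConfig(alias="corp", host="dc01.ad.qdcdata.net", port=636,
                          search_base="ad.qdcdata.net",
                          bind_user="CN=svc-qdc,OU=Service Accounts,DC=ad,DC=qdcdata,DC=net",
                          bind_password="<bind-password>",
                          group_query="(&(objectClass=group)(cn=QDC-*))", ssl=True)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, ldap_url(cfg), check_domain_config(cfg) or "OK")
```

The bind account only needs read access to the groups and users of interest; the group filter in the corrected definition narrows the import to groups whose name starts with a chosen prefix rather than every group in the directory.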
Once a connection has been successfully established, select Schedule.
A pop-up box will appear with two radio buttons next to One-Time Immediate or Recurring Synchronization:
- One Time Immediate will begin an AD synchronization.
- Recurring prompts the user to select either Choose Your Schedule or Custom Schedule. Users can define a schedule via the Calendar Scheduler or enter a Crontab expression to customize an automated schedule.
To choose a One Time Immediate synchronization, click the radio button indicated, then choose Run to start the synchronization with AD. The system displays results (see figure below) under the following headings:
- View Summary displays summary counts of groups and users from AD.
- View Synchronization Results lists the Users and Groups returned by the LDAP query.
- View Updates displays the updates made to Qlik Data Catalyst.
To complete the process, click Finish. The system will display a success message.
- To use the Calendar Scheduler for synchronization, choose Recurring, then choose the radio button Choose Your Schedule and enter the appropriate field information.
- To use a Crontab expression to create an automated schedule, choose Recurring, then select the radio button next to Custom Schedule and complete the entry with a Cron expression.
To initiate scheduling, click Finish.
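The Custom Schedule takes a standard five-field Crontab expression (minute, hour, day of month, month, day of week). The following added example, which is not part of Qlik Data Catalyst (parse_cron, cron_matches and next_run are assumed names), parses such an expression and computes when the schedule would next fire, which is a quick way to confirm an expression does what was intended before clicking Finish.

```python
"""Minimal five-field crontab parser and next-run calculator (added example, not Qlik code).

Fields: minute hour day-of-month month day-of-week (0-6, Sunday = 0).
Supports '*', lists 'a,b', ranges 'a-b', and steps '*/n' or 'a-b/n'.
"""
from datetime import datetime, timedelta
from typing import List, Set

FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 6)]

def _expand(spec: str, lo: int, hi: int) -> Set[int]:
    """Expand one field into the set of integer values it allows."""
    values = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step_s = part.split("/", 1)
            step = int(step_s)
            if step < 1:
                raise ValueError(f"bad step in {spec!r}")
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = int(part)
            end = hi if step > 1 else start   # '5/10' (common extension): from 5 in steps of 10
        if not (lo <= start <= end <= hi):
            raise ValueError(f"{part!r} outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values

def parse_cron(expr: str) -> List[Set[int]]:
    """Return [minutes, hours, days_of_month, months, days_of_week] as sets."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError("expected 5 fields: minute hour day-of-month month day-of-week")
    return [_expand(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_RANGES)]

def _cron_dow(when: datetime) -> int:
    # datetime.weekday() is Monday=0..Sunday=6; cron counts Sunday as 0
    return (when.weekday() + 1) % 7

def cron_matches(expr: str, when: datetime) -> bool:
    minute, hour, dom, month, dow = parse_cron(expr)
    return (when.minute in minute and when.hour in hour and when.day in dom
            and when.month in month and _cron_dow(when) in dow)

def next_run(expr: str, after: datetime, limit_days: int = 366) -> datetime:
    """First minute strictly after `after` at which the expression fires."""
    minute, hour, dom, month, dow = parse_cron(expr)
    t = after.replace(second=0, microsecond=0) + timedelta(minutes=1)
    end = t + timedelta(days=limit_days)
    while t < end:
        if t.month not in month or t.day not in dom or _cron_dow(t) not in dow:
            t = (t + timedelta(days=1)).replace(hour=0, minute=0)   # skip the whole day
            continue
        if t.hour not in hour:
            t = (t + timedelta(hours=1)).replace(minute=0)          # skip the whole hour
            continue
        if t.minute in minute:
            return t
        t += timedelta(minutes=1)
    raise ValueError(f"{expr!r} does not fire within {limit_days} days")

if __name__ == "__main__":
    # constructed example: sync at 02:30 on weekdays, asked on a Friday afternoon
    print(next_run("30 2 * * 1-5", datetime(2024, 1, 5, 12, 0)))   # 2024-01-08 02:30
```

Syncing outside business hours (as in the weekday 02:30 example) keeps the directory load and the window during which group membership changes take effect predictable; a very frequent schedule such as every minute mostly adds load and log volume.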
Preview synchronization results
After defining a schedule for AD synchronization, users can preview the updates. This view displays what is in AD for the User/Group Queries at that time; actual results are subject to changes in AD.
AD domain commands
Highlight the domain to be deleted in the left sidebar and select Delete Domain.
Highlight the domain in the left sidebar and select View Logs.
To edit a connection, highlight the domain to be edited in the left sidebar and select Edit. The Edit command unlocks all locked (gray) fields so that authorized users can edit them. To complete the edits:
- Choose Test Connection to make sure the edits preserve the server connection (the system displays a success message or error message).
- Choose Cancel to lock the fields without changes.
- To save the edits, choose Save.
Disable/enable controls are located at the bottom of the screen and indicate whether synchronization is active: Disable Schedule is displayed when a synchronization is scheduled and active; Enable Schedule is displayed when a schedule is in place but not active.
The optional User Query lets the administrator supply a more exclusive query that overrides the User Query the system generates dynamically from the Group Query results.
A User Query returns only users that exist in the groups returned by the Group Query.
Rules for import/filter of users and groups that already exist in Data Catalyst upon AD sync
When Qlik Data Catalyst runs a query on Active Directory, the query returns all groups/users from AD that match it (these are shown in the catalina.out logging). After the query is executed and results are returned, the results are filtered according to the following rules:
Groups: If a group exists under a different AD connection or exists locally, the group is ignored and is not added to the system again.
- The group name is searched to see whether it exists under some other AD connection or locally.
- If the name exists, the group is not made part of the results in the Sync Summary; the group count in the AD sync summary is therefore reduced by 1.
Users: If a user exists under a different AD connection or exists locally, the user is ignored and is not added to the system again.
- The user name is searched to identify whether it exists under some other AD connection or locally.
- If it exists, the user is not made part of the results; the user count in the AD sync summary is therefore reduced by 1.
- If the user has no groups on AD, the user is not made part of the results in the sync summary; the user count in the AD sync summary is therefore reduced by 1.
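The filtering rules above, together with the naming rules from the "AD and Local Environment (Group and User) names" section (domain suffix on users only, case-sensitive names, local and AD users of the same short name kept apart) and the User Query behaviour, can be modelled end to end. This is an added example and not Qlik Data Catalyst code: the input shape, the names AdQueryResult, ExistingState and filter_sync, and the sample directory contents are constructed, and treating "member of a group the Group Query returned" as the generated User Query is an assumption.

```python
"""Model of the AD-sync filtering rules (added example, not Qlik code).

The rules implemented are the ones the page states: users get '@domain' appended,
groups do not; names already present locally or under another AD connection are
skipped; users with no AD groups are skipped; comparisons are case-sensitive.
Assumption: a user must belong to at least one group the Group Query returned.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

@dataclass
class AdQueryResult:
    groups: List[str]                 # group names returned by the Group Query
    members: Dict[str, List[str]]     # short user name -> AD groups the user belongs to

@dataclass
class ExistingState:
    local_users: Set[str] = field(default_factory=set)
    local_groups: Set[str] = field(default_factory=set)
    other_ad_users: Set[str] = field(default_factory=set)   # already suffixed by their own domain
    other_ad_groups: Set[str] = field(default_factory=set)

@dataclass
class SyncSummary:
    groups_from_ad: int               # "View Summary" counts, before filtering
    users_from_ad: int
    groups_to_import: List[str]       # what "View Updates" would apply
    users_to_import: List[str]
    skipped: List[str]                # one reason per dropped object, for the sync log

def qualify_user(short_name: str, domain: str) -> str:
    """AD users are stored as 'name@domain'; groups keep their bare name."""
    return f"{short_name}@{domain}"

def filter_sync(result: AdQueryResult, existing: ExistingState, domain: str) -> SyncSummary:
    groups_ok, users_ok, skipped = [], [], []
    for g in result.groups:
        # exact, case-sensitive match: 'BriansGroup' and 'briansgroup' are different groups
        if g in existing.local_groups:
            skipped.append(f"group {g}: exists locally")
        elif g in existing.other_ad_groups:
            skipped.append(f"group {g}: exists under another AD connection")
        else:
            groups_ok.append(g)
    queried = set(result.groups)
    for short_name, ad_groups in result.members.items():
        full = qualify_user(short_name, domain)   # 'bbishop' and 'bbishop@domain' never collide
        if not ad_groups:
            skipped.append(f"user {full}: no groups on AD")
        elif not queried.intersection(ad_groups):
            skipped.append(f"user {full}: not a member of any queried group")  # assumption
        elif full in existing.local_users:
            skipped.append(f"user {full}: exists locally")
        elif full in existing.other_ad_users:
            skipped.append(f"user {full}: exists under another AD connection")
        else:
            users_ok.append(full)
    return SyncSummary(len(result.groups), len(result.members), groups_ok, users_ok, skipped)

# Constructed sample: what one Group Query might return and what already exists.
DOMAIN = "ad.QDCdata.net"
AD_RESULT = AdQueryResult(
    groups=["BriansGroup", "DataStewards", "briansgroup"],
    members={
        "bbishop": ["BriansGroup", "Domain Users"],
        "jdoe": ["DataStewards"],
        "svc-noop": [],
        "mlee": ["Domain Users"],
    },
)
EXISTING = ExistingState(
    local_users={"bbishop"},                 # local bbishop coexists with bbishop@ad.QDCdata.net
    local_groups={"BriansGroup"},            # blocks the AD group of the same name
    other_ad_users={"jdoe@ad.QDCdata.net"},  # same user already synced via another connection
)

if __name__ == "__main__":
    summary = filter_sync(AD_RESULT, EXISTING, DOMAIN)
    print("groups:", summary.groups_to_import, "users:", summary.users_to_import)
    for line in summary.skipped:
        print("skipped", line)
```

Run as-is, the sample imports the groups DataStewards and briansgroup and the single user bbishop@ad.QDCdata.net, and records four skip reasons; comparing such a dry run against the actual View Updates output after a sync is a simple way to confirm that a renamed or colliding group behaved as expected.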