Creating a user directory connector
You can create a new User Directory Connector (UDC).
Do the following:
1. Open the QMC: https://<QPS server name>/qmc
2. Select User directory connectors on the QMC start page or from the Start drop-down menu to display the overview.
3. Click Create new in the action bar. The dialog with available user directory connector types is displayed.
4. Select the type for the new user directory connector and also the source. The following types are available:
   - Generic LDAP
   - Advanced LDAP
   - Active Directory
   - ApacheDS
   - ODBC
   - Access (through ODBC)
   - Excel (through ODBC)
   - SQL (through ODBC)
   - Teradata (through ODBC)
   Information note: No UDC is required for a local user to log on to Qlik Sense. However, for the local user to be able to access apps, you need to allocate access. With a user-based license, you can use professional or analyzer access rules. With a token-based license, you can use user or login access rules to allocate access. Alternatively, a local user can first log on to be recognized as a user, and then be allocated tokens.
5. Edit the properties. All fields are mandatory and must not be empty.
Identification properties:
- Name: The name of the UDC configuration, defined from the QMC.
- Type: The UDC type.
User sync properties:
- Sync user data for existing users (default: Selected):
  - When selected, only the existing users are synchronized. An existing user is a user who has logged in to Qlik Sense and/or been previously synchronized from the configured directory service.
  - When not selected, all the users, defined by the properties for the UDC, are synchronized from the configured directory service. You can create a filter for Active Directory, ApacheDS, Generic LDAP, or Advanced LDAP, if you only want to synchronize a selection of users.
  Information note: The user attributes are only synced when a user logs in to the hub. Even if you delete the user in the QMC, the active session is still valid for the user that has been deleted. If the hub is only refreshed, the user is added to the database, but without any attributes.
Connection properties (directory server connectors):
- User directory name (default: -): The name of the UDC instance (to be compared to the domain name of an Active Directory). Must be unique, otherwise the connector will not be configured. Together with the user's account name, this name makes a user unique.
  Information note: Not entered manually for Active Directory.
- Path (default: ldap://company.domain.com): The URI used to connect to the directory server. To support SSL, specify the protocol as LDAPS instead.
  Information note: Custom ports are not supported.
- User name (default: -): The optional user ID used to connect to the directory server. If this is empty, the user running the Qlik Sense repository is used to log on to the directory server.
- Password (default: -): The optional password for the user.
Information note: When a user creates an Active Directory connector, the connector will only work if the user running the Qlik Sense services is allowed to access the directory server. If the user running the Qlik Sense services is not allowed to access the directory server, a user name and a password that allows access to the directory server must be provided.
Information note: When loading .txt files using Microsoft Access Text Driver (*.txt, *.csv), you must use the connector type Access (via ODBC) instead of ODBC.
Connection properties (ODBC connectors):
- User directory name (default: -): The name of the user directory. Must be unique, otherwise the connector will not be configured. The name must not contain spaces.
- Users table name (default: -): The name of the table containing the users. Include the file extension in the table name, for example: Table.csv.
  Information note: When setting up an Oracle ODBC user directory connector, the Users table name and Attributes table name must be prefaced by the owner of those tables. For example: OWNER.USERS instead of only USERS.
- Attributes table name (default: -): The name of the table containing the user attributes. Include the file extension in the table name, for example: Table.csv. See the Oracle ODBC note under Users table name.
- Visible connection string (default: -): The visible part of the connection string that is used to connect to the data source. Specify one of the following:
  - A full connection string, for example: Driver={SQL Server Native Client 11.0};Server=localhost;Database=Users;Trusted_Connection=yes;
    - Driver must point to a driver currently on the machine. In the ODBC Data Source Administrator, check which driver to specify. Search for "data source" to find the application.
    - Server must point to the server that you want to connect to.
    - Database must point to the database where the tables are.
    - Trusted_Connection=yes may be required, depending on the setup. In this example it is required.
  - A pointer to an established System DSN, for example: dsn=MyDSN;
  Information note: The two connection strings are concatenated into a single connection string when making the connection to the database.
- Encrypted connection string (default: -): The encrypted part of the connection string that is used to connect to the data source. Typically, this string contains user name and password.
  Example:
  Assume that you have a connection string as follows:
  Driver={Microsoft Access Driver (*.mdb)};Dbq=C:\mydatabase.mdb;Uid=Admin;Pwd=verySecretAdminPassword;
  You do not want to store that connection string in the database as it is, because the secret password would then be visible to others. To protect the password, do the following:
  Save the first part:
  Driver={Microsoft Access Driver (*.mdb)};Dbq=C:\mydatabase.mdb;
  in the Visible connection string field, and the second part:
  Uid=Admin;Pwd=verySecretAdminPassword;
  in the Encrypted connection string field. The second part is then stored encrypted in the database and is not shown when you open the UDC again for editing.
- Synchronization timeout (seconds) (default: 240): The timeout for reading data from the data source.
The Advanced property group contains the advanced LDAP connector properties in the Qlik Sense system.
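The Visible/Encrypted split shown in the ODBC example above can be checked mechanically before the values are pasted into the QMC. The following Python script is an added example and is not Qlik's code or part of the QMC: it parses an ODBC connection string (a brace-quoted value such as Driver={...} may itself contain semicolons), routes the credential keys to the encrypted part, keeps everything else in the visible part, and confirms that concatenating the two parts reproduces the original string, which is what the connector does when it connects. The set of credential keys (Uid, Pwd, Password, User Id and similar) is an assumption for this example, and the sample connection strings are constructed.

```python
"""Split an ODBC connection string into the Visible and Encrypted UDC fields.

Added example (not Qlik's code). The secret-key list is an assumption for
illustration; extend it for the drivers you use.
"""

# Keys whose values are credentials and therefore belong in the Encrypted
# connection string field (compared case-insensitively). Assumed list.
SECRET_KEYS = frozenset({"uid", "pwd", "password", "user id", "username", "user"})


def parse_connection_string(conn):
    """Return a list of (key, value) pairs from 'Key=Value;' segments.

    A value wrapped in braces, e.g. Driver={SQL Server}, is kept verbatim
    including the braces, and may itself contain semicolons.
    """
    pairs = []
    i, n = 0, len(conn)
    while i < n:
        # Skip separators and whitespace between segments.
        while i < n and conn[i] in "; \t\r\n":
            i += 1
        if i >= n:
            break
        eq = conn.find("=", i)
        if eq == -1:
            raise ValueError("segment without '=' in connection string: %r" % conn[i:])
        key = conn[i:eq].strip()
        j = eq + 1
        if j < n and conn[j] == "{":
            end = conn.find("}", j)
            if end == -1:
                raise ValueError("unterminated '{' in connection string")
            value = conn[j:end + 1]
            i = end + 1
        else:
            semi = conn.find(";", j)
            value = conn[j:] if semi == -1 else conn[j:semi]
            i = n if semi == -1 else semi
        pairs.append((key, value))
    return pairs


def split_for_udc(conn, secret_keys=SECRET_KEYS):
    """Return (visible, encrypted): credential segments go to the encrypted part."""
    visible, encrypted = [], []
    for key, value in parse_connection_string(conn):
        target = encrypted if key.lower() in secret_keys else visible
        target.append("%s=%s;" % (key, value))
    return "".join(visible), "".join(encrypted)


def leaked_secret_keys(visible, secret_keys=SECRET_KEYS):
    """Keys present in a Visible connection string that should have been encrypted."""
    return [k for k, _ in parse_connection_string(visible) if k.lower() in secret_keys]


if __name__ == "__main__":
    # Constructed connection string, same shape as the one in the example above.
    sample = ("Driver={Microsoft Access Driver (*.mdb)};Dbq=C:\\mydatabase.mdb;"
              "Uid=Admin;Pwd=verySecretAdminPassword;")
    visible, encrypted = split_for_udc(sample)
    print("Visible connection string:  ", visible)
    print("Encrypted connection string:", encrypted)
    # The connector concatenates the two parts when it connects.
    assert visible + encrypted == sample
```

The order of segments is preserved, so the concatenated result is identical to the original string; leaked_secret_keys is the check to run on a Visible connection string that was typed by hand.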
Advanced properties:
- Additional LDAP filter (default: -): Used as the LDAP query to retrieve the users in the directory.
- Synchronization timeout (seconds) (default: 240): The timeout for reading data from the data source.
- Page size of search (default: 2000; for ApacheDS: 1000): Determines the number of entries retrieved when reading data from the data source. When the specified number of entries have been found, the search is stopped and the results are returned. When the search is restarted, it continues where it left off.
  Tip note: If the user synchronization is unsuccessful, try setting the value to '0' (zero), which is equal to not doing a paged search.
- Use optimized query (default: Not selected): This property allows Qlik Sense to optimize the query for directories containing many groups in proportion to the number of users retrieved.
  Warning note: To be able to use the optimization, the directory must be set up so that the groups refer to the users. If the directory is not set up correctly, the optimized query will not find all groups connected to the users.
  This property is only visible for Generic LDAP and Active Directory search (Active Directory always uses optimization).
- Authentication type (default: FastBind or Anonymous, based on the credentials settings): Optional. Authentication type to connect to LDAP. The values can be comma separated.
  Values: Secure, Encryption, SecureSocketsLayer, ReadonlyServer, FastBind, Signing, Sealing, Delegation, ServerBind.
  Information note: To support "LDAP Channel Binding and LDAP Signing in Active Directory and Generic LDAP UDCs", use the following Authentication type values: Secure,Signing.
The Advanced property group contains the advanced LDAP connector properties in the Qlik Sense system.
LDAP advanced properties:
- Page size (default: 2000; for ApacheDS: 1000): Determines the number of entries retrieved when reading data from the data source. When the specified number of entries have been found, the search is stopped and the results are returned. When the search is restarted, it continues where it left off.
  Tip note: If the user synchronization is unsuccessful, try setting the value to '0' (zero), which is equal to not doing a paged search.
- Use optimized query (default: Not selected): This property allows Qlik Sense to optimize the query for directories containing many groups in proportion to the number of users retrieved.
  Warning note: To be able to use the optimization, the directory must be set up so that the groups refer to the users. If the directory is not set up correctly, the optimized query will not find all groups connected to the users.
  This property is only visible for Generic LDAP, Advanced LDAP, and Active Directory search (Active Directory always uses optimization).
- Timeout (seconds) (default: 400): The timeout for reading data from the data source.
- Authentication type (default: -): Authentication type to connect to LDAP.
  Options: Anonymous, Basic, Negotiate, NTLM, Digest, Sicily, DPA, MSN, External, Kerberos.
- Flags (default: -): Flags that set LDAP connection session settings. Multiple values can be specified, comma separated.
  - Tcpkeepalive: Enables TCP keep-alive.
  - Autoreconnect: Enables Autoreconnect.
  - Rootdsecache: Enables the internal RootDSE cache.
  - Sealing: Enables Kerberos encryption.
  - Secure socket layer or ssl: Enables secure socket layer on the connection.
  - Signing: Enables Kerberos encryption.
  - Connectionless: Specifies whether the connection is UDP.
  - No_fqdn: Use this flag if the host in the Host field is given as an IP address.
  - noclientcert: Skip the default callback function used to specify client certificates when establishing an SSL connection.
  - NoCertVerify: Skip server certificate verification when an SSL connection is established.
    Information note: Don't use NoCertVerify and Certdebug together.
  - Certdebug: Get specific server certificate validation errors, if any, for debugging.
  - AllProps: Fetch all attributes of the LDAP object.
- Locator flags (default: -): Locator flag for the DC locator. Multiple values can be specified, comma separated.
  - None
  - ForceRediscovery
  - DirectoryServiceRequired
  - DirectoryServicePreferred
  - GCRequired
  - PdcRequired
  - IPRequired
  - KdcRequired
  - TimeServerRequired
  - WriteableRequired
  - GoodTimeServerPreferred
  - AvoidSelf
  - OnlyLdapNeeded
  - IsFlatName
  - IsDnsName
  - ReturnDnsName
  - ReturnFlatName
- Search LDAP filter (default: -): Optional LDAP filter query.
- Protocol version (default: 3): LDAP protocol version to use.
- Simple authentication and security layer (SASL) method (default: -): SASL binding method:
  - gssapi
  - external
  - gss-spnego
  - digest-md5
- Certificate path (default: -): Path of the client certificates to send for authentication.
Tip note: Use the Additional LDAP filter in the property group Advanced to apply a filter that retrieves only a selection of the users.
Information note: The directory entry attributes are case-sensitive.
Directory entry attribute properties:
- Type (default: objectClass): The attribute name that identifies the type of directory entry (only users and groups are used by the LDAP UDC).
- User identification (default: inetOrgPerson): The attribute value of the directory entry that identifies a user.
- Group identification (default: group): The attribute value of the directory entry that identifies a group.
- Account name (default: sAMAccountName): The unique user name (within the UDC) that the user uses to log in.
- Email (default: mail): The attribute name that holds the emails of a directory entry (user).
- Display name (default: name): The full name of either a user or a group directory entry.
- Group membership (default: memberOf): The attribute that indicates the direct groups that a directory entry is a member of. Indirect group membership is resolved during the user synchronization. This setting, or the one below, Members of directory entry, is allowed to be empty, which means that the group membership is resolved using only one of the two settings.
- Members of directory entry (default: member): The attribute name that holds a reference to the direct members of this directory entry. See also the Group membership setting, above.
- Custom attributes (only Advanced LDAP) (default: -): Extra LDAP object attributes to be retrieved. The custom attributes can be used in security rules and license assignment rules. Separate multiple custom attributes with commas. For an example of using custom attributes, see Qlik Sense Enterprise on Windows: How to sync custom attributes from Active Directory with Advanced LDAP.
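The Additional LDAP filter (and, for Advanced LDAP, the Search LDAP filter) is typed into the QMC as a plain LDAP filter string that selects which users are synchronized. The following Python helper is an added example and is not Qlik's code: it builds such a selection filter from the Type, User identification and Group membership attribute names listed above, restricting the sync to direct members of one group, and escapes the group DN per RFC 4515 so that parentheses, asterisks or backslashes in a group name cannot change the structure of the filter. The nested=True variant uses the Active Directory LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941) to match through nested groups; that rule is assumed to be available only on Active Directory. The group DNs are constructed.

```python
"""Build an escaped LDAP filter for the QMC Additional / Search LDAP filter fields.

Added example (not Qlik's code). Group DNs are constructed.
"""

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Active Directory LDAP_MATCHING_RULE_IN_CHAIN: makes memberOf match through
# nested groups. Assumed to be AD-specific; other directories ignore or reject it.
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"


def escape_filter_value(value):
    """Escape a value so it cannot alter the structure of the surrounding filter."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def user_selection_filter(group_dn, type_attr="objectClass", user_class="inetOrgPerson",
                          membership_attr="memberOf", nested=False):
    """Filter selecting entries of user_class that are members of group_dn.

    The defaults mirror the Type, User identification and Group membership
    defaults of the directory entry attribute table. Pass user_class="user"
    for an Active Directory connector.
    """
    rule = (":%s:" % IN_CHAIN_OID) if nested else ""
    return "(&(%s=%s)(%s%s=%s))" % (
        type_attr, escape_filter_value(user_class),
        membership_attr, rule, escape_filter_value(group_dn))


def is_balanced(ldap_filter):
    """True if the filter's parentheses nest properly and the filter starts with '('.

    Escaped parentheses in values appear as \\28 / \\29 and are not counted.
    """
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0 and ldap_filter.startswith("(")


if __name__ == "__main__":
    # Constructed group DN with characters that would otherwise break the filter.
    group = "CN=R&D (Labs),OU=Groups,DC=example,DC=com"
    print(user_selection_filter(group))
    print(user_selection_filter(group, user_class="user", nested=True))
```

Paste the returned string into the filter field as-is; is_balanced is a quick sanity check for a filter that was edited by hand before the sync is run.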
Information note: The directory entry attributes are case-sensitive.
Entry properties (ApacheDS):
- Type (default: objectClass): The attribute name that identifies the type of directory entry (only users and groups are used by the ApacheDS UDC).
- User identification (default: inetOrgPerson): The attribute value of the directory entry that identifies a user.
- Group identification (default: groupOfNames): The attribute value of the directory entry that identifies a group.
- Account name (default: uid): The unique user name (within the UDC) that the user uses to log in.
- Email (default: mail): The attribute name that holds the emails of a directory entry (user).
- Display name (default: cn): The full name of either a user or a group directory entry.
- Group membership (default: -): The attribute name that indicates the direct groups that a directory entry is a member of. Indirect group membership is resolved during the user synchronization. This setting, or the one below, Members of directory entry, is allowed to be empty, which means that the group membership is resolved using only one of the two settings.
- Members of directory entry (default: member): The attribute name that holds a reference to the direct members of this directory entry. See also the Group membership setting, above.
Tags properties:
- Tags: Connected tags are displayed under the text box.
  Tip note: If no tags are available, this property group is empty.
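The Group membership and Members of directory entry settings in both attribute tables above describe two sources of direct membership (the entry's own memberOf-style attribute and the group's member-style attribute), either of which may be left empty, with indirect membership through nested groups resolved at sync time. The following Python code is an added example and is not Qlik's synchronization code: on a small constructed set of directory entries it combines whichever of the two attributes are configured, walks nested groups breadth-first with a cycle guard, and shows the effect of configuring only one attribute or of getting an attribute name's case wrong (the directory entry attributes are case-sensitive). The entries, DNs and account names are constructed.

```python
"""Resolve direct and indirect group membership from directory entries.

Added example (not Qlik's synchronization code). The entries are constructed.
"""
from collections import deque

# Attribute names mirror the directory entry attribute defaults. Either of the
# two membership attributes may be "" to resolve membership from the other only.
DEFAULT_ATTRS = {
    "type": "objectClass",
    "user_class": "inetOrgPerson",
    "group_class": "group",
    "account_name": "sAMAccountName",
    "group_membership": "memberOf",      # entry -> groups it belongs to
    "members_of_entry": "member",        # group -> its direct members
}

# Constructed sample directory: DN -> {attribute: [values]}. Attribute names are
# case-sensitive, as the QMC note states. bob has no memberOf backlink, so he is
# only discoverable through the group's member attribute.
SAMPLE_ENTRIES = {
    "CN=alice,OU=Users,DC=example,DC=com": {
        "objectClass": ["inetOrgPerson"], "sAMAccountName": ["alice"],
        "memberOf": ["CN=Analysts,OU=Groups,DC=example,DC=com"]},
    "CN=bob,OU=Users,DC=example,DC=com": {
        "objectClass": ["inetOrgPerson"], "sAMAccountName": ["bob"]},
    "CN=Analysts,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"], "sAMAccountName": ["Analysts"],
        "member": ["CN=alice,OU=Users,DC=example,DC=com"],
        "memberOf": ["CN=Qlik Users,OU=Groups,DC=example,DC=com"]},
    "CN=Qlik Users,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"], "sAMAccountName": ["Qlik Users"],
        "member": ["CN=Analysts,OU=Groups,DC=example,DC=com",
                   "CN=bob,OU=Users,DC=example,DC=com"]},
}


def direct_groups(entries, attrs):
    """Map every DN to the set of group DNs it is a direct member of, combining the
    forward (Group membership) and backward (Members of directory entry) attributes,
    whichever are configured."""
    fwd, back = attrs["group_membership"], attrs["members_of_entry"]
    if not fwd and not back:
        raise ValueError("Group membership and Members of directory entry cannot both be empty")

    def is_group(dn):
        return attrs["group_class"] in entries.get(dn, {}).get(attrs["type"], [])

    direct = {dn: set() for dn in entries}
    for dn, attributes in entries.items():
        if fwd:
            direct[dn].update(g for g in attributes.get(fwd, []) if is_group(g))
        if back and is_group(dn):
            for member_dn in attributes.get(back, []):
                if member_dn in direct:
                    direct[member_dn].add(dn)
    return direct


def resolve_user_groups(entries, attrs=DEFAULT_ATTRS):
    """Return {account name: sorted group account names}, including nested groups."""
    direct = direct_groups(entries, attrs)
    resolved = {}
    for dn, attributes in entries.items():
        if attrs["user_class"] not in attributes.get(attrs["type"], []):
            continue
        seen, queue = set(), deque(direct[dn])
        while queue:                      # breadth-first walk over nested groups
            group_dn = queue.popleft()
            if group_dn in seen:
                continue                  # guard against membership cycles
            seen.add(group_dn)
            queue.extend(direct[group_dn])
        account = attributes[attrs["account_name"]][0]
        resolved[account] = sorted(entries[g][attrs["account_name"]][0] for g in seen)
    return resolved


def with_attrs(**overrides):
    """Copy of DEFAULT_ATTRS with some names changed, e.g. with_attrs(members_of_entry="")."""
    return {**DEFAULT_ATTRS, **overrides}


if __name__ == "__main__":
    print(resolve_user_groups(SAMPLE_ENTRIES))
    print(resolve_user_groups(SAMPLE_ENTRIES, with_attrs(members_of_entry="")))
    print(resolve_user_groups(SAMPLE_ENTRIES, with_attrs(group_membership="memberof",
                                                         members_of_entry="")))
```

With both attributes configured, alice resolves to Analysts and, through nesting, Qlik Users, and bob to Qlik Users. With Members of directory entry left empty, bob gets no groups at all, because his entry carries no memberOf value; with the attribute name misspelled as memberof and no second source, nobody gets any groups, which is the symptom to look for when a sync completes but security rules based on groups stop matching.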
   Click Apply to save your changes. If a mandatory field is empty, Apply is disabled.
6. Click Apply in the action bar to create and save the user directory connector. Successfully added is displayed at the bottom of the page.
You have now created a new user directory connector, and a User synchronization task is created by default for the new user directory connector.
The message User Directory Connector (UDC) is not operational is displayed if the configuration of the connector properties does not enable communication with the user directory. Check the UserManagement_Repository log at this location: %ProgramData%\Qlik\Sense\Log\Repository\Trace.
The message User Directory Connector (UDC) is not configured is displayed if the User directory name is already used or if the field is empty.