Resolving Groups With The Configurable LDAP Directory Service Connector

Last Update: Oct 1, 2020 9:18:05 AM
Updated By: Sonja_Bauernfeind
Created date: Oct 16, 2012 8:47:51 AM

This article describes how to resolve groups with the configurable LDAP Directory Service Connector using either LDAP or LDAPS.

Basics

Group and User example

Groups and users in an LDAP directory can be set up in very different ways. Sample records can usually be exported in LDIF format, which makes it possible to analyze the entries and work out how the LDAP connection must be configured.

A group record in LDIF format can look as follows:

dn: cn=Group1,ou=Groups,dc=domain,dc=com
objectClass: groupOfUniqueNames
cn: Group1
uniqueMember: uid=User1,ou=Users,dc=domain,dc=com
uniqueMember: uid=User2,ou=Users,dc=domain,dc=com
uniqueMember: uid=User3,ou=Users,dc=domain,dc=com


This group example has the following characteristics:

  • The Distinguished Name of the group is “cn=Group1,ou=Groups,dc=domain,dc=com”
  • The group objectClass is “groupOfUniqueNames”
  • The group has a “cn” (common name) attribute which can be used to identify the group
  • The attribute holding the list of members is “uniqueMember”
  • Members listed in “uniqueMember” are identified by their Distinguished Name


A user record in LDIF format can look as follows:

dn: uid=User1,ou=Users,dc=domain,dc=com
objectClass: inetOrgPerson
cn: John
sn: Smith
uid: User1
displayName: John Smith, User1
mail: user1@domain.com
memberOf: Group1
memberOf: Group2


The following characteristics can be identified in this user entry:

  • The Distinguished Name of the user is “uid=User1,ou=Users,dc=domain,dc=com”
  • The user objectClass is “inetOrgPerson”
  • The user has a “uid” attribute which can be used to identify the user
  • The “mail” attribute holds the mail address of the user
  • There is a “displayName” attribute which can be used for displaying the user in a list of users
  • The user has a “memberOf” attribute which identifies the groups the user is a member of
  • Groups listed in “memberOf” are identified by a string that corresponds to the “cn” attribute of the group (a plain name, not a Distinguished Name)


Also, it can be seen that the Base DN beneath which the example user and group are located is “dc=domain,dc=com”.

 

How to configure a Configurable LDAP DSP

The first parameter needed is the Path parameter, which is constructed as follows:

[Screenshot ldaps001.png: the Path parameter in the QMC]

The Path string starts with LDAP:// followed by the hostname and port the directory listens on, followed by the Base DN under which users and groups are found, for example LDAP://hostname:389/dc=domain,dc=com. The port is optional and defaults to 389. The Base DN is also optional, but it makes sense to provide it in order to limit the scope of the searches the Configurable LDAP connector sends out. In this example, where all users and groups are under dc=domain,dc=com, it makes sense to set the Base DN to dc=domain,dc=com, as in the screenshot.

To use LDAP over SSL (LDAPS), specify LDAPS instead of LDAP in the Path parameter. Example:
LDAPS://hostname

This uses the default LDAPS port, 636. Note that for LDAPS the certificate presented by the directory server must validate on the Directory Service Connector host: the service account running the Directory Service Connector must trust the issuing CA, and the certificate must be valid for the hostname used in the Path, otherwise the connection fails. Plain LDAP sends the bind credentials in cleartext, so LDAPS should be preferred wherever the directory supports it.
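As an added example (not code from the article or from Qlik), the following Python reads a Path value according to the rules described above and flags the two settings a reviewer would question: a plain LDAP:// scheme, which sends the bind credentials in cleartext, and a missing Base DN, which leaves every search unscoped. The host names in the usage lines are placeholders.

```python
"""Parse and sanity-check a Configurable LDAP DSP Path value.

Added example, not Qlik code. It applies the rules from the article:
LDAP:// or LDAPS://, then host[:port], then an optional /BaseDN.
"""

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_dsp_path(path):
    """Return scheme, host, port, base_dn and a list of warnings for a Path string.

    Raises ValueError for anything that is not an LDAP(S) URL with a host
    or that carries a non-numeric port.
    """
    scheme, sep, rest = path.strip().partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in DEFAULT_PORTS:
        raise ValueError(f"Path must start with LDAP:// or LDAPS://, got {path!r}")
    hostport, _, base_dn = rest.partition("/")
    host, _, port = hostport.partition(":")
    if not host:
        raise ValueError(f"Path has no hostname: {path!r}")
    port = int(port) if port else DEFAULT_PORTS[scheme]  # 389 / 636 defaults
    base_dn = base_dn.strip() or None

    warnings = []
    if scheme == "ldap":
        # Simple bind over plain LDAP sends the DSP service credentials in cleartext.
        warnings.append("plain LDAP: bind credentials and directory data are unencrypted")
    if base_dn is None:
        # Without a Base DN every search runs from the directory root.
        warnings.append("no Base DN: searches are not scoped to the user/group subtree")
    return {"scheme": scheme, "host": host, "port": port,
            "base_dn": base_dn, "warnings": warnings}


if __name__ == "__main__":
    # "hostname" is a placeholder, as in the article.
    for p in ("LDAP://hostname/dc=domain,dc=com", "LDAPS://hostname"):
        print(p, "->", parse_dsp_path(p))
```

The parser deliberately does not accept anything but the two schemes the DSP understands; a value such as http://hostname is rejected rather than silently treated as a hostname.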

We also need the credentials for connecting to the LDAP directory. These should be supplied in the User Name and password fields.

Next, enter the rest of the DSP settings, which are accessible from the pencil (edit) icon.

The exact parameters needed for resolving groups will depend on which way groups should be resolved, from group to member or from member to group. The following parameters are applicable regardless of the direction:

Directory Label: A name that uniquely identifies the DSP within the QlikView environment. Two DSPs must not share a label such as “DSP1”.

Cache Expiry in minutes: This parameter controls how long the DSP will keep entries in the cache.

Service Timeout in seconds: This is how long the DSP will wait for an answer before timing out.

LDAP filter: Optional LDAP search filter used to exclude entries that are not needed. If provided, it is ANDed with the search filters the DSP builds itself, including those used for group resolution, so it can only narrow a search, never widen it. It is usually good to supply a filter that ensures only user and group entries are returned. For our example entries the filter
(|(objectClass=inetOrgPerson)(objectClass=groupOfUniqueNames)) would be suitable in order to include only our example entries.

ID Property name: The attribute of the user that is used to identify the user.

Account Name property name: Attribute of the user which should be used to identify the user within the DSP. It will also be used as a “backup” Display name in the QMC, which is used if the attribute specified in the “Display name property name” does not exist in the user entry.

Display name property name: The attribute of the user that you want to appear as the displayed name in the QMC.

Email property name: The name of the attribute that holds the mail address of the users.

Options for resolving groups

In addition to the above parameters, more parameters are needed depending on the direction in which group resolution should be done.
In our example, where groups contain a list of members and users contain a list of the groups they belong to, group resolution would theoretically be possible in either direction.

In practice, one direction must be picked.

Depending on the type of group and user entries you are dealing with, choose one of the following options:

1) Resolving from Group to User

 

If the groups contain a list of members, groups can be resolved by looking up the groups and reading who is a member.

To resolve groups this way, set the remaining parameters as follows:

User member of property name: Leave this field blank; it is not used when resolving from group to user.

User object class value: The objectClass of the user entries.

Group / Member match property: When resolving from groups to users, this parameter names the user attribute that the member values refer to. In our example the group entries contain the multi-valued attribute “uniqueMember”, which holds the members’ Distinguished Names, so the parameter should be set to “distinguishedName”. If members are instead identified by another attribute, for example uid, set the parameter to the name of that attribute.

Group id property name: The attribute of the groups that is used to identify the groups. If the field is left blank it defaults to the same value as set in ID property name.

Group member property name: The attribute of the groups which contains the list of group members.

Group object class value: The objectClass of the group entries.

Example screenshot for resolving the example entries from groups to users:

[Screenshot ldaps002.png: DSP settings for group-to-user resolution]

2) Resolving from User to Group

 

If the user entries contain a list of the groups each user is a member of, groups can be resolved by looking up the user entries and reading which groups each user belongs to.

If you want to resolve groups this way you need to specify the following properties:

User member of property name: The attribute of the user that holds the list of groups the user is a member of.

User object class value: The objectClass of the user entries.

Group / Member match property: When resolving from users to groups, this parameter names the group attribute that the memberOf values refer to. In our example the user entries contain the multi-valued attribute “memberOf”, whose values are group names matching the “cn” attribute of the groups, so the parameter should be “cn”. If memberOf instead holds the full Distinguished Name of each group, as Active Directory does, the parameter should be “distinguishedName”, mirroring the group-to-user case.

Group id property name: The attribute of the groups that is used to identify the groups. If the field is left blank it defaults to the same value as set in ID property name.

Group member property name: Leave this field blank when resolving from users to groups.

Group object class value: The objectClass of the group entries.

Example screenshot for resolving the example entries from user to group:

[Screenshot ldaps003.png: DSP settings for user-to-group resolution]

 
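The following Python is an added example, not Qlik code, that models both options above by resolving the article’s example entries in each direction. It works over a constructed LDIF (the entries from the Basics section, trimmed and made mutually consistent, plus a device entry that the object class filters must exclude) instead of querying a directory, and its keyword arguments mirror the QMC parameter names. The third call shows what a wrong Group / Member match property does.

```python
"""Group resolution over LDIF entries in both directions.

Added example, not Qlik code. Keyword arguments mirror the QMC fields of the
Configurable LDAP DSP; the LDIF below is constructed for this example.
"""
from collections import defaultdict

SAMPLE_LDIF = """\
dn: cn=Group1,ou=Groups,dc=domain,dc=com
objectClass: groupOfUniqueNames
cn: Group1
uniqueMember: uid=User1,ou=Users,dc=domain,dc=com
uniqueMember: uid=User2,ou=Users,dc=domain,dc=com

dn: cn=Group2,ou=Groups,dc=domain,dc=com
objectClass: groupOfUniqueNames
cn: Group2
uniqueMember: uid=User1,ou=Users,dc=domain,dc=com

dn: uid=User1,ou=Users,dc=domain,dc=com
objectClass: inetOrgPerson
uid: User1
memberOf: Group1
memberOf: Group2

dn: uid=User2,ou=Users,dc=domain,dc=com
objectClass: inetOrgPerson
uid: User2
memberOf: Group1

dn: cn=Printers,ou=Devices,dc=domain,dc=com
objectClass: device
cn: Printers
"""


def parse_ldif(text):
    """Parse plain LDIF (no folded lines, no base64 '::' values) into a list of
    entries: dict of lower-cased attribute name -> list of values. The DN is
    stored as 'distinguishedname' so the DSP's distinguishedName setting can be
    matched like any other attribute."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:                      # blank line ends an entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = defaultdict(list)
            current["distinguishedname"].append(value)
        elif current is not None:
            current[attr].append(value)
    if current is not None:
        entries.append(current)
    return entries


def has_value(entry, attr, value):
    """LDAP attribute names, DNs and most name values compare case-insensitively."""
    return any(v.lower() == value.lower() for v in entry.get(attr.lower(), []))


def by_class(entries, object_class):
    """Mimics the DSP's object class filter: only entries of this class are considered."""
    return [e for e in entries if has_value(e, "objectClass", object_class)]


def resolve_group_to_user(entries, *, user_object_class, group_object_class,
                          user_id_property, group_id_property,
                          group_member_property, match_property):
    """Option 1: read each group's member list and match every value against
    match_property on the user entries (distinguishedName for DN-valued lists)."""
    users = by_class(entries, user_object_class)
    members = defaultdict(set)
    for group in by_class(entries, group_object_class):
        group_id = group[group_id_property.lower()][0]
        for ref in group.get(group_member_property.lower(), []):
            for user in users:
                if has_value(user, match_property, ref):
                    members[group_id].add(user[user_id_property.lower()][0])
    return {g: sorted(m) for g, m in members.items()}


def resolve_user_to_group(entries, *, user_object_class, group_object_class,
                          user_id_property, group_id_property,
                          user_member_of_property, match_property):
    """Option 2: read each user's memberOf list and match every value against
    match_property on the group entries (cn for names, distinguishedName for DNs)."""
    groups = by_class(entries, group_object_class)
    members = defaultdict(set)
    for user in by_class(entries, user_object_class):
        user_id = user[user_id_property.lower()][0]
        for ref in user.get(user_member_of_property.lower(), []):
            for group in groups:
                if has_value(group, match_property, ref):
                    members[group[group_id_property.lower()][0]].add(user_id)
    return {g: sorted(m) for g, m in members.items()}


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    common = dict(user_object_class="inetOrgPerson", group_object_class="groupOfUniqueNames",
                  user_id_property="uid", group_id_property="cn")
    print(resolve_group_to_user(entries, group_member_property="uniqueMember",
                                match_property="distinguishedName", **common))
    print(resolve_user_to_group(entries, user_member_of_property="memberOf",
                                match_property="cn", **common))
    # Wrong match property: uniqueMember holds DNs, not uid values, so nothing resolves.
    print(resolve_group_to_user(entries, group_member_property="uniqueMember",
                                match_property="uid", **common))
```

A mismatched Group / Member match property (uid when uniqueMember holds DNs) resolves no members at all rather than failing loudly, which is why an LDIF export of a few real entries is worth checking against the chosen settings before relying on the DSP for authorization decisions.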

IMPORTANT: The QlikView Directory Service Connector service in Windows must be restarted between configuration changes; otherwise, lookups will continue to return cached results from the previous configuration.
