
LDAP Filter for multiple groups in Qlik Sense Enterprise on Windows

Sonja_Bauernfeind
Digital Support
Last Update:

May 12, 2021 9:18:56 AM

Updated By:

Sonja_Bauernfeind

Created date:

Jan 30, 2015 1:44:01 PM

The syntax to use when adding multiple AD groups in the LDAP filter is listed below.

 

Environment:

Qlik Sense Enterprise on Windows 

 

The LDAP syntax for a filter like our example above would be to "OR" the elements together with the "|" character (called the pipe character):

(|( condition 1)( condition 2))

So your conditions for the filter would look like this:

(|(memberof=CN=BOBJ ADMIN LASH,OU=Security Groups,OU=LashGroup,DC=clt,DC=lash,DC=loc)(memberof=CN=BO Admin,OU=Security Groups,OU=LashGroup,DC=clt,DC=lash,DC=loc))

The "OR" operator is used for multiple groups, and uses a "pipe" symbol. The "AND" operator is used inversely to make a very specific query, and uses a "&" symbol.

It is recommended to always test outside of Qlik Sense prior to applying any changes. See Qlik Sense: How to create a filter in Directory Connector (and test it) for further steps.

More information about LDAP filters for Active Directory can be found here: https://technet.microsoft.com/en-us/library/aa996205(v=exchg.65).aspx


Basic LDAP Filter Syntax and Operators


LDAP filters consist of one or more criteria. If more than one criterion exists in one filter definition, they can be concatenated by logical AND or OR operators. The logical operators are always placed in front of the operands (i.e. the criteria). This is the so-called 'Polish Notation'. The search criteria have to be put in parentheses and then the whole term has to be bracketed one more time.

 

AND Operation: 

(& (...K1...) (...K2...))   or with more than two criteria:   (& (...K1...) (...K2...) (...K3...) (...K4...))

OR Operation:

(| (...K1...) (...K2...))   or with more than two criteria:     (| (...K1...) (...K2...) (...K3...) (...K4...)) 

Nested Operation:

Every AND/OR operation can also be understood as a single criterion:

(|(& (...K1...) (...K2...))(& (...K3...) (...K4...)))  

Note: Wildcards are not allowed in the case of memberOf and distinguishedName. Specify the full DN of the objects. This is not a Qlik Sense limitation but a general LDAP limitation/rule.
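As an added example (not Qlik code and not part of the original article), the Python helpers below build a multi-group OR filter on a single line, escape the characters RFC 4515 reserves inside values, collapse the line breaks that the comments on this page report as a problem, and check the bracketing before the filter is pasted anywhere. The function names and the sample DNs in the demo are hypothetical.

```python
import re

# RFC 4515: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_value(value):
    """Escape a value (here a full group DN) for use inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def or_groups(group_dns, attribute="memberOf"):
    """Build (|(memberOf=DN1)(memberOf=DN2)...) with no whitespace between terms."""
    if not group_dns:
        raise ValueError("at least one group DN is required")
    clauses = "".join(f"({attribute}={escape_value(dn)})" for dn in group_dns)
    # A single criterion needs no operator wrapper.
    return clauses if len(group_dns) == 1 else f"(|{clauses})"

def and_all(*terms):
    """Combine already-built terms with AND: (&(t1)(t2)...)."""
    return "(&" + "".join(terms) + ")"

def normalize(filter_text):
    """Drop spaces and line breaks between terms; spaces inside values are kept."""
    text = filter_text.strip()
    text = re.sub(r"(?<=\))\s+(?=[()])", "", text)     # ") (" and ") )"
    text = re.sub(r"(?<=\([&|!])\s+(?=\()", "", text)  # "(| (" after an operator
    return text

def is_balanced(filter_text):
    """True when the text is exactly one fully bracketed term."""
    depth = 0
    for i, ch in enumerate(filter_text):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            # Closing too early means a stray ")" or two terms side by side.
            if depth < 0 or (depth == 0 and i != len(filter_text) - 1):
                return False
    return depth == 0 and filter_text.startswith("(")

if __name__ == "__main__":
    # Constructed group DNs, not taken from a real directory.
    groups = ["CN=groupA,CN=Users,DC=domain,DC=local",
              "CN=Sales (EMEA),CN=Users,DC=domain,DC=local"]
    print(and_all("(objectClass=user)", or_groups(groups)))
```

Because each value is escaped, literal parentheses never appear inside a DN in the output, which is what lets `is_balanced` count brackets without parsing the values.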

 

Related Content:

Qlik Sense : Example of a LDAP filter to sync users in a group 
Qlik Sense on Windows: Configuring and testing LDAP filters for User Directory Connector 

Comments
jaishree_Qlik
Partner - Contributor III

When I am using OR Operation

OR Operation:

(| (...K1...) (...K2...))   or with more than two criteria:     (| (...K1...) (...K2...) (...K3...) (...K4...)) 

the users from K3 group become inactive.

My users are admin, dev and analyst, hence K1 = Admin and K2 = Dev are active whereas K3 = Analyst are inactive.

Damien_Villaret
Support

Hello @jaishree_Qlik 

I've just tested with 3 groups and it just works fine for me. 

(|(memberof=CN=groupA,CN=Users,DC=domain,DC=local)(memberof=CN=groupB,CN=Users,DC=domain,DC=local)(memberof=CN=groupC,CN=Users,DC=domain,DC=local))

I have userA,userB,userC in each group and everyone is synced and not disabled.

Could there be a mistake in the path to the group for K3?
Does simply using (| (...K1...) (...K3...)) actually fetch the users from K3/make them active?

jaishree_Qlik
Partner - Contributor III

For testing it on a local server I used this syntax and am still not able to see the users active.

(| (memberOf=CN=QlikUser,OU=My Users,DC=hp,DC=local)
(memberOf=CN=QlikAdmin,OU=My Users,DC=hp,DC=local)
(memberOf=CN=QlikAnalyzer,OU=My Users,DC=hp,DC=local))

 

QlikUser - Active

QlikAdmin - Not Active

QlikAnalyzer - Not Active

jaishree_Qlik
Partner - Contributor III

Please do not format it with the Enter button, just give one space between groups... it will work.

maknae
Contributor

The issue arises when I combine the below two groups with an OR condition; individually, they function correctly. I have already tried the above solution @jaishree_Qlik @Sonja_Bauernfeind

@Damien_Villaret 

(&(objectCategory=person)(objectClass=user)
(| (memberof=CN=QlikUser,OU=Groups,OU=My Users,OU=Regular,DC=hp,DC=local)         (memberof=CN=QlikAdmin,OU=Groups,OU=My Users,OU=Regular,DC=hp,DC=local)))

Sonja_Bauernfeind
Digital Support

Hello @maknae. Before beginning to troubleshoot with a Qlik Product, please verify that the filter works correctly in a third-party tool. See LDAP server testing using an LDAP browser to verify LDAP filters for Qlik products for an example.

If the filter does not return the expected results in the third-party tool, please troubleshoot further with your active directory administrator. If it does, please post about your query and what you are looking to achieve in the Qlik Sense Management and Deployment forum.

All the best,
Sonja 
