The client was satisfied and it looks like they will go ahead and order the new licenses (yay!) and the hardware to implement it on.
Gulp! I still hadn't played with this LDAP connector, so I thought I had better get some handle on it before the implementation went ahead. Of course, there is bountiful documentation on it in the server reference manual (well, just under 2 pages). Luckily I had recently met the genius that is Michael Robertshaw, a Solutions Consultant for QlikView in the Netherlands. With some guidance from him, I was able to get up and running.
I found a distribution of OpenLDAP for Windows and installed it on my PC. Once I had an idea of what I was doing, it was actually quite straightforward (note: choose the BDB database, not LDAP, during setup and all will be well!). Once I was up and running, I used a tool called LDAP Admin to add new users and groups.
Now to the QlikView side of things. I had thought that this should be quite straightforward. It wasn't initially, but with the help of Michael I got there in the end. The important thing to know is that LDAP and Active Directory LDAP are not necessarily the same thing. There are a lot of differences. Unfortunately, the defaults for the DSP entries are AD ones so these needed to change. Also, the way that the server is specified is not as easy as I thought it should be, but easy to get right once you know.
I had thought that the correct Path entry for my server should have been:
LDAP://myserver
This is what you will see for AD. However, I also found that you need to specify the base search path in this string. For me, with my domain of "mydomain.com", this was:
LDAP://myserver/dc=mydomain,dc=com
Once I added this and the correct username and password (note that the username needs to be the fully qualified name, e.g. cn=Manager,dc=mydomain,dc=com), I was able to think about the DSP settings. These are accessed via the pencil icon beside the password box. Now, this is where the Active Directory defaults will need to be changed. The defaults are:
Account Name : sAMAccountName
Directory Label : DSP1 *
Display Name : name
Distinguished Name : distinguishedName
Group member :
Group object class : group
Id Property name : sAMAccountName
LDAP Filter : (&(!(objectclass=computer))(objectGUID=*))
User member of : memberOf
User object class : user
* the directory label is how you will identify users to QlikView, e.g. in this case - DSP1\username.
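Two of the settings the post calls out, the Path string and the LDAP Filter, can be checked offline before touching the DSC. The following Python is an added example, not code from the post or from QlikView: it pulls the base DN out of a Path string, checks that a bind user is a full DN rather than a bare login, and evaluates the AD default filter against constructed sample entries to show why that filter matches nothing on OpenLDAP (OpenLDAP entries carry entryUUID, not objectGUID, so the objectGUID=* presence test fails). The sample entries and all function names are my own.

```python
import re

# Added example (not from the post): offline sanity checks for the two DSC
# settings the post says trip people up when pointing at OpenLDAP instead of AD.

def parse_ldap_path(path):
    """Split 'LDAP://host[:port]/base-dn' into (host, base_dn).
    base_dn is '' when the path stops at the host, as the AD-style path does."""
    m = re.fullmatch(r"(?i)ldaps?://([^/]+)(?:/(.*))?", path.strip())
    if not m:
        raise ValueError("not an LDAP path: %r" % path)
    return m.group(1), (m.group(2) or "")

def is_distinguished_name(name):
    """True if every (unescaped-)comma-separated component looks like attr=value,
    i.e. the bind user is a full DN such as cn=Manager,dc=mydomain,dc=com."""
    parts = re.split(r"(?<!\\),", name)
    return all(re.fullmatch(r"\s*[A-Za-z][\w.-]*=.+", p) for p in parts)

# Minimal RFC 4515 filter evaluator: supports &, |, !, attr=value and attr=* (presence).
def _parse(s, i):
    """Parse one parenthesised filter starting at s[i]; return (node, next_index)."""
    assert s[i] == "("
    i += 1
    if s[i] in "&|!":
        op, i = s[i], i + 1
        kids = []
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        assert s[i] == ")"
        return (op, kids), i + 1
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.lower(), value), j + 1

def ldap_filter_matches(filter_str, entry):
    """Evaluate a filter against an entry given as {attr: [values]}.
    An empty filter (the post's OpenLDAP setting) matches every entry."""
    if not filter_str.strip():
        return True
    node, _ = _parse(filter_str.strip(), 0)
    attrs = {k.lower(): [str(v).lower() for v in vals] for k, vals in entry.items()}
    def ev(n):
        if n[0] == "&": return all(ev(k) for k in n[1])
        if n[0] == "|": return any(ev(k) for k in n[1])
        if n[0] == "!": return not ev(n[1][0])
        _, attr, value = n
        if value == "*":                      # presence test, e.g. (objectGUID=*)
            return attr in attrs
        return value.lower() in attrs.get(attr, [])
    return ev(node)

AD_DEFAULT_FILTER = "(&(!(objectclass=computer))(objectGUID=*))"

# Constructed sample entries: an AD user, an AD computer account, an OpenLDAP user.
AD_USER = {"objectClass": ["top", "person", "user"], "sAMAccountName": ["jdoe"],
           "objectGUID": ["<binary>"]}
AD_COMPUTER = {"objectClass": ["top", "computer"], "sAMAccountName": ["PC01$"],
               "objectGUID": ["<binary>"]}
OPENLDAP_USER = {"objectClass": ["top", "posixAccount", "inetOrgPerson"],
                 "cn": ["jdoe"], "uid": ["jdoe"], "entryUUID": ["<uuid>"]}

if __name__ == "__main__":
    print(parse_ldap_path("LDAP://myserver/dc=mydomain,dc=com"))   # ('myserver', 'dc=mydomain,dc=com')
    print(parse_ldap_path("LDAP://myserver"))                      # ('myserver', '') -> no base DN
    print(is_distinguished_name("cn=Manager,dc=mydomain,dc=com"))  # True
    for label, e in [("AD user", AD_USER), ("AD computer", AD_COMPUTER), ("OpenLDAP user", OPENLDAP_USER)]:
        print(label, "matches AD default filter:", ldap_filter_matches(AD_DEFAULT_FILTER, e))
```

The last loop is the point: the AD default filter keeps the AD user, drops the computer account, and also drops the OpenLDAP user, which is why the post leaves the filter blank for OpenLDAP. If you want a non-blank filter there, it has to test attributes OpenLDAP entries actually have (objectClass, for instance).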
With advice from Michael and some testing, I found the best settings for OpenLDAP (other LDAPs may be different - use the LDIF information to help you work it out) to be:
Account Name : cn
Directory Label : MyDomain
Display Name : displayName
Distinguished Name : dn
Group member : memberUid
Group object class : posixGroup
Id Property name : cn
LDAP Filter : (yes, this is blank!)
User member of : memberOf **
User object class : posixAccount
** memberOf (used to check users are in a group) will only work in OpenLDAP if the memberOf overlay is enabled and working.
With these settings, I am now able to use User Management in the Enterprise Management Console to query the LDAP directory.
I tested that it was working by creating a new document on my server and using DMS to give access to a user called MyDomain\jdoe (a valid user in my LDAP). I then generated a ticket for the user and connected successfully to the document.
Stephen Redmond is CTO of CapricornVentis, a QlikView Elite Partner.
Hi Stephen,
Many thanks for your explanation.
I didn't know how to set the "Base Search Path". To solve that, I set a "DefaultSearchBase" directly in OpenLDAP.
I didn't know either how to retrieve user groups.
In QEMC, in tab User, can you see groups of searched user?
Do you have the memberOf overlay configured and working?
Without it, you won't get anything useful out of groups.
I don't know how to configure it and how to activate it. I'm not an LDAP guru ;-)
I will search how to do that and I will try again to retrieve user groups.
I'll let you know.
I want to establish an LDAP connection to the QV server. But it is giving the error "logon failure - invalid user name or bad password".
What is the reason for this?
Dear all,
I am trying to set up QlikView Server 10 SR4 64-bit for a company where access will be only from the company's own LAN (not from outside) and the users are the same as in the Active Directory domain; otherwise they are not allowed to reach the IP (Access Point).
I have already installed QlikView Server, opened ports 80, 443, 4747, 4780 and I can reach the access point but while trying to login it appears "Login failed".
How can I name the user CALs and also define the group of users allowed to log in to QlikView from the company's Active Directory domain? The users are not defined on the server, only in the domain. I thought it should be in QEMC: System --> Setup --> Directory Service Connectors --> DSC@server_name --> Active Directory (or Configurable LDAP).
Please help! :)
Hi,
Do you need to open ports to allow your DSC to connect to Active Directory?
If only using Active Directory then none of the stuff above is that relevant. You should have an entry under the "Active Directory" settings in QEMC and the user running the DSC service should be able to query Active Directory (i.e. a domain user, not a local user).
If you are still having trouble, you probably need to contact your partner or QlikView support.
Stephen
Hi All,
We have the LDAP setup done, but when we use NTNAME in the section access script the LDAP users are unable to search and it throws a "No Connection" error message.
Could you please help us if some setting is missing on our side?
We are using DMS authorization.
Note: we are able to search the users in QEMC --> User Management.
Hello Stephen,
I have a question regarding LDAP configuration in QlikView. Is it necessary that the Windows server is a member of the same domain as the LDAP that QlikView wants to connect to?
No, not at all. You can connect to multiple different LDAP servers.
Hi Stephen,
I have configured OpenLDAP in QlikView Server version 11.2.
I can see the list of users from QVMS, I can also assign CALs to users.
Unfortunately, when I try to access the QV access point with one of the valid users of OpenLDAP, it always responds "login failed".
Note that if I log in to the QV access point with a user credential defined on the server (a local user on the QV server, Windows 2003), it works fine!
Can you help me?
Thanks
You can't open AccessPoint with LDAP authentication unless you use a customized Authenticate.aspx page to do so!
There are several alternatives. If the user is already authenticated by a server, you can allow that server to request a ticket from QlikView Server to authenticate the user to QlikView (Custom Ticket Exchange - CTE).
If you are using another web server, such as Apache, to authenticate the users, you can have it inject an HTTP header with QVUSER set to the username and then configure a reverse proxy to the QlikView server for /qlikview and /qvajaxzfc.
I document a number of these methods in my forthcoming book on QlikView Server and Publisher. More info soon!
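The header-injection route in the reply above only works safely if the web server in front of QlikView is the one that decides what QVUSER says. The following Python is an added example, not code from Stephen, from the post or from QlikView: it expresses the proxy-side rule as a function you can test. The QVUSER header name and the /qlikview and /qvajaxzfc paths come from the reply; the dict-shaped headers, the user-name format (the post's label\username form) and the function name are assumptions for illustration.

```python
# Added example (not from the post): the reverse-proxy rule for forwarding an
# authenticated identity to QlikView Server in the QVUSER header.

QV_PATHS = ("/qlikview", "/qvajaxzfc")   # paths the reply says are reverse-proxied to QlikView
IDENTITY_HEADER = "QVUSER"

def build_upstream_headers(client_headers, authenticated_user, path):
    """Return the headers to send upstream, or None if the request must not be proxied.

    Rules: only the two QlikView paths are forwarded; the request must already
    be authenticated by the web server; and any QVUSER the client itself sent
    (in any letter case) is discarded and replaced by the identity the web
    server established. Without that last rule a client could name any user.
    """
    if not any(path == p or path.startswith(p + "/") for p in QV_PATHS):
        return None                                   # not a QlikView path: do not proxy
    if not authenticated_user:
        return None                                   # web server has not authenticated the user
    upstream = {k: v for k, v in client_headers.items()
                if k.upper() != IDENTITY_HEADER}      # drop client-supplied QVUSER
    upstream[IDENTITY_HEADER] = authenticated_user    # e.g. "MyDomain\\jdoe", as in the post
    return upstream

# Constructed sample request: the client tried to supply its own QVUSER value.
CLIENT_REQUEST = {"Host": "qv.example.internal", "qvuser": "MyDomain\\admin",
                  "Accept": "text/html"}

if __name__ == "__main__":
    print(build_upstream_headers(CLIENT_REQUEST, "MyDomain\\jdoe", "/qlikview/index.htm"))
    print(build_upstream_headers(CLIENT_REQUEST, None, "/qlikview/index.htm"))
    print(build_upstream_headers(CLIENT_REQUEST, "MyDomain\\jdoe", "/admin"))
```

Because the QlikView side trusts whatever arrives in QVUSER, the proxy also has to be the only network path to the QlikView web ports; if a client can reach the QlikView server directly, the header check above is bypassed entirely. The same caveat applies to the CTE route in a weaker form: only the authenticating server should hold the credentials needed to request tickets.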
Hi Stephen,
Many thanks for a great article.
I am trying to achieve QlikView - OpenLDAP integration with only partial success. I have installed OpenLDAP, configured it and made sure that the memberOf overlay is present. I can test it using:
ldapsearch -x -LLL -H ldap:/// -b cn=heniek@onet.pl,ou=users,dc=mycompany,dc=local dn memberof
which results in:
dn: cn=heniek@onet.pl,ou=users,dc=mycompany,dc=local
memberOf: cn=testgroup1,ou=groups,dc=mycompany,dc=local
so it definitely works on the OpenLDAP side.
QlikView Server (version 11) is running on the local network on the domain mycompany.local (local Windows AD domain).
I can see users from OpenLdap in QlikView management console when I search for them but checking Directory Service Connector logs I can see:
(GenericLDAP.GenericLDAPItem) Looking up memberof for node heniek@onet.pl
Information (GenericLDAP.GenericLDAPItem) No memberof attribute found, aborting search
Information Resolved 0 groups for mycompany.local\heniek@onet.pl:
I have set up groups as an organisationalUnit - the same for users.
Under groups I have created test groups using the groupOfNames class.
Users are created using inetOrgPerson - all done using Apache Directory Studio.
My configurable LDAP settings on the QlikView server are slightly different:
Directory label: mycompany.local
LDAP filter - empty
Id property name: cn
Account name property name: cn
Display name property name: cn
E-mail property name: empty
User Member of property name: memberOf
User object class value: inetOrgPerson
Group / Member match property: cn
Group id property name: cn
Group member property name: member
Group object class value: groupOfNames
I tried to use your exact settings - no success.
Would you know what the problem might be?
Do I need to use posixAccount and posixGroup? If so, would I need to change the memberOf overlay not to use groupOfNames but posixGroup?
Would it make any difference / do I have to use posixGroup / posixAccount?
I would highly appreciate your help!
Thanks,
Adrian
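Both the post's OpenLDAP settings (posixGroup with memberUid on the group side, memberOf on the user side) and Adrian's groupOfNames/member setup come down to which attribute actually holds the membership and what value it stores. The following Python is an added example, not code from the post, from Adrian or from QlikView: it parses a constructed LDIF extract and resolves a user's groups both ways, group-side (scan groups whose member attribute lists the user) and user-side (read memberOf). The memberOf values in the sample reflect how the slapo-memberof overlay behaves with its default settings, which maintain memberOf from groupOfNames/member entries, not from posixGroup/memberUid; the LDIF, the DNs and the helper names are constructed for the example.

```python
import re
from collections import defaultdict

# Added example (not from the post): two ways a directory connector can resolve
# "which groups is this user in", matching the DSC fields discussed on this page.

def parse_ldif(text):
    """Parse simple LDIF (no base64 values, no continuation lines) into
    {dn: {attr: [values]}} with attribute names lower-cased."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = defaultdict(list)
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry[attr.strip().lower()].append(value.strip())
        entries[entry["dn"][0]] = dict(entry)
    return entries

def groups_via_group_member(entries, user_dn, group_class, member_attr, match_attr):
    """Group-side lookup ("Group object class" / "Group member" / match property):
    return DNs of groups of group_class whose member_attr lists the user's
    match_attr value. memberUid stores a uid; member stores a full DN."""
    user = entries[user_dn]
    key = user_dn if match_attr.lower() == "dn" else user.get(match_attr.lower(), [None])[0]
    return sorted(dn for dn, e in entries.items()
                  if group_class.lower() in [c.lower() for c in e.get("objectclass", [])]
                  and key in e.get(member_attr.lower(), []))

def groups_via_member_of(entries, user_dn):
    """User-side lookup ("User member of" = memberOf): read the attribute off the
    user entry. Returns None when it is absent, which is the situation the DSC
    log quoted above reports as 'No memberof attribute found'."""
    return entries[user_dn].get("memberof")

# Constructed LDIF: one user in a posixGroup (memberUid) and a groupOfNames (member),
# with memberOf maintained by the overlay for the groupOfNames only; and one user
# with no memberOf at all.
LDIF = """\
dn: cn=jdoe,ou=users,dc=mydomain,dc=com
objectClass: posixAccount
objectClass: inetOrgPerson
cn: jdoe
uid: jdoe
displayName: John Doe
memberOf: cn=testgroup1,ou=groups,dc=mydomain,dc=com

dn: cn=analysts,ou=groups,dc=mydomain,dc=com
objectClass: posixGroup
cn: analysts
memberUid: jdoe

dn: cn=testgroup1,ou=groups,dc=mydomain,dc=com
objectClass: groupOfNames
cn: testgroup1
member: cn=jdoe,ou=users,dc=mydomain,dc=com

dn: cn=nooverlay,ou=users,dc=mydomain,dc=com
objectClass: inetOrgPerson
cn: nooverlay
uid: nooverlay
"""

if __name__ == "__main__":
    entries = parse_ldif(LDIF)
    user = "cn=jdoe,ou=users,dc=mydomain,dc=com"
    print("posixGroup/memberUid matched on uid:", groups_via_group_member(entries, user, "posixGroup", "memberUid", "uid"))
    print("groupOfNames/member matched on dn:  ", groups_via_group_member(entries, user, "groupOfNames", "member", "dn"))
    print("groupOfNames/member matched on cn:  ", groups_via_group_member(entries, user, "groupOfNames", "member", "cn"))
    print("memberOf on the user entry:         ", groups_via_member_of(entries, user))
    print("memberOf with no overlay:           ", groups_via_member_of(entries, "cn=nooverlay,ou=users,dc=mydomain,dc=com"))
```

The third lookup is the one to watch: a groupOfNames member attribute holds the user's full DN, so matching it on cn finds nothing, while the same group is found when matched on dn. The group-side match property therefore has to name whatever the member attribute actually stores. The None result at the end is the no-overlay case; memberOf only contains anything when the overlay (or something else) maintains it, which is the point of the post's footnote.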
Does someone have a current configuration from 2017?
Directory label:
Cache expiry in minutes
Service timeout in seconds
LDAP filter
Id property name
Account name property name
Display name property name
E-mail property name
User member of property name
User object class value
Group / Member match property
Group id property name
Group member property name
Group object class value
Thanks, Korvinus