The client was satisfied and it looks like they will go ahead and order the new licenses (yay!) and hardware to implement it on.
Gulp! I still hadn't played with this LDAP connector so I thought I had better get some handle on it before the implementation went ahead. Of course, there is bountiful documentation on it in the server reference manual (well, just under 2 pages). Luckily I had recently met the genius that is Michael Robertshaw, a Solutions Consultant for QlikView in the Netherlands. With some guidance from him, I was able to get up and running.
I found a distribution of OpenLDAP for Windows and installed it on my PC. Once I had an idea of what I was doing, it was actually quite straightforward (Note - choose BDB database, not LDAP during setup and all will be well!) Once I was up and running, I used a tool called LDAP Admin to add new users and groups.
Now to the QlikView side of things. I had thought that this should be quite straightforward. It wasn't initially, but with the help of Michael I got there in the end. The important thing to know is that LDAP and Active Directory LDAP are not necessarily the same thing. There are a lot of differences. Unfortunately, the defaults for the DSP entries are AD ones so these needed to change. Also, the way that the server is specified is not as easy as I thought it should be, but easy to get right once you know.
I had thought that the correct Path entry for my server should have been:
LDAP://myserver
This is what you will see for AD. However, I also found that you need to specify the base search path in this string. For me, with my settings of "mydomain.com", this was:
LDAP://myserver/dc=mydomain,dc=com
Once I added this and the correct username and password (note that the username needs to be the fully qualified name, e.g. cn=Manager,dc=mydomain,dc=com), I was able to think about the DSP settings. These are accessed via the pencil icon beside the password box. Now, this is where the Active Directory defaults will need to be changed. The defaults are:
Account Name : sAMAccountName
Directory Label : DSP1 *
Display Name : name
Distinguished Name : distinguishedName
Group member :
Group object class : group
Id Property name : sAMAccountName
LDAP Filter : (&(!(objectclass=computer))(objectGUID=*))
User member of : memberOf
User object class : user
* the directory label is how you will identify users to QlikView, e.g. in this case - DSP1\username.
With advice from Michael and some testing, I found the best settings for OpenLDAP (other LDAPs may be different - use the LDIF information to help you work it out) to be:
Account Name : cn
Directory Label : MyDomain
Display Name : displayName
Distinguished Name : dn
Group member : memberUid
Group object class : posixGroup
Id Property name : cn
LDAP Filter : (yes, this is blank!)
User member of : memberOf **
User object class : posixAccount
** memberOf (used to check users are in a group) will only work in OpenLDAP if the memberOf overlay is enabled and working.
With these settings, I am now able to use the UserManagement in Enterprise Management Console to query the LDAP directory.
I tested that it was working by creating a new document on my server and used DMS to give access to a user called MyDomain\jdoe (who was a valid user in my LDAP). I then generated a ticket for the user and connected successfully to the document.
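The attribute names above can be checked against an LDIF export of the directory before they are typed into the DSP dialog. The following Python is an added example, not part of the original post or of QlikView; the sample LDIF, the dictionary keys and the function names are constructed for illustration.

```python
# Constructed sample export (two entries); not data from the original post.
SAMPLE_LDIF = """\
dn: cn=jdoe,ou=people,dc=mydomain,dc=com
objectClass: posixAccount
cn: jdoe
displayName: John Doe

dn: cn=qvusers,ou=groups,dc=mydomain,dc=com
objectClass: posixGroup
cn: qvusers
memberUid: jdoe
"""

# DSP values as listed in the post; the dict keys are names made up for this example.
AD_DEFAULTS = {"user_class": "user", "group_class": "group", "account": "sAMAccountName",
               "display": "name", "dn": "distinguishedName", "group_member": "", "member_of": "memberOf"}
OPENLDAP = {"user_class": "posixAccount", "group_class": "posixGroup", "account": "cn",
            "display": "displayName", "dn": "dn", "group_member": "memberUid", "member_of": "memberOf"}

def parse_ldif(text):
    """Parse plain LDIF into [{lowercased attribute: [values]}]; no base64 support."""
    entries, current = [], {}
    for line in text.replace("\n ", "").splitlines() + [""]:  # unfold, add terminator
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def check_mapping(entries, mapping):
    """Return a list of problems found when applying a DSP mapping to the entries."""
    def of_class(name):
        return [e for e in entries if name.lower() in map(str.lower, e.get("objectclass", []))]
    problems = []
    users, groups = of_class(mapping["user_class"]), of_class(mapping["group_class"])
    if not users:
        problems.append(f"no entry has user object class '{mapping['user_class']}'")
    if not groups:
        problems.append(f"no entry has group object class '{mapping['group_class']}'")
    for key in ("account", "display", "dn", "member_of"):
        if users and not any(mapping[key].lower() in e for e in users):
            problems.append(f"user attribute '{mapping[key]}' not found")
    member = mapping["group_member"].lower()
    if groups and member and not any(member in e for e in groups):
        problems.append(f"group attribute '{mapping['group_member']}' not found")
    return problems
```

On the sample, the AD defaults fail on both object classes, while the OpenLDAP values leave only memberOf unresolved, which is what an export looks like when the memberOf overlay is not maintaining that attribute.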
Stephen Redmond is CTO of CapricornVentis, a QlikView Elite Partner