LDAP FAQ

What if the connection between Collibra and the LDAP server is lost?

LDAP users cannot sign in to Collibra anymore. LDAP users who were logged in before losing the LDAP connection can continue working until their HTTP session is closed. When the LDAP synchronization job is triggered manually or automatically through scheduling, a javax.naming.CommunicationException is thrown and displayed in the logs.

What happens if a mapped field of an LDAP user cannot be found for a certain entry on the LDAP server during the synchronization?

The field remains empty when the user is imported in the application. However, both the username and email address are mandatory in Collibra. If either field is not mapped in the configuration, LDAP cannot be enabled. Also, when searching for users on the LDAP server, a filter is used to make sure that only users with a username and email address are returned.

Are there any mandatory fields to map?

Yes. You have to map at least the username and email fields. A user whose LDAP entry does not have both mapped attributes is ignored during the synchronization.
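To see in advance which directory entries would be ignored, the check below runs the mandatory-field rule over an LDIF export. It is an added example, not Collibra code. The attribute names (`uid`, `mail`, `givenName`), the `(objectClass=person)` base filter, the function names and the sample entries are assumptions made for illustration.

```python
import base64
# Assumed mapping of Collibra fields to LDAP attributes; the LDIF below is constructed.
MAPPING = {"username": "uid", "email": "mail", "first_name": "givenName"}
MANDATORY = ("username", "email")
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
uid: alice
mail: alice@example.org
givenName: Alice

dn: uid=bob,ou=people,dc=example,dc=org
uid: bob

dn: uid=carol,ou=people,dc=example,dc=org
uid: carol
mail:: Y2Fyb2xAZXhhbXBsZS5vcmc=
"""

def presence_filter(mapping, base="(objectClass=person)"):
    """Search filter that only returns entries carrying every mandatory attribute."""
    if not all(mapping.get(f) for f in MANDATORY):
        raise ValueError("username and email must both be mapped")
    return "(&" + base + "".join(f"({mapping[f]}=*)" for f in MANDATORY) + ")"

def parse_ldif(text):
    """Minimal LDIF reader: unfolds lines, skips comments, decodes '::' values."""
    entries = []
    for record in text.replace("\r\n", "\n").replace("\n ", "").split("\n\n"):
        entry = {}
        for line in record.splitlines():
            attr, sep, value = line.partition(":")
            if line.startswith("#") or not sep:
                continue
            if value.startswith(":"):  # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr.lower(), []).append(value.strip())
        entries.append(entry)
    return [e for e in entries if "dn" in e]

def audit(entries, mapping):
    """Return (imported, ignored); ignored maps DN -> missing mandatory fields."""
    imported, ignored = [], {}
    for e in entries:
        lacking = [f for f in MANDATORY if not any(e.get(mapping[f].lower(), []))]
        if lacking:
            ignored[e["dn"][0]] = lacking
        else:  # optional fields without a value stay empty
            imported.append({f: (e.get(a.lower()) or [""])[0] for f, a in mapping.items()})
    return imported, ignored
```

Calling `audit(parse_ldif(SAMPLE_LDIF), MAPPING)` on the constructed sample reports `bob` as ignored for a missing email and imports `carol` with an empty first name.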

Why are there a lot of connection problems during the synchronization of users, and why are no users visible in Collibra after synchronizing?

First check whether the URL and credentials used to connect to the LDAP servers are correct. If they are, but the problem persists, it could be related to paging.

Paging is only possible if your LDAP server supports it. It also requires the connection to remain open during the synchronization process, to keep track of which page is to be processed next.

Paging is enabled by default and can be disabled by entering '0' in the User page size field.

Is the synchronization job really necessary?

No. If you disable the synchronization job, users can still be authenticated in the application. Each time a user logs in, their personal information is updated and reflected in Collibra. However, a user's personal information is not visible until their first sign-in to the application, because until then the user is not yet known to the application. You also need the synchronization job to enable Groups from LDAP. Groups are only synchronized in the job, unless you have mapped the groups as an attribute of the user. In that case, a group is imported the first time it is encountered as the group of a user who is signing in.

What if usernames from LDAP don't comply with Collibra's username requirements?

If a username coming from LDAP does not meet the username requirements of Collibra, this user is skipped during synchronization.

To avoid this problem, ensure that your usernames from LDAP meet the Collibra username requirements.

What happens if I change the LDAP configuration while a synchronization is ongoing?

If you change the LDAP configuration to point to a different server while a synchronization with the initial server is ongoing:

  • The synchronization with the initial server is stopped.
  • The status of all the users that were imported from the initial server is changed to disabled.
  • A synchronization with the newly configured LDAP server starts.
  • The password status of the users that were imported from the new server is set to active.