TIBCO Spotfire® Server and Environment - Installation and Administration

User synchronization

By default, the user directory only synchronizes users (not groups) from the LDAP directories.

After an LDAP user has been synchronized and imported to the user directory, the user account becomes a permanent part of the user directory. If the LDAP user is later removed from the LDAP directory, the corresponding user account in the user directory is disabled. Disabled accounts remain visible in the Spotfire system but the user cannot log in.

To prevent user accounts from being disabled by failed synchronization attempts, for example those caused by network errors, you can enable the safe-synchronization option. When this option is enabled, no user accounts are disabled solely because they could not be found during synchronization. By default, this option is not enabled because of the potential security issues: an account whose LDAP user has been removed also stays enabled in the user directory.
Note: It is usually not possible to log in as a removed LDAP user anyway because the LDAP directory blocks the authentication attempt if it is also responsible for authenticating users.

User accounts may also be explicitly disabled in the LDAP directories. In this case, the user accounts are disabled in the user directory, regardless of the safe-synchronization setting.
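
The rules above can be modelled in a few lines to see which accounts safe synchronization leaves enabled without confirmation from LDAP. This is an added illustration, not TIBCO code or a Spotfire API; the `Account` class, the `synchronize` and `run` functions, and the sample users are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Account:
    # Hypothetical stand-in for a user directory account.
    name: str
    enabled: bool = True

def synchronize(accounts, ldap_entries, safe_sync=False):
    """Apply the rules described on this page to one synchronization run.

    ldap_entries maps a user name to True (found, enabled in LDAP) or
    False (found, explicitly disabled in LDAP). A missing name means the
    user was not found, whether removed from LDAP or lost to a failed lookup.
    Returns the names left enabled although LDAP did not return them.
    """
    unverified = []
    for account in accounts:
        state = ldap_entries.get(account.name)
        if state is False:
            # Explicit disable propagates regardless of safe synchronization.
            account.enabled = False
        elif state is None:
            if not safe_sync:
                account.enabled = False
            elif account.enabled:
                unverified.append(account.name)
    return unverified

def run(ldap_entries, safe_sync):
    # Constructed sample users, not taken from a real system.
    accounts = [Account("alice"), Account("bob"), Account("carol")]
    unverified = synchronize(accounts, ldap_entries, safe_sync)
    return {a.name: a.enabled for a in accounts}, unverified

# Constructed LDAP result: bob was removed, carol is explicitly disabled.
LDAP_AFTER_REMOVAL = {"alice": True, "carol": False}

if __name__ == "__main__":
    for safe in (False, True):
        print("safe_sync =", safe, run(LDAP_AFTER_REMOVAL, safe))
    # A failed run that returns no users at all:
    for safe in (False, True):
        print("failed run, safe_sync =", safe, run({}, safe))
```

With safe synchronization on, the returned list is the set of accounts to review by hand after each run, because the model cannot tell a removed user from a failed lookup.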