When LDAP sync runs, either manually or automatically, users who should not have been deactivated are deactivated. This happens because the deactivated user did not match any user returned from the LDAP search.
To fix this, work through the checks below to ensure the user is properly configured:
- Is this user returned with the User Filter that's configured in the System Console > Authentication > LDAP?
  - You can test this by using ldapsearch.
- Has the attribute that you've configured for their ID Attribute changed recently? New email, username, etc?
  - If this is the case, you'll need to update the database to contain their new ID attribute, as ID attributes are not designed to change.
  - For the future, you may want to select an ID attribute that is more unique.
- When you query the Mattermost Database with `select * from Users where Username='their username';` does the `AuthData` field match identically to the value returned for their ID Attribute?
  - These two values must match or the user will be deactivated. You can refer to step 1 or 2 for how to fix this.
If you answer any of the above with "no", then you'll want to resolve the issue before attempting another LDAP sync.
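The checks above can be run for all accounts at once before the next sync. The following is an added example, not Mattermost code: it parses ldapsearch output for the ID attribute and lists the database users whose AuthData matches none of the returned values. The ID attribute name `uid`, the sample LDIF and the sample rows are constructed assumptions, and the function names are hypothetical.

```python
import base64

# Constructed sample of ldapsearch output, produced with the configured User
# Filter and requesting only the ID attribute (assumed to be "uid"), e.g.:
#   ldapsearch -x -H <ldap URL> -D "<bind DN>" -W -b "<base DN>" "<User Filter>" uid
LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice

dn: uid=bob.smith,ou=people,dc=example,
 dc=com
uid: bob.smith

dn: uid=zoe,ou=people,dc=example,dc=com
uid:: em/DqQ==
"""

# Constructed sample of (Username, AuthData) rows exported from the Users table.
DB_ROWS = [("alice", "alice"), ("bob", "bob"), ("zoe", "zoé"), ("carol", "carol")]


def ldap_id_values(ldif, id_attr):
    """Collect every value of id_attr from LDIF text as printed by ldapsearch."""
    # LDIF folds long lines: a continuation line starts with a single space.
    unfolded = ldif.replace("\n ", "")
    values = set()
    for line in unfolded.splitlines():
        name, sep, rest = line.partition(":")
        if not sep or name.lower() != id_attr.lower():
            continue  # comments, blank lines and other attributes
        if rest.startswith(":"):
            # "attr:: <base64>" is used for non-ASCII string values.
            values.add(base64.b64decode(rest[1:].strip()).decode("utf-8"))
        else:
            values.add(rest.strip())
    return values


def would_deactivate(db_rows, ldap_values):
    """Usernames whose AuthData is not identical to any returned ID value."""
    return [user for user, auth_data in db_rows if auth_data not in ldap_values]


if __name__ == "__main__":
    for user in would_deactivate(DB_ROWS, ldap_id_values(LDIF, "uid")):
        print("no LDAP match, would be deactivated:", user)
```

In the sample, `bob` is flagged because his ID attribute changed to `bob.smith`, and `carol` is flagged because the User Filter does not return her.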