One LDAP user disabled on every sync

Summary
Mattermost Enterprise disables a particular LDAP user on every sync

Steps to reproduce
Unknown. The same user can log in to other tools with LDAP credentials. We don’t have any LDAP filters set up that would require group membership. I’ve checked the LDAP properties against username and email. I compared the user record against a good user in the database and couldn’t spot any difference. The logs show the user getting disabled on sync, but nothing that tells me more about why. We have 3xx users on a 500-seat license and this is the only problem user.

Currently running 5.31, getting ready to move to 10.x. Same behavior in 10.x with db migrated incrementally to the new version. No way to manually enable LDAP users in 10.x as that feature was removed.

Expected behavior
LDAP user remains enabled after sync. I’m sure there’s some mismatch between LDAP and what Mattermost expects, but I don’t know what it might be. Looking for hints on what Mattermost actually looks at in the LDAP record since username and email appear to match and the user is not disabled in LDAP.

Observed behavior
LDAP user becomes disabled after sync

Welcome to the forums, jfath! And thanks for the detailed report. When a single LDAP user is disabled on each sync it usually means the account isn’t returned by your LDAP search or its mapped attributes don’t match, so please double-check your AD/LDAP settings (especially the immutable ID Attribute like objectGUID and the Login ID/Username attributes), use the Test buttons to validate this specific user, and review these guides: AD/LDAP setup, Authentication settings (attribute mapping), and this KB on LDAP deactivating users unexpectedly.
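As an added example (not from this thread and not Mattermost's own code), the following script runs the checks the reply above points at against an LDIF dump of the user's record: is the entry under the configured BaseDN, does the ID attribute value equal what Mattermost stored in Users.AuthData, do the username and e-mail attributes match, and is the AD ACCOUNTDISABLE bit clear. Take the dump with the same bind DN and filter Mattermost uses, e.g. `ldapsearch -x -LLL -H ldap://dc.example.com -D 'CN=mm-bind,OU=svc,DC=example,DC=com' -W -b 'DC=example,DC=com' '(sAMAccountName=jdoe)' objectGUID sAMAccountName mail userAccountControl` (host, DNs and account names here are placeholders). The two sample records and the Mattermost rows are constructed for the demo, and rendering objectGUID as the UUID string AD tools show before comparing it with AuthData is an assumption of this example: confirm the stored form against your own Users table.

```python
# Added example, not Mattermost's code: offline checks of an LDIF dump of a user's record
# against the values Mattermost keeps for that user (Users.AuthData, Username, Email).
import base64
import uuid
from dataclasses import dataclass

ACCOUNTDISABLE = 0x0002  # Active Directory userAccountControl flag


@dataclass
class LdapSettings:  # the Mattermost LdapSettings fields that decide whether a record matches
    base_dn: str
    id_attribute: str        # IdAttribute, e.g. objectGUID; its value must never change
    username_attribute: str  # UsernameAttribute, e.g. sAMAccountName
    email_attribute: str     # EmailAttribute, e.g. mail


def parse_ldif(text):
    """Minimal LDIF parser (folded lines, '::' base64 values) -> list of
    {attribute lowercased: [values]}. objectGUID is rendered as the UUID string AD
    tools show (bytes_le order); comparing that form to AuthData is an assumption."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # RFC 2849 line folding
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current is not None:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip().lower()
        if attr == "dn":
            current = {}
        if current is None:
            continue
        if value.startswith(":"):  # base64-encoded value
            raw_bytes = base64.b64decode(value[1:].strip())
            value = str(uuid.UUID(bytes_le=raw_bytes)) if attr == "objectguid" else raw_bytes.decode()
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    return entries


def check_user(settings, entry, auth_data, username, email):
    """Return the mismatches between one LDAP entry and the Mattermost user row.
    An empty list means none of these checks explains the deactivation."""
    def first(attr):
        vals = entry.get(attr.lower())
        return vals[0] if vals else None

    findings = []
    dn = first("dn") or ""
    if not dn.lower().endswith(settings.base_dn.lower()):
        findings.append(f"DN {dn!r} is outside BaseDN {settings.base_dn!r}; the sync search cannot return it")
    ldap_id = first(settings.id_attribute)
    if ldap_id is None:
        findings.append(f"{settings.id_attribute} missing; nothing to match AuthData against")
    elif ldap_id.lower() != auth_data.lower():
        findings.append(f"{settings.id_attribute}={ldap_id} != stored AuthData={auth_data} "
                        "(account recreated or ID attribute changed?)")
    ldap_user = first(settings.username_attribute)
    if ldap_user is None or ldap_user.lower() != username.lower():
        findings.append(f"{settings.username_attribute}={ldap_user!r} != Mattermost username {username!r}")
    ldap_mail = first(settings.email_attribute)
    if ldap_mail is None or ldap_mail.lower() != email.lower():
        findings.append(f"{settings.email_attribute}={ldap_mail!r} != Mattermost email {email!r}")
    uac = first("userAccountControl")
    if uac is not None and int(uac) & ACCOUNTDISABLE:
        findings.append("userAccountControl has ACCOUNTDISABLE set; the account is disabled in AD")
    return findings


def audit(ldif_text, settings, mm_users):
    """mm_users: {Username: (AuthData, Email)} from the Users table -> {username: findings}."""
    report = {}
    for entry in parse_ldif(ldif_text):
        name = (entry.get(settings.username_attribute.lower()) or [""])[0]
        if name not in mm_users:
            report[name] = [f"no Mattermost user {name!r}; check UsernameAttribute"]
            continue
        auth_data, email = mm_users[name]
        report[name] = check_user(settings, entry, auth_data, name, email)
    return report


# Constructed sample: a healthy record, and one whose objectGUID no longer matches the
# AuthData Mattermost stored when the account was first synced (e.g. account recreated).
SAMPLE_LDIF = """\
dn: CN=Good User,OU=Staff,DC=example,DC=com
objectGUID:: AAECAwQFBgcICQoLDA0ODw==
sAMAccountName: guser
mail: guser@example.com
userAccountControl: 512

dn: CN=Problem User,OU=Staff,DC=example,DC=com
objectGUID:: EBESExQVFhcYGRobHB0eHw==
sAMAccountName: puser
mail: puser@example.com
userAccountControl: 512
"""
SETTINGS = LdapSettings("DC=example,DC=com", "objectGUID", "sAMAccountName", "mail")
MM_USERS = {  # constructed rows: SELECT Username, AuthData, Email FROM Users WHERE AuthService='ldap'
    "guser": ("03020100-0504-0706-0809-0a0b0c0d0e0f", "guser@example.com"),
    "puser": ("00000000-0000-0000-0000-000000000000", "puser@example.com"),
}
```

Run `audit(SAMPLE_LDIF, SETTINGS, MM_USERS)`: the good record comes back with no findings, the problem record with a single objectGUID/AuthData mismatch. If a real dump passes every check, the remaining suspects are the User Filter and group settings, since a record the sync query does not return is deactivated regardless of how well its attributes match.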