LDAP User: Option to Cancel or Notify Admin of LDAP Provisioned Drupal Users when no longer found in LDAP

This should be an option. I'm changing this to a feature request because that functionality doesn't exist yet.

This can't be implemented on user logon, because their LDAP account would be missing. I think the best way to implement this is:

- have cron query N accounts every time it runs, where N is roughly (number of accounts) / (frequency of cron in hours * periodicity of cleaning all accounts) or 50; whichever is higher. Where periodicity is chosen by the admin.
- when cron runs, query for all of the N ldap associated users in batches with the oldest last checked time. Mark the drupal user accounts that are have corresponding ldap entries with the run date.
- either delete or disable accounts that do not have corresponding ldap entries, depending on user preferences.

So the UI would look like:

Remember: This functionality only works if a service account or anonymous bind is used to query ldap groups.
Note: These settings are applied to all LDAP associated accounts; from all ldap servers.
[x] When cron runs, disable LDAP Associated acounts that no longer have corresponding LDAP entries.
[ ] When cron runs, DELETE LDAP Associated acounts that no longer have corresponding LDAP entries.
____ Number of hours to check all accounts. This will determine how many accounts are checked every cron run. For example, if your cron runs every .5 hour, and you have 1000 accounts, and you set this number to 24 hours: 1000/(24 * .5) = 83. accounts will be checked every cron run.

And a field user.field_ldap_user_last_checked would be added to have a unix timestamp on it.

Here's the status of this issue:

The UI is done and in 7.x-2.x-dev. It just mimicks the delete drupal account options with a non action of emailing sys admin.
-------------------------------------
[Action to perform on Drupal account that no longer has a corresponding LDAP entry
O Do not check for orphaned Drupal accounts.)
O Perform no action, but email list of orphaned accounts. (All the other options will send email summaries also.)
O Disable the account and keep its content.
O Disable the account and unpublish its content.
O Delete the account and make its content belong to the Anonymous user.
O Delete the account and its content.
These actions will only occur if the query to server is successful and does not return a user entry. If the ldap server is down, all LDAP associated users will not be deleted. When initially using this option, its best to simply check email and delete the accounts by hand. When you are happy with the behavior, switch to one of the automated options.

Number of users to check each cron run. __
-------------------------------------

To do:

• the code in ldap_user/ldap_user.cron.inc _ldap_user_orphans() is partially finished and completely untested. it needs to be finished and tested.
• it needs simpletest coverage. Not sure about simpletest coverage of cron driven code. May be adequate to simply call _ldap_user_orphans() in the simpletest and avoid cron context.

Yes. There is a thread just for the status of the module. Its #1115704: Version and Releases Status Updates.