See discussion http://moodle.org/mod/forum/discuss.php?d=86007
I have been using CAS authentication (based on LDAP) for two years, running auth_ldap_sync every night.

With Moodle 1.6, the users were deleted when they disappear from valid LDAP branch. And they were revived when they reappear in this branch. That was perfect for me.

Since Moodle 1.7:

• either the users are suspended; they cannot no longer connect to Moodle but they still appear in Moodle, in particular as course participant because their enrolments were not deleted
• either the users are deleted; but they will get a new account when they will reappear in valid LDAP branch

How to process users having been deleted/deactivated/suspended from LDAP? I think we need 5 different settings, from "do nothing" to "fully delete".

1) Keep internal

• does no change in Moodle
• however the user cannot log in Moodle because he cannot identify against LDAP

2) Suspend internal

• only one change in Moodle : tagged as "suspended"
• the user can no longer log in Moodle
• he still appears as course participant
• he would be be revived in Moodle if he did reappear in LDAP

3) Hide internal (new setting)

• the user is tagged as "hidden" in Moodle
• he can no longer log in Moodle
• he does no longer appear as course participant
• he would be revived in Moodle if he did reappear in LDAP (with his previous enrollments)

4) Deactivate internal (new setting, like "delete internal" in Moodle 1.6)

• the user is tagged as "deactivated" in Moodle
• he is unenrolled from his Moodle courses
• he can no longer log in Moodle
• of course he does no longer appear as course participant
• he would be revived in Moodle if he did reappear in LDAP (without any enrollment)

5) Delete internal

• the user is tagged as "deleted" in Moodle
• he is unenrolled from his Moodle courses
• his email and idnumber are cleared
• of course he can no longer log in Moodle
• of course he does no longer appear as course participant
• of course he won't be revived in Moodle if he did reappear in LDAP