Pardon this intrusion, but I am having a similar issue with a school and have come to the following conclusion (I use the command line sync from a Linux server):
The command line sync reads the LDAP server and config for OUs from the DB but doesn't really check for validity of the Person/Internet Schema (which is what you are after with Moodle). The CLI script just hits the OU(s) and asks for ALL objects and within context IF you have the box checked.
So, IF the OUs are not really pointed to, say, staff and student in such a fashion that the objects seen are the Person/Internet Schema objects, one gets tons of junk. No names, no email addresses, etc. ... and maybe 10s of thousands of records when the student/teacher population is under 9000.
You really need an additional tool to browse LDAP tree/forest whatever the heck M$ folks call it.
With that tool and making queries of OU=student,DC=xxx,DC=xx,DC=xx does one see the objects you've mapped in Moodle (might not have those mappings locked to start with, BTW).
So, basically, I'd really check the configuration of LDAP ...
Here's an example (changed some things to obscure the entity site). This is an example, and like web sites, there isn't really ONE way to do things. This one, however, works like a champ for the single Moodle instance the ISD has for all their Elementary Schools (4).
OU=_Elementary_Schools,OU=someisd,DC=someisd,DC=net
Has Child Objects (4 - one for each elementary school)
One of them is:
OU=102_Cline,OU=_Elementary_Schools,OU=someisd,DC=someisd,DC=net
Taking just the one for Cline above:
OU=102_Staff,OU=102_Cline,OU=_Elementary_Schools,OU=someisd,DC=someisd,DC=net
OU=102_Students,OU=102_Cline,OU=_Elementary_Schools,OU=someisd,DC=someisd,DC=net
OU=102_Teachers,OU=102_Cline,OU=_Elementary_Schools,OU=someisd,DC=someisd,DC=net
So if I point Moodle to:
OU=_Elementary_Schools,OU=someisd,DC=someisd,DC=net
I'll get back ALL Elem campuses and their respective child objects
for Staff, Students, Teachers.
And in each of those one will see:
sAMAccountName, sn, st, name, mail, givenname
etc. ... i.e., those fields you've mapped in the mdl_user table.
And a 'discalmer' ... nope, spelled it right ... I'm NOT an LDAP admin person but have to collaborate with the person who is to get Moodles to find what it needs and NOT a bunch of junk.
Hoping this helps!
'spirit of sharing', Ken
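
A way to run the check described in the post above before a sync, as an added example that is not part of Ken's post or of Moodle's code: it reads LDIF as saved from an `ldapsearch` against the context and reports which objects are not person entries or lack the mapped attributes. The function names, the required attribute set and the sample entries are assumptions constructed for illustration.

```python
# Constructed sample of `ldapsearch` LDIF output; every DN and value is made up.
BASE = "OU=_Elementary_Schools,OU=someisd,DC=someisd,DC=net"  # context from the post
SAMPLE_LDIF = f"""\
dn: CN=Jane Doe,OU=102_Teachers,OU=102_Cline,{BASE}
objectClass: person
sAMAccountName: jdoe
givenName: Jane
sn: Doe
mail: jdoe@someisd.example

dn: CN=LAB-PC-01,OU=102_Staff,OU=102_Cline,{BASE}
objectClass: person
objectClass: computer
sAMAccountName: LAB-PC-01$

dn: OU=102_Students,OU=102_Cline,{BASE}
objectClass: organizationalUnit

dn: CN=Sam Roe,OU=102_Students,OU=102_Cline,{BASE}
objectClass: person
sAMAccountName: sroe
givenName: Sam
sn: Roe
"""
REQUIRED = ("samaccountname", "givenname", "sn", "mail")  # assumed Moodle mappings

def parse_ldif(text):  # simple LDIF only: no folded or base64 lines
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(": ")
            if sep:
                entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return [e for e in entries if "dn" in e]

def audit(entries, required=REQUIRED):  # -> (usable DNs, {rejected DN: reason})
    usable, rejected = [], {}
    for e in entries:
        dn = e["dn"][0]
        classes = {c.lower() for c in e.get("objectclass", [])}
        missing = [a for a in required if a not in e]
        if "person" not in classes or "computer" in classes:
            rejected[dn] = "not a person object"
        elif missing:
            rejected[dn] = "missing " + ", ".join(missing)
        else:
            usable.append(dn)
    return usable, rejected
```

A rejected count that dwarfs the usable count is the sign that the context points at more than the staff, student and teacher OUs.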