Our LDAP server is configured not to hand out account details of expired accounts. Hence Moodle runs its auth_ldap_sync script each night, sees the users are missing, and deletes them from its internal database (using the "Delete Internal" setting for "Removed ext user").
The problem we've just realised is that when a user is temporarily inactive in LDAP, they are completely removed from Moodle's user database. When they become active again, they are reimported, but given a new database record ID. This has the effect of locking users out of previous objects, such as previous quiz attempts.
The solution is to change "Removed ext user" on the LDAP configuration page. Ideally I'd like to do this directly on our live server, but I just wanted to clarify with everyone before I did this:
Delete Internal - Does exactly that: if the external account isn't in LDAP, it is removed from Moodle. If the account reappears in LDAP, it is added back into Moodle, but with a new account ID.
Keep Internal - Does nothing to the account if it disappears from LDAP. As users authenticate against LDAP, if their account is inactive, their login will fail.
Suspend Internal - Suspends the account, preventing them from logging in again until the account is un-suspended. If the account is suspended in Moodle, but active in LDAP, the user cannot log in to Moodle.
I am guessing that Keep Internal is good enough. We will still want to run the ldap script with Delete Internal periodically, just to purge Moodle of completely expired accounts.
Does this make sense? Is Keep Internal the best option?
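To make the ID-stability point concrete, here is a small simulation of the three policies, written as an added example for this thread; it is not Moodle's own code and it does not talk to LDAP. It models the user table as an in-memory dictionary with an auto-incrementing id, runs three nightly syncs (user present, user temporarily missing, user back) under each policy, and counts quiz attempts whose userid no longer matches any user row. The assumption that a suspended account is re-enabled when it reappears in LDAP is this example's own, marked in the code.

```python
from dataclasses import dataclass, field

# Policy names mirror the three choices discussed in the post; the numeric
# values Moodle stores for the setting are not modelled here.
KEEP, DELETE, SUSPEND = "keep", "delete", "suspend"


@dataclass
class MoodleDB:
    """Toy stand-in for Moodle's user and quiz-attempt tables (constructed data)."""
    users: dict = field(default_factory=dict)          # id -> {"username", "suspended"}
    quiz_attempts: list = field(default_factory=list)  # [{"id", "userid"}]
    next_user_id: int = 1

    def user_id(self, username):
        for uid, u in self.users.items():
            if u["username"] == username:
                return uid
        return None

    def create_user(self, username):
        uid = self.next_user_id          # auto-increment: a new row means a new id
        self.next_user_id += 1
        self.users[uid] = {"username": username, "suspended": False}
        return uid


def sync(db, ldap_usernames, policy):
    """One nightly sync run: import users visible in LDAP, then apply the
    policy to Moodle users that LDAP no longer returns."""
    ldap = set(ldap_usernames)
    for name in sorted(ldap):
        uid = db.user_id(name)
        if uid is None:
            db.create_user(name)
        elif policy == SUSPEND:
            # Assumption of this example: a suspended account that reappears
            # in LDAP is re-enabled by the sync.
            db.users[uid]["suspended"] = False
    for uid in list(db.users):
        if db.users[uid]["username"] in ldap:
            continue
        if policy == DELETE:
            del db.users[uid]            # row gone; attempts keep a dangling userid
        elif policy == SUSPEND:
            db.users[uid]["suspended"] = True
        # KEEP: the row is left untouched


def orphaned_attempts(db):
    """Quiz attempts whose userid no longer matches any user row."""
    return [a for a in db.quiz_attempts if a["userid"] not in db.users]


def run_scenario(policy):
    """Alice attempts a quiz, drops out of LDAP for one night, then returns."""
    db = MoodleDB()
    sync(db, ["alice", "bob"], policy)                       # night 1
    original_id = db.user_id("alice")
    db.quiz_attempts.append({"id": 1, "userid": original_id})  # constructed attempt
    sync(db, ["bob"], policy)                                # night 2: alice missing
    while_inactive = db.user_id("alice")
    sync(db, ["alice", "bob"], policy)                       # night 3: alice is back
    return {
        "id_preserved": db.user_id("alice") == original_id,
        "row_kept_while_inactive": while_inactive is not None,
        "orphaned_attempts": len(orphaned_attempts(db)),
        "suspended_after_return": db.users[db.user_id("alice")]["suspended"],
    }


if __name__ == "__main__":
    for policy in (DELETE, KEEP, SUSPEND):
        print(policy, run_scenario(policy))
```

Under Delete Internal the returning user gets id 3 and the attempt still points at id 1, so it is orphaned; under Keep Internal and Suspend Internal the id never changes and nothing is orphaned. On a real Moodle database the equivalent check is a query that joins quiz attempts to the user table and looks for attempt rows whose user record is missing or flagged as deleted.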