Can the "LDAP - Synchronize New and Changed Users" job only look at "active" users in LDAP?

Article ID: 251506

Products

Clarity PPM On Premise

Issue/Introduction

You scheduled the "LDAP - Synchronize New and Changed Users" job to run nightly at 2am. You are seeing users become reactivated in Clarity after you inactivated them.

Sometimes this does not happen for a week or longer; it is not always the next day. Your identity and access team does not remove the LDAP group from a user upon termination; instead they set the account to an inactive (disabled) state, so the user still appears in the group that the job synchronizes.

Can the "LDAP - Synchronize New and Changed Users" job only look at "active" users in LDAP?


Environment

Release : 16.0.1

Component :  PPMSEC

Resolution

Speak with your LDAP team about an attribute in your directory that records whether an account is active or disabled, similar to the following. The example below works for Active Directory, whose userAccountControl attribute is a bit mask; the OID 1.2.840.113556.1.4.803 is the AD bitwise-AND matching rule, so each clause tests whether a particular flag bit is set rather than whether the whole value equals the number.

(userAccountControl:1.2.840.113556.1.4.803:=512)   matches accounts with the NORMAL_ACCOUNT flag (512) set, i.e. active user accounts
(!(userAccountControl:1.2.840.113556.1.4.803:=2))   excludes accounts with the ACCOUNTDISABLE flag (2) set, i.e. disabled users

Combined filter:

(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=512)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))


This filter can be placed in the LDAP filter field on the NSA Security tab.

It is recommended to test the filter with an LDAP client tool against your directory before implementing it in Clarity, and to confirm that a known disabled account is no longer returned.
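As an added example (not code from this article or from Clarity), the following Python evaluates the combined filter above against a handful of constructed directory entries. It shows why the bit-AND matching rule is used: a plain equality test (userAccountControl=512) would miss an enabled account that also carries other flags such as DONT_EXPIRE_PASSWORD, while the bit-AND clause matches it and still excludes disabled accounts. The entry values, account names and helper functions are constructed for illustration.

```python
# Added example: evaluates the Active Directory userAccountControl filter from the
# article against constructed sample entries. The bit-AND semantics below are those
# of LDAP matching rule 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND). The
# entries and the evaluator are constructed for illustration, not Clarity code.

NORMAL_ACCOUNT = 512           # 0x0200: flag tested by the article's first clause
ACCOUNTDISABLE = 2             # 0x0002: flag excluded by the article's second clause
DONT_EXPIRE_PASSWORD = 65536   # 0x10000: a common extra flag on service accounts
WORKSTATION_TRUST_ACCOUNT = 4096  # 0x1000: set on computer accounts instead of 512

# Constructed sample entries (not taken from any real directory). In AD the
# objectClass of a computer object also includes "user", which is why the
# article's filter relies on the 512 bit, not objectClass alone, to pick users.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "jdoe", "objectClass": ["top", "person", "user"],
     "userAccountControl": NORMAL_ACCOUNT},
    {"sAMAccountName": "tsmith", "objectClass": ["top", "person", "user"],
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE},            # 514: disabled
    {"sAMAccountName": "svc_ppm", "objectClass": ["top", "person", "user"],
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD},      # 66048: enabled
    {"sAMAccountName": "old_svc", "objectClass": ["top", "person", "user"],
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE},  # 66050
    {"sAMAccountName": "PPM-SRV$", "objectClass": ["top", "person", "user", "computer"],
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT},                 # 4096: computer
]


def bit_and_matches(entry, attribute, mask):
    """Semantics of (attribute:1.2.840.113556.1.4.803:=mask):
    true when every bit in mask is set in the attribute's integer value."""
    return (entry.get(attribute, 0) & mask) == mask


def is_user(entry):
    """Equivalent of the (objectClass=user) clause."""
    return "user" in entry.get("objectClass", [])


def matches_combined_filter(entry):
    """(&(objectClass=user)
         (userAccountControl:1.2.840.113556.1.4.803:=512)
         (!(userAccountControl:1.2.840.113556.1.4.803:=2)))"""
    return (is_user(entry)
            and bit_and_matches(entry, "userAccountControl", NORMAL_ACCOUNT)
            and not bit_and_matches(entry, "userAccountControl", ACCOUNTDISABLE))


def active_users(entries):
    """Names the sync job would see with the article's filter applied."""
    return [e["sAMAccountName"] for e in entries if matches_combined_filter(e)]


def naive_equality_match(entries):
    """What a plain (userAccountControl=512) equality filter would return, for comparison:
    it misses enabled accounts that carry any additional flag bits."""
    return [e["sAMAccountName"] for e in entries
            if e.get("userAccountControl") == NORMAL_ACCOUNT]


if __name__ == "__main__":
    print("bit-AND filter :", active_users(SAMPLE_ENTRIES))        # ['jdoe', 'svc_ppm']
    print("equality filter:", naive_equality_match(SAMPLE_ENTRIES))  # ['jdoe']
```

Running the block shows that the disabled accounts (tsmith, old_svc) and the computer account are excluded while both enabled user accounts are kept, which is the behaviour to confirm with your LDAP client tool before changing the Clarity filter.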