You scheduled the "LDAP - Synchronize New and Changed Users" job to run nightly at 2am. You are seeing users become reactivated after you inactivated them.
Sometimes this doesn't happen for a week or longer; it's not always the next day. Your Identity access team does not remove the group for a user upon termination; rather, they set the account to an inactive state.
Can the "LDAP - Synchronize New and Changed Users" job only look at "active" users in LDAP?
Release: 16.0.1
Component: PPMSEC
Speak with your LDAP team about an attribute similar to the following. The example below works for Active Directory.
(userAccountControl:1.2.840.113556.1.4.803:=512) for active users
(!(userAccountControl:1.2.840.113556.1.4.803:=2)) to not get disabled users
Combined filter:
(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=512)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
This filter can be placed in the LDAP filter on the NSA Security tab.
It is recommended to test this filter with an LDAP client tool before implementing it in Clarity.
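The following added example (not part of the original article or of Clarity) evaluates the filters above offline against constructed userAccountControl values, to show which accounts each one selects: the 512 clause on its own still matches disabled accounts such as 514, and the combined filter is what excludes them. The sample accounts and the function names are assumptions, and the evaluator handles only the `&`, `!` and item forms used in the filter above, on single-valued attributes.

```python
import re

BIT_AND = "1.2.840.113556.1.4.803"  # Active Directory bitwise-AND matching rule
ITEM = re.compile(r"(\w+)(?::([\d.]+):)?=([^()]+)")  # attr[:ruleOID:]=value

def parse(text, i=0):
    """Parse one parenthesised filter at text[i]; return (node, next index)."""
    if text[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if text[i] == "&":
        kids, i = [], i + 1
        while text[i] == "(":
            kid, i = parse(text, i)
            kids.append(kid)
        node = ("&", kids)
    elif text[i] == "!":
        kid, i = parse(text, i + 1)
        node = ("!", kid)
    else:
        m = ITEM.match(text, i)
        if not m:
            raise ValueError(f"bad filter item at offset {i}")
        node, i = ("item", *m.groups()), m.end()
    if text[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict of single-valued attributes)."""
    if node[0] == "&":
        return all(matches(kid, entry) for kid in node[1])
    if node[0] == "!":
        return not matches(node[1], entry)
    _, attr, rule, value = node
    if rule == BIT_AND:  # true only when every bit of the mask is set in the attribute
        return (int(entry[attr]) & int(value)) == int(value)
    return str(entry[attr]).lower() == value.lower()

def selected(filter_text, entries):
    """Names of the entries a sync using this filter would pick up."""
    tree, _ = parse(filter_text)
    return [e["cn"] for e in entries if matches(tree, e)]

# Constructed accounts: 512 = NORMAL_ACCOUNT, 2 = ACCOUNTDISABLE, 65536 = DONT_EXPIRE_PASSWORD
ACCOUNTS = [{"cn": n, "objectClass": "user", "userAccountControl": u} for n, u in
            [("active", 512), ("disabled", 514),
             ("active-noexpire", 66048), ("disabled-noexpire", 66050)]]
FIRST = f"(userAccountControl:{BIT_AND}:=512)"
COMBINED = f"(&(objectClass=user){FIRST}(!(userAccountControl:{BIT_AND}:=2)))"
print("512 clause alone:", selected(FIRST, ACCOUNTS))
print("combined filter: ", selected(COMBINED, ACCOUNTS))
```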