Our org uses two identifiers for employees: login (internally "UVID"; this is also the cn of the user's AD record) and employee number (internally "LID"). LID is unique; UVID is not unique due to ID recycling.
The issue is this: when our tenant was brought online, the LDAP import process was validated on cn = LoginId. However, since users may get married, have name changes, etc., there are times when the UVID is changed. If this happens, a duplicate record with a bogus LoginId gets generated. To stop this from happening, I changed the LDAP import to validate on employeenumber = LID (a custom field in our Employee object).
One problem solved. The new problem is that if a UVID expires, gets removed from AD, and is recycled, the new user will never generate an Employee record via LDAP import, because there is an existing LoginId value that doesn't match the LID for the new user. Argh!
I have no idea how to get around this problem except to manually address it when it occurs -- but then, unless it gets reported to me or I scrub the LDAP import logs, I'll never know. When a UVID gets expired, the AD record is just wiped out. This happens several years after the person has been gone, but I don't know how to remove them at that point, since they won't be in AD anymore to trigger an update in the Employee records. Is anyone else dealing with this particular problem or one like it? Is it obvious and I'm missing it, or am I out of luck?
Thanks in advance for your insight on this issue,
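One way to surface these cases instead of scrubbing import logs, as an added example that is not part of the original post: a reconciliation pass that compares an AD export against the Employee table keyed on LID and classifies every record by what a LID-keyed import would do with it. The attribute names (cn, employeeNumber, loginId, lid) follow the post; the sample rows, the `reconcile` function and its report shape are constructed for illustration and assume both sides can be dumped to plain lists of dicts.

```python
"""Reconciliation pass for an AD-to-Employee import keyed on employeeNumber (LID).

Added example, not the poster's own tooling. Assumes an AD export as a list of
{"cn", "employeeNumber"} rows and the Employee table as a list of
{"loginId", "lid"} rows; the samples below are constructed.
"""

# Constructed AD export: cn is the login (UVID), employeeNumber is the LID.
AD_USERS = [
    {"cn": "jsmith",  "employeeNumber": "1001"},
    {"cn": "ajones2", "employeeNumber": "1002"},  # renamed from ajones
    {"cn": "bkim",    "employeeNumber": "2001"},  # login recycled; the old bkim was 1003
    {"cn": "dlee",    "employeeNumber": "3001"},  # brand-new hire, no conflict
]

# Constructed Employee table as the application currently holds it.
EMPLOYEES = [
    {"loginId": "jsmith", "lid": "1001"},
    {"loginId": "ajones", "lid": "1002"},
    {"loginId": "bkim",   "lid": "1003"},  # former holder of bkim, long gone from AD
    {"loginId": "cdoe",   "lid": "1004"},  # deleted from AD, still in the app
]


def _index(rows, key, value):
    """Map row[key] -> row[value], refusing missing or duplicate keys."""
    out = {}
    for row in rows:
        k = row.get(key)
        if not k:
            raise ValueError(f"row missing {key}: {row!r}")
        if k in out:
            raise ValueError(f"duplicate {key}={k!r} in input")
        out[k] = row[value]
    return out


def reconcile(ad_users, employees):
    """Classify records on both sides by what a LID-keyed import would do."""
    ad_cn_by_lid = _index(ad_users, "employeeNumber", "cn")
    emp_login_by_lid = _index(employees, "lid", "loginId")
    emp_lid_by_login = _index(employees, "loginId", "lid")

    report = {"renamed": [], "recycled": [], "new": [], "orphaned": []}

    for lid, cn in ad_cn_by_lid.items():
        if lid in emp_login_by_lid:
            # LID matches, so the import updates in place; flag login changes.
            if emp_login_by_lid[lid] != cn:
                report["renamed"].append((lid, emp_login_by_lid[lid], cn))
        elif cn in emp_lid_by_login:
            # No LID match, but the login is already held by a different LID:
            # the recycled-UVID case the import can never create.
            report["recycled"].append((cn, emp_lid_by_login[cn], lid))
        else:
            report["new"].append((lid, cn))

    for lid, login in emp_login_by_lid.items():
        if lid not in ad_cn_by_lid:
            # Employee record whose LID no longer exists in AD: a candidate for
            # deactivation that the import alone never sees.
            report["orphaned"].append((lid, login))

    return report


if __name__ == "__main__":
    for kind, rows in reconcile(AD_USERS, EMPLOYEES).items():
        for row in rows:
            print(kind, *row)
```

Run against real exports, the "recycled" list is the one to act on before the next import (retire or rename the stale Employee record so the new holder of the login can be created), and the "orphaned" list covers the people whose AD record was wiped years ago. `_index` deliberately raises on a duplicate loginId in the Employee table, since that would mean the login collision has already leaked into the application.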