Werk #19930: Quarantine vanished LDAP users instead of deleting them immediately
| Component | Setup | ||
| Title | Quarantine vanished LDAP users instead of deleting them immediately | ||
| Date | Jul 1, 2026 | ||
| Level | Prominent Change | ||
| Class | New Feature | ||
| Compatibility | Compatible - no manual interaction needed | ||
| Checkmk versions & editions |
|
When a user synchronized from an LDAP connection can no longer be found during synchronization, Checkmk used to delete the account immediately. From now on, such a user is instead quarantined: the account is locked for a configurable retention period but stays in place, visible to administrators. If the user reappears before the period elapses, the account is automatically unlocked and reactivated; otherwise it is deleted once the period has passed.
This matters because a synchronized account holds per-user configuration that does not come from LDAP and cannot be reconstructed from it, such as notification rules and options, contact group memberships, and personal GUI configuration (views, dashboards, favorites, preferences). If a user vanishes only temporarily - a directory outage, a migration, an overly narrow search filter, or a faulty sync - immediate deletion throws all of this away. Quarantine keeps it, so a reappearing user gets everything back automatically.
The retention period is controlled by a new global setting Quarantine LDAP users before deletion under Setup > General > Global settings > User management, defaulting to 30 days. This changes the default behavior: vanished LDAP users are now kept for 30 days rather than removed on the next sync. Disable the option to restore immediate deletion. Quarantine and reactivation events are recorded in the security audit log.