FortiAuthenticator
FortiAuthenticator provides access management and single sign on.
mturic
Staff
Article Id 191546

Description
Running the remote user sync rule only adds new users; it does not remove users that should no longer be present (remote LDAP users that were deleted, or users that are no longer members of the group configured in the sync rule).
Solution

There are two possible explanations, each with its own solution:
1) The maximum number of licensed users has been reached. In this case the warning message 'Cannot add user from LDAP server ... because the maximum user limit has been reached.' will appear.
The sync rule runs in 2 stages: it first adds users and then it removes users.
Since the rule cannot get past the first stage, user deletion will not occur.
Manual deletion or a license upgrade is needed if the total number of users is greater than the current license allows.
 
2) If the warning from point 1 is not seen, the remote user sync rule option 'Do not delete synced users when they are no longer found on the remote server' is not enabled, the rule's group filter matches the users' group, and the users are still not removed, then it is highly likely that the users which should be removed were initially imported manually, not through a sync rule.
This is by design: manually imported users will not be updated by a sync rule.
Manual deletion of those users is necessary.
Deleting all the users and then importing them only through the sync rule is also an option if no 2FA is configured on the active users.
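As an added illustration (not FortiAuthenticator's own code), the following Python model reproduces the two-stage sync behaviour described in points 1 and 2. The `imported_by` tag, the early return on the license warning and the sample user data are assumptions chosen to mirror the article.

```python
"""Model of the two-stage remote user sync rule described in the article.
Added illustration, not FortiAuthenticator code: the data layout, the
`imported_by` tag and the early return on the license warning are assumptions
chosen to reproduce the behaviour the article describes."""
from dataclasses import dataclass, field


@dataclass
class LocalUser:
    name: str
    imported_by: str  # "sync" (created by a sync rule) or "manual" (assumed tag)


@dataclass
class SyncResult:
    added: list = field(default_factory=list)
    removed: list = field(default_factory=list)
    warnings: list = field(default_factory=list)
    users: dict = field(default_factory=dict)  # local users after the run


def run_sync_rule(local, remote_group, license_limit, keep_missing=False):
    """Stage 1 adds remote users missing locally, stopping with a warning when
    the license limit is reached; stage 2 removes sync-imported users that are
    no longer in the remote group. Stage 2 is skipped if stage 1 stopped early,
    and it never touches manually imported users."""
    res = SyncResult(users={u.name: u for u in local})
    for name in sorted(remote_group):                      # stage 1: add
        if name in res.users:
            continue
        if len(res.users) >= license_limit:
            res.warnings.append(f"Cannot add user {name}: maximum user limit reached")
            return res                                     # stage 2 never runs
        res.users[name] = LocalUser(name, "sync")
        res.added.append(name)
    if keep_missing:  # 'Do not delete synced users when they are no longer found'
        return res
    for name in list(res.users):                           # stage 2: remove
        if name not in remote_group and res.users[name].imported_by == "sync":
            del res.users[name]
            res.removed.append(name)
    return res


if __name__ == "__main__":
    # Constructed sample data, not taken from a real deployment.
    local = [LocalUser("alice", "sync"), LocalUser("bob", "manual"), LocalUser("carol", "sync")]
    print(run_sync_rule(local, {"alice", "dave"}, license_limit=3))   # limit hit: carol stays
    print(run_sync_rule(local, {"alice", "dave"}, license_limit=10))  # carol removed, bob stays
```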
Related Articles

Technical Tip: FortiAuthenticator remote user sync rules

Troubleshooting Tip: Remote User Sync rules on FortiAuthenticator not assigning two-factor authentic...