We are currently auditing the OSB Splunk user access accounts for both of our instances.
Unfortunately Splunk doesn't show or display under its user settings when an account has been disabled from LDAP (at the moment all the accounts are shown as 'Active'). Also, since user authentication has been configured by using LDAP, can you please confirm or advise why is not possible to display the status of an account in Splunk UI as disabled when they have been disabled in LDAP?
Splunk is not synchronized with the LDAP provider so it will not necessarily show the same status as the provider. The LDAP config is only used during login to authenticate the user and get the group(s) to which they are a member.
--- If this reply helps you, Karma would be appreciated.