When automatic user creation is active (server.domain.ldap.auto.create=true), an LDAP user record is created the first time that user attempts to log in. The login can still fail, for example because the user is not authorized to use the system or entered an incorrect ID. A user can also be added manually or imported into the domain and never log in at all. In all of these cases the user exists in the user database but has no Last Login time. There are also users who logged in at some point and no longer use the system. The example below shows three users added by auto creation: two who logged in and one who did not.
- dinesh was added on April 30th, 2021 and last logged on June 3rd, 2021
- eileen was added on April 25th, 2021 but did not complete the login process
- larry was added on August 19th, 2020 and logged in only that one time
Manual clean up
To clean up these users, use the Remove unused LDAP users option at the bottom of the User Manager page.
With default settings, this removes only LDAP users who have never logged in. In this example, only eileen would be removed.
To also remove inactive LDAP users (those who logged in at some point but not recently), set a property in the domain's node.properties:
    server.domain.auto.remove.unused.ldap.users.delta=nn
where nn is the number of days since the user's last login. For example, if nn is 30 and the remove command is run on the 1st of July, 2021, eileen (never logged in) and larry (last login August 19th, 2020) are removed, while dinesh (last login June 3rd, 2021, 28 days earlier) is kept. If it is run after the 4th of July, dinesh is also removed. You can change the delta in node.properties and refresh the environment without restarting the domain server.
Automated clean up
In addition to using the User Manager, the cleanup can be run periodically by setting two more properties in node.properties:
    server.domain.auto.remove.unused.ldap.users=true
    server.domain.auto.remove.unused.ldap.users.interval=24
The first is required, because the default is false. The second is optional; the default is every 24 hours. After setting these, the domain server must be restarted to put the automated process into operation. Once enabled, the cleanup runs at startup and then once every interval. As with the User Manager, it removes LDAP users who never completed login and, if the delta property is set, any who have not logged in within the delta interval. Before enabling an automated run, check the delta against your users' real login cadence (for example, infrequent administrators or service accounts that authenticate through LDAP) so that the job does not remove accounts that are still needed.
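The selection rule behind both the manual Remove unused LDAP users action and the automated cleanup is the same: a user is removed if they never completed login, or, when a delta is configured, if their last login is more than delta days before the run. The example below is an added illustration, not code from the product; it models that rule over the three users described above and reads the three cleanup properties from a node.properties fragment. The helper names (`LdapUser`, `select_unused_ldap_users`, `parse_cleanup_settings`) are hypothetical, and the treatment of the exact boundary (a user whose last login is exactly delta days ago is kept) is an assumption the page does not settle.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Hypothetical model of one LDAP user row in the user database.
@dataclass(frozen=True)
class LdapUser:
    name: str
    added: date
    last_login: Optional[date]  # None: login never completed / never logged in

# Constructed sample data matching the three users described on the page.
SAMPLE_USERS = [
    LdapUser("dinesh", date(2021, 4, 30), date(2021, 6, 3)),
    LdapUser("eileen", date(2021, 4, 25), None),
    LdapUser("larry", date(2020, 8, 19), date(2020, 8, 19)),
]

# Property names as given on the page; defaults as stated there.
ENABLED_KEY = "server.domain.auto.remove.unused.ldap.users"
INTERVAL_KEY = "server.domain.auto.remove.unused.ldap.users.interval"
DELTA_KEY = "server.domain.auto.remove.unused.ldap.users.delta"


def parse_cleanup_settings(properties_text: str) -> dict:
    """Read the cleanup-related keys from node.properties text.

    Returns {'enabled': bool, 'interval_hours': int, 'delta_days': Optional[int]}.
    Unset keys fall back to the page's defaults: disabled, 24 hours, no delta.
    """
    values = {}
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # Java-style properties comments
            continue
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip()
    delta = values.get(DELTA_KEY)
    return {
        "enabled": values.get(ENABLED_KEY, "false").lower() == "true",
        "interval_hours": int(values.get(INTERVAL_KEY, "24")),
        "delta_days": int(delta) if delta is not None else None,
    }


def select_unused_ldap_users(users: List[LdapUser], run_date: date,
                             delta_days: Optional[int] = None) -> List[str]:
    """Return the names a cleanup run on run_date would remove.

    delta_days=None models the default behaviour: only users who never
    logged in are removed. With a delta, users whose last login is more
    than delta_days before run_date are removed as well (assumption: a
    last login exactly delta_days ago is kept).
    """
    if delta_days is not None and delta_days < 0:
        raise ValueError("delta must be a non-negative number of days")
    removed = []
    for user in users:
        if user.last_login is None:
            removed.append(user.name)
        elif delta_days is not None and (run_date - user.last_login).days > delta_days:
            removed.append(user.name)
    return sorted(removed)


if __name__ == "__main__":
    # Constructed node.properties fragment using the page's three properties.
    settings = parse_cleanup_settings(
        "# cleanup settings\n"
        f"{ENABLED_KEY}=true\n"
        f"{INTERVAL_KEY}=24\n"
        f"{DELTA_KEY}=30\n"
    )
    for run in (date(2021, 7, 1), date(2021, 7, 5)):
        print(run, select_unused_ldap_users(SAMPLE_USERS, run, settings["delta_days"]))
    print("default (no delta):", select_unused_ldap_users(SAMPLE_USERS, date(2021, 7, 1)))
```

Running it reproduces the walkthrough: on July 1st, 2021 with a delta of 30 days, eileen and larry are selected and dinesh is kept; on July 5th dinesh is selected too; with no delta set, only eileen is selected. The same function stands in for what the scheduled job does at startup and at every interval, which is why the delta deserves a dry run of this kind before the automated cleanup is switched on.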