Problem

In https://gitlab.com/gitlab-org/gitlab-ee/issues/4354 we are proposing an admin-level setting to lock membership changes to LDAP sync. Under that setting, only instance administrators are allowed to manually add members to group outside of LDAP.

We should optionally extend this privilege to allow group Owners to manually add members to their group:

• Some instances may want to add users to groups/projects, but not add them to LDAP. This is common for contractors/customers.
• Manual member management will be burdensome for administrators if they're the only user type who can handle this. Frequently, admins are a very small group of privileged users.

Proposal

Allow group Owners to manually add to group membership when "allow group Owners to manage LDAP-related settings" is enabled.

• What happens when this is unchecked? Members of groups (and their subgroups/projects) are not manually editable by Owners.
• What happens when this is checked? A configuration option is exposed in group LDAP settings that reads "Lock membership of this group to LDAP". This should default to true.

When this lock is enabled, we should remove all existing users added to projects/subgroups outside of LDAP. We should inform the group owner enabling the lock that this will take place.

Availability & Testing

This feature appears to be low risk in terms of availability.

When "Lock membership of this group to LDAP" is checked, ensure that LDAP users are retained and only non-LDAP ones are removed.

Besides unit and feature tests, we should extend the admin_ldap_sync_spec end-to-end test to cover this functionality.