Do not allow LDAP members to be manually added to a group with LDAP Group Links
When Global membership lock is not enabled, but LDAP Group Sync is, we should not allow group maintainers/owners to manually add users with LDAP identities as members of the group. It's still desirable to allow non-LDAP users as members.
The current behavior is that an LDAP member can be added manually, but the next Group Sync will remove them, since they are likely not allowed by the group's LDAP Group Links.
If an LDAP user should be a member, they will be added either the next time that user signs in or on the next LDAP sync (hourly), so manual addition isn't necessary.
This change will have several positive effects:
- Less confusion for group maintainers/owners who add an LDAP user and then see that user disappear later.
- Better compliance for organizations that don't need the global lock but still want to ensure LDAP users have the correct access. Previously the model was more of an 'eventually compliant' situation but now it would be 'always compliant'.
- Still allows flexibility to add non-LDAP users for organizations that don't want the global lock.
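
The difference between the current and the proposed behavior, as an added Ruby example (not GitLab's code): a group with LDAP Group Links receives a manual add of an unlinked LDAP user and of a non-LDAP user, followed by a Group Sync. The class, method and flag names are hypothetical and the DNs are constructed.

```ruby
# Added illustration: class, method and flag names are hypothetical, DNs are constructed.
User = Struct.new(:name, :ldap_dn) do
  def ldap?
    !ldap_dn.nil?
  end
end

class Group
  attr_reader :members

  # ldap_allowed: DNs the group's LDAP Group Links resolve to (nil = no links).
  # reject_manual_ldap: true models the proposed behavior, false the current one.
  def initialize(ldap_allowed:, reject_manual_ldap:)
    @ldap_allowed = ldap_allowed
    @reject_manual_ldap = reject_manual_ldap
    @members = []
  end

  # Manual addition by a maintainer/owner. Returns true if the user was added.
  def add_member(user)
    return false if @reject_manual_ldap && @ldap_allowed && user.ldap?
    @members << user unless @members.include?(user)
    true
  end

  # Group Sync: drop LDAP members the links do not cover, add the ones they do.
  def ldap_sync(directory)
    return unless @ldap_allowed
    @members.reject! { |m| m.ldap? && !@ldap_allowed.include?(m.ldap_dn) }
    directory.each do |u|
      @members << u if @ldap_allowed.include?(u.ldap_dn) && !@members.include?(u)
    end
  end
end

# Membership (by name) right after the manual adds and after the next sync.
def scenario(reject_manual_ldap)
  alice = User.new("alice", "uid=alice,ou=people,dc=example,dc=com") # covered by a link
  bob   = User.new("bob", "uid=bob,ou=people,dc=example,dc=com")     # LDAP, not covered
  carol = User.new("carol", nil)                                     # non-LDAP user
  group = Group.new(ldap_allowed: [alice.ldap_dn], reject_manual_ldap: reject_manual_ldap)
  added = [bob, carol].map { |u| group.add_member(u) }
  before = group.members.map(&:name)
  group.ldap_sync([alice, bob])
  { added: added, before_sync: before, after_sync: group.members.map(&:name) }
end

p scenario(false) # current: bob is a member until the sync removes him
p scenario(true)  # proposed: bob is rejected at add time, carol is still allowed
```

With the flag off, `bob` holds membership in the window between the manual add and the next sync; with it on, that window does not exist and the non-LDAP user is unaffected.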