[BE] Fix bugs with admin role LDAP sync
For the adminRolesLdapSync mutation, we need to fix the following bugs:
- When the LDAP sync is deleted, the admin roles for users that are no longer under LDAP control should be editable again. However, they are still marked ldap: true, so the role cannot be edited.
- If an admin role was already manually assigned to a user, LDAP sync won't assign the role to the user. It's supposed to assign the LDAP role.
- When there are 2 LDAP configs with different roles, the user belongs to both configs, and the user does not currently have an admin role assigned, the role of the oldest config is assigned. If the user already has an LDAP-synced role, the role of the newest config is assigned instead. It should be one or the other (either the newest role always wins or the oldest role always wins).
- When one of the configs is a user filter, any LDAP user that does not match the filter gets their role toggled between the oldest config's role and No access on every sync. It should not toggle back and forth.
GraphQL mutations used to reproduce (update the admin role IDs to match your own instance):
```graphql
mutation add {
  ldapAdminRoleLinkCreate(input: {
    adminMemberRoleId: "gid://gitlab/MemberRole/138"
    provider: "ldapmain"
    cn: "group1"
  }) {
    errors
  }
}

mutation add2 {
  ldapAdminRoleLinkCreate(input: {
    adminMemberRoleId: "gid://gitlab/MemberRole/151"
    provider: "ldapmain"
    cn: "group2"
  }) {
    errors
  }
}

mutation add3 {
  ldapAdminRoleLinkCreate(input: {
    adminMemberRoleId: "gid://gitlab/MemberRole/152"
    provider: "ldapmain"
    filter: "(uid=john)"
  }) {
    errors
  }
}

mutation add4 {
  ldapAdminRoleLinkCreate(input: {
    adminMemberRoleId: "gid://gitlab/MemberRole/152"
    provider: "ldapmain"
    filter: "(uid=mary)"
  }) {
    errors
  }
}

mutation sync {
  adminRolesLdapSync(input: {}) {
    success
    errors
  }
}
```
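To make the expected behaviour concrete, here is an added in-memory model of the sync resolution that the four bugs above call for. It is not GitLab's code; `LdapLink`, `User` and `AdminRoleSync` are hypothetical names for this model only. It assumes "oldest matching link wins" as the single consistent rule for bug 3 (the issue leaves the choice open), that a sync-managed user who matches no link ends up with No access, and that deleting a link keeps the role but clears the ldap flag so admins can edit it again. Filter evaluation is reduced to the `(uid=value)` shape used in the mutations above; real LDAP filters are far richer.

```ruby
# Added example, not GitLab's code: an in-memory model of how
# adminRolesLdapSync should behave once the issue's four bugs are fixed.
# LdapLink, User and AdminRoleSync are hypothetical names for this model.

# One ldapAdminRoleLinkCreate record: a group cn or a user filter, never both.
LdapLink = Struct.new(:id, :provider, :cn, :filter, :role_id, keyword_init: true)

# A user with an LDAP identity and an admin role record {role_id:, ldap:};
# ldap: true means the role is managed by sync and cannot be edited by hand.
User = Struct.new(:uid, :provider, :groups, :admin_role, keyword_init: true)

class AdminRoleSync
  def initialize(links)
    # Lowest id is the oldest link. Resolution rule: oldest matching link
    # wins. The issue only requires one rule applied consistently (bug 3);
    # "oldest wins" is this model's assumption, not GitLab's decision.
    @links = links.sort_by(&:id)
  end

  # Bug 1: deleting a link hands affected roles back to admins. The role is
  # kept, but ldap: false makes it editable again (assumed semantics).
  def remove_link(link_id, users)
    @links.reject! { |l| l.id == link_id }
    users.each do |u|
      next unless u.admin_role && u.admin_role[:ldap] && resolve(u).nil?
      u.admin_role = u.admin_role.merge(ldap: false)
    end
  end

  # A link matches when the provider agrees and the user is in the group or
  # satisfies the filter. Only the "(uid=value)" filter shape is understood.
  def matches?(link, user)
    return false unless link.provider == user.provider
    return user.groups.include?(link.cn) if link.cn
    m = /\A\((\w+)=([^)]+)\)\z/.match(link.filter.to_s)
    !m.nil? && m[1] == 'uid' && m[2] == user.uid
  end

  # Deterministic target for a user: the oldest matching link's role, or nil
  # (No access) when no link matches.
  def resolve(user)
    @links.find { |l| matches?(l, user) }&.role_id
  end

  # One sync pass. Running it again yields the same state, so nothing
  # toggles between syncs (bug 4).
  def run(users)
    users.each do |user|
      target = resolve(user)
      if target
        # Bug 2: the LDAP role replaces a manually assigned one.
        user.admin_role = { role_id: target, ldap: true }
      elsif user.admin_role && user.admin_role[:ldap]
        # Managed by sync but matching no link any more: No access (assumed).
        user.admin_role = nil
      end
      # A manually assigned role (ldap: false) with no matching link is kept.
    end
    users
  end
end

# Constructed scenario mirroring the mutations above: two group links, two
# filter links, three users. Returns the state after each step for inspection.
def demo
  links = [
    LdapLink.new(id: 1, provider: 'ldapmain', cn: 'group1', role_id: 138),
    LdapLink.new(id: 2, provider: 'ldapmain', cn: 'group2', role_id: 151),
    LdapLink.new(id: 3, provider: 'ldapmain', filter: '(uid=john)', role_id: 152),
    LdapLink.new(id: 4, provider: 'ldapmain', filter: '(uid=mary)', role_id: 152),
  ]
  users = [
    # In both groups with a manual role: oldest link (group1, 138) wins and
    # overrides the manual assignment.
    User.new(uid: 'alice', provider: 'ldapmain', groups: %w[group1 group2],
             admin_role: { role_id: 999, ldap: false }),
    # Matches only the (uid=john) filter link.
    User.new(uid: 'john', provider: 'ldapmain', groups: [], admin_role: nil),
    # Matches nothing and holds a manual role: left untouched.
    User.new(uid: 'bob', provider: 'ldapmain', groups: [],
             admin_role: { role_id: 777, ldap: false }),
  ]
  sync = AdminRoleSync.new(links)
  first = sync.run(users).map { |u| [u.uid, u.admin_role] }
  second = sync.run(users).map { |u| [u.uid, u.admin_role] }
  sync.remove_link(3, users) # john's filter link is deleted
  after_delete = users.map { |u| [u.uid, u.admin_role] }
  { first: first, second: second, after_delete: after_delete }
end
```

The point of the model is the shape of a fix rather than its exact rules: compute one deterministic target role per user from the full set of links, apply it in a single pass, and treat link deletion as a separate event that releases roles instead of re-deriving them. With that structure the second `run` is a no-op, which is the property bug 4 is really asking for.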