Apply ldap_blocked to GitLab users no longer matching LDAP user filter

Problem to solve

This needs to be confirmed, but let's suppose that a user gains access to a GitLab EE instance via LDAP. They happily use their credentials on the LDAP server to work in GitLab, which also utilizes a user_filter to gate the specific users who should have GitLab access.

Eventually, the user is moved out of whatever LDAP group passes the filter and allows them GitLab access. They're still in LDAP, but they no longer pass through the filter.

Given that this user still exists in LDAP and isn't disabled, I don't think we'd apply ldap_blocked to this user - although they're now unable to use the instance, and will still take up a seat.

Proposal

If an existing user no longer matches the instance's LDAP user filter, apply ldap_blocked to the user. Check this in the daily user sync.

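A sketch of the proposed daily-sync check, added here as an illustration and not GitLab's own code: it evaluates a user filter (equality, `&`, `|` and `!` only) against a directory entry and returns `:ldap_blocked` when the user is gone from LDAP or no longer matches. The names `parse_filter`, `matches?` and `sync_state`, the group DN, and the directory entries are all assumptions constructed for the example.

```ruby
# Added illustration, not GitLab code. Hypothetical helper names; constructed sample data.

# Parse a subset of LDAP filter syntax into a nested array: (attr=value), (&..), (|..), (!..).
def parse_filter(str, pos = 0)
  raise ArgumentError, "expected '(' at #{pos}" unless str[pos] == '('
  pos += 1
  case str[pos]
  when '&', '|', '!'
    op = str[pos]
    pos += 1
    children = []
    while str[pos] == '('
      child, pos = parse_filter(str, pos)
      children << child
    end
    node = [op, children]
  else
    close = str.index(')', pos) or raise ArgumentError, 'unterminated filter'
    attr, value = str[pos...close].split('=', 2) # DN values keep their own '='
    raise ArgumentError, 'only equality matches are supported' if value.nil?
    node = ['=', attr.downcase, value.downcase]
    pos = close
  end
  raise ArgumentError, "expected ')' at #{pos}" unless str[pos] == ')'
  [node, pos + 1]
end

# Evaluate a parsed filter against one entry (lowercase attribute name => array of values).
def matches?(node, entry)
  op, a, b = node
  case op
  when '=' then Array(entry[a]).any? { |v| v.downcase == b } # assumes case-insensitive match
  when '&' then a.all? { |n| matches?(n, entry) }
  when '|' then a.any? { |n| matches?(n, entry) }
  when '!' then !matches?(a.first, entry)
  end
end

# State the daily sync would set for one existing LDAP-backed user.
def sync_state(uid, directory, user_filter)
  entry = directory[uid]
  return :ldap_blocked if entry.nil? # user no longer exists in LDAP
  ast, = parse_filter(user_filter)
  matches?(ast, entry) ? :active : :ldap_blocked # the check this issue proposes
end

GROUP = 'cn=gitlab-users,ou=groups,dc=example,dc=com' # constructed DN
USER_FILTER = "(&(objectClass=person)(memberOf=#{GROUP}))"
DIRECTORY = { # constructed entries: bob was moved out of the GitLab group
  'alice' => { 'objectclass' => ['person'], 'memberof' => [GROUP] },
  'bob'   => { 'objectclass' => ['person'], 'memberof' => ['cn=finance,ou=groups,dc=example,dc=com'] }
}
```

Here `bob` is the case described in the problem statement: still present in the directory, but outside the group the filter requires.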