Related to gitlab-ce#29342 When OmniAuth providers, including LDAP, are 'disabled/no longer configured' the identities remain in the database. On its own this is not particularly a problem, except it's cruft. It technically could cause an issue if the administrator later enables the same OmniAuth provider but it has different data. To give administrators *something* to correct this, we should have a Rake task that purges identities where the provider is not configured. We should probably have the ability to set the scope - for example, the administrator may want to purge *all* invalid identities (LDAP, Kerberos, etc), or they may want to purge only `ldapmain` or something else specific.