When a user's LDAP DN changes, SAML sign in fails
When a user already has both a SAML and an LDAP identity and the LDAP DN changes, that user is unable to sign in via SAML until the LDAP identity is updated. Example identities for such a user:
LDAP identity: provider: 'ldapmain', extern_uid: 'CN=foo,dc=example,dc=com'
SAML identity: provider: 'saml', extern_uid: 'foo'
When the user signs in via SAML after the LDAP DN has changed, GitLab can still look up the LDAP user by UID. It then tries to find an existing LDAP identity with that (new) DN and provider and finds nothing, so it tries to create a new LDAP identity. Because Identity has a uniqueness constraint scoped on user and provider, the new LDAP identity is invalid and sign in is blocked.
Maybe we can instead look up users by email in GitLab and look for their existing LDAP identities, then update the extern_uid appropriately.
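The following is an added illustration, not GitLab's own code: a minimal model of the flow described above, with the scoped uniqueness constraint that blocks sign in and the proposed "update the existing LDAP identity" alternative. The names Identity, User, link_ldap_identity_current and link_ldap_identity_proposed are hypothetical.

```ruby
# Added example (not GitLab's code): minimal model of the identity-linking flow
# in the issue. Names (Identity, User, link_ldap_identity_*) are hypothetical.
Identity = Struct.new(:user, :provider, :extern_uid)

class User
  attr_reader :email, :identities

  def initialize(email)
    @email = email
    @identities = []
  end

  # Mirrors a uniqueness validation scoped on (user, provider):
  # a second identity for the same provider is rejected.
  def add_identity(provider, extern_uid)
    if identity_for(provider)
      raise ArgumentError, "identity for provider #{provider} already exists"
    end
    @identities << Identity.new(self, provider, extern_uid)
  end

  def identity_for(provider)
    @identities.find { |i| i.provider == provider }
  end
end

# Current behaviour: look for an LDAP identity carrying the *new* DN and create
# one when none is found. The scoped uniqueness check fires and sign in is blocked.
def link_ldap_identity_current(user, provider, new_dn)
  return :ok if user.identity_for(provider)&.extern_uid == new_dn
  user.add_identity(provider, new_dn)
  :ok
rescue ArgumentError
  :blocked
end

# Proposed alternative: the user is already resolved (LDAP UID lookup, or email
# as the issue suggests), so update the existing LDAP identity's extern_uid.
def link_ldap_identity_proposed(user, provider, new_dn)
  existing = user.identity_for(provider)
  if existing
    existing.extern_uid = new_dn
  else
    user.add_identity(provider, new_dn)
  end
  :ok
end
```

A real fix should only rewrite the link when the account was resolved through a trusted path (the LDAP UID lookup the issue describes), because an email match on its own is a weaker basis for re-pointing an identity.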