Allow membership override when using LDAP group sync

Backend part of #343 (closed)

Adds an ldap and override attribute to Member so we can track which members are managed by LDAP and if/when they're overridden.

• Member#ldap? will tell you whether it's an LDAP member
• Member#override should be set to true if someone adds an override. Sync will then ignore it, until Member#override is set back to false.

Performance testing

All tests resulted in approximately 119,000 total members being created.

• ✅ 19 minutes - An 'update' sync (where all members already existed) updating the ldap flag once.
• ✅ 79 minutes - A full, fresh sync before changes
• ✅ 76 minutes - A full, fresh sync after changes

Although the before time was actually higher than the after time, I think there's a standard deviation in there that accounts for it. The important thing is that it's not drastically different.