QA-T123

In LDAP Group-Restricted Mode, user deactivation is only temporary. When users who have an existing but deactivated user record log in again, they should be immediately reactivated. This is because LDAP is meant to be the source of truth in this configuration, and if LDAP says that a user can log in, we need to let them log in, even if they're deactivated in Tulip. The ability to deactivate users is really just so admins can clean up old users from Tulip who may not be in LDAP anymore.